June 30, 2023
On June 25th, 2023, the Chinese National Central Notification Office of Cybersecurity issued a notice requiring all information-system-related network operators at Level-3 or above Security Protection (“Level-3+ Network Operator”) to enhance security assessment in accordance with the Cybersecurity Law and relevant regulations, and to cautiously purchase software or hardware that failed to pass cybersecurity review (i.e., Micron’s products).
This is another significant measure following the earlier announcement issued by the Cyberspace Administration of China (“CAC”) on May 21st banning the sale of Micron’s products to Critical Information Infrastructure Operators (“CIIO”) due to Micron’s “relatively serious cybersecurity risk”. The CAC stated in a brief statement on March 31st that it had launched a cybersecurity review of Micron’s products sold in China pursuant to the National Security Law, Cybersecurity Law and Cybersecurity Review Measures to ensure the security of the supply chain of CIIOs, which foreign media have described as a countermeasure by the Chinese government against the U.S. blacklisting of particular Chinese chip companies.
As a result of the ban, not only have the concerned CIIOs requested suppliers to replace products containing components and software of Micron and required a written “Micron-free” assurance in their contracts for future supply, but some non-CIIO entities with a comparably higher level of cybersecurity protection (mostly State-owned Enterprises, “SOE”) have imposed the same requirements as well. The latest notice on June 25th has validated this concern of the industry.
We observe that the non-CIIO entities are rejecting Micron’s products mainly for the following reasons:
1. The Chinese government has paid particular attention to the cybersecurity of information technology products in recent years, especially those relating to the entities that process sensitive information. Although the number of officially recognized CIIOs is limited, there are a large number of companies, especially SOEs, collecting, processing and storing sensitive information in their routine work. Therefore, using Micron products that have not passed cybersecurity review may introduce potential security vulnerabilities, weakening the cybersecurity level and cybersecurity image of these IT product suppliers.
2. Many companies are direct or indirect suppliers to CIIOs, which means that if they use parts from Micron, the parts may end up being incorporated into their final products and supplied to the CIIOs through “centralized platform purchase”. In this case it is difficult for the suppliers to identify on a case-by-case basis whether the products containing Micron’s parts will eventually be sold to CIIOs in the component procurement, complete machine manufacturing, or even sales process. Therefore, as long as these companies identify the likelihood that there are CIIOs among their downstream customers, they may require their upstream suppliers to stop supplying parts containing Micron products.
3. Even though some of the minor components and software from Micron may not be involved in data processing, the May 21st announcement did not differentiate the role of Micron’s products in the outcome, so the CIIOs generally adopt a conservative measure, in line with their risk appetite, of prohibiting any of Micron’s products from being involved in their product supply chain.
Based on publicly available information, we speculate that the government might tend to take the following enforcement actions:
1. CAC and other cybersecurity law enforcement agencies might prefer a standard similar to that adopted in the US FCC’s order on Huawei, ZTE and Hikvision in accordance with the National Defense Authorization Act (“NDAA”), that is, any equipment, in whole or in part, containing Micron components or software will be strictly prohibited from being sold to the CIIOs as long as such equipment could be traced to contain Micron parts and software, regardless of function and value. Furthermore, the regulatory authorities might recommend or require the CIIOs to apply an “Equipment Certification” to ensure Micron’s products are excluded from their equipment supply chain.
2. Although the order directly targets the CIIOs, the regulatory authorities tend to adopt the “knowledge-based” standard to enforce the order. That means that if CIIOs’ suppliers or agents knowingly supply products containing Micron products to the CIIOs, they might be penalized for violating Article 22 of the Cybersecurity Law as well as relevant provisions of the Government Procurement Laws, the National Secret Law or the National Security Law. Similar to Part 772 of the U.S. Export Administration Regulations (“EAR”), “knowledge” is defined as “know” and “have reason to know”. Therefore, if any company “knows or has reason to know” that Micron’s products are contained in the products purchased, and that there are CIIO customers among its downstream customers, this company could be liable for selling those Micron-involved products to the CIIOs even though there is no evidence that it intended a violation.
3. Besides administrative penalties (such as fines, rectification, and suspension from participating in government procurement), the regulatory authorities could also initiate cybersecurity reviews of the companies, and more companies might be designated to the blacklist like Micron. Alternatively, the regulatory authorities may, via announcements, prohibit the CIIOs and Level-3+ Network Operators from purchasing products from these companies or urge them to “cautiously purchase” such products, which will result in a significant loss of market share in China for these companies.
4. China will continuously enhance cybersecurity review and law enforcement as a policy instrument to respond to the “national security threat”, including the U.S. action of adding more and more Chinese companies to various blacklists. On top of conducting cybersecurity reviews on more foreign companies’ products, it is reasonably expected that there will be administrative penalties imposed on the CIIOs that violate the order, or on the Chinese or foreign companies that cause CIIOs to violate such order.
According to several leading ICT (Information Communication Technology) companies in China, more and more customers tend to ask for their suppliers’ commitment to exclude Micron’s products from their supply chain, which has been impacting their supply chain management and sales services. V&V can assist you in reducing the impact and mitigating the uncertainty by taking the following actions:
- Supply Chain Due Diligence
- Product Mapping
- Customer Identification and Labelling
- Contract Language Modification
- Develop Risk Alert and Contingency Plan
- Communicate with Regulatory Authorities
If you have any questions, please do not hesitate to contact us:
Lance Wu: lwu@shijielaw.com, Partner, Compliance and Security.
Lance F Wu
Partner
Beijing Vision & View Law firm (“V&V”) tackles sophisticated work for high-calibre clients in a supportive environment and navigates clients through complex and crucial regulatory areas such as security issues. V&V attorneys have abundant practical experience in cybersecurity, data privacy, trade restriction and national security matters. V&V is an elite law firm formed by partners and consultants who previously served in agencies that participated in the legislation of China’s Cybersecurity and Data Security Laws and Regulations, as well as attorneys from reputable international law firms and compliance officers from top MNCs and the National Thinktank. V&V is able to tackle complicated cross-border legal and compliance matters and to provide best-in-class services to MNCs operating in China. www.visionviewlaw.com/en
Lance is a partner of V&V Law who has more than 13 years of practical experience specializing in export control, sanctions/anti-sanction, supply chain security and national security for foreign investment. Prior to joining V&V Law, Lance served as a trade consultant in an international consulting firm and in US-headquartered MNCs, as well as a Director of China-headquartered FT500 MNCs across various industries such as ITC and Smart EV, where he obtained solid experience in dealing with compliance issues in cross-border business. Lance has also provided expert consultation to legislators during the legislation process, including for the Chinese Export Control Laws and the Chinese Data Security Law. Lance is also among the first batch of legal experts in the Chinese National Thinktank IC500 (International Compliance 500).