[Editor to fill: 200-word domain overview.]
Cybersecurity Review.
网络安全审查
The cybersecurity review regime for critical information infrastructure operators and large data processors — including overseas listings.
The legal corpus.
6 laws.
- CII Regulations Security Protection Regulations for Critical Information Infrastructure 关键信息基础设施安全保护条例
- RULE Cybersecurity Review Measures 网络安全审查办法
- Incident Reporting Measures Measures for the Administration of National Cybersecurity Incident Reporting 国家网络安全事件报告管理办法
- Healthcare Cybersecurity Measures Measures for the Cybersecurity Management of Healthcare Institutions 医疗卫生机构网络安全管理办法
- Financial Sector Cybersecurity Measures (Draft) Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) 金融业网络安全管理办法(征求意见稿)
- FISR Measures Measures for the Security Review of Foreign Investments 外商投资安全审查办法
In this domain.
3 briefs.
- § 01 · SECURITY-REVIEW
One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era
With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.
- § 02 · FOREIGN-INVESTMENT-SECURITY-REVIEW
Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export
Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.
- § 03 · CSL
China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed
On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.