• EU and US groups sound alarm on China cyber security rules

EU and US groups sound alarm on China cyber security rules

The regulations would require IT equipment to undergo security testing, use Chinese intellectual property and force developers to share source codes and other sensitive data with Beijing.
By Christian Oliver in Brussels and Tom Mitchell in Beijing

European and US companies have asked their authorities for urgent help in stopping the implementation of new Chinese cyber security regulations, which are expected to force local and foreign banks to use information technology equipment deemed “secure and controllable” by Beijing.

In a letter to the European Commission dated February 25 and seen by the Financial Times, six business organisations led by Business Europe and The City UK said the “worrisome” Chinese regulations “could close the door for many foreign IT companies to the Chinese banking IT market”.

The business groups warned that if fully implemented, the policies “will not only undermine the ability of European companies to participate in the IT market in China and to serve banks in general... but also hurt the development and integration of the Chinese banking sector in the global market”.

Last September, the China Banking Regulatory Commission and Ministry of Industry and Information Technology issued new “guiding opinions” on “secure and controllable” information and communication technologies, which would affect banks’ procurement of equipment including ATMs, point of sales terminals, smart-card readers and cash counters.

The regulations would require such equipment to undergo security testing, use Chinese intellectual property and also force developers to share source codes and other sensitive data with Beijing.

Multinational companies fear that the new rules, which have not been published in full, could begin to take effect as early as March 15 and could eventually be extended to other industries. 

“Do they want to carve out business opportunities for Chinese companies that can’t compete with IBM, Oracle and SAP,” one European executive asked. 

“Is this the first step? Are insurance companies next?”
The CBRC declined to comment on Thursday.
The MIIT was not available for comment.

Many executives and analysts see the new rules as part of a larger and ongoing response to last year’s revelations by Edward Snowden, the former National Security Agency contractor, about US espionage activities.
But others believe there could be a deeper agenda to boost Chinese companies.

“There have always been attempts to promote local companies under the guise of national security,” said Duncan Clark at BDA, a consultancy.

Chinese and foreign banks have until 2019 to ensure that at least 75 per cent of their information technology infrastructure in China is compliant with the new regulations, giving the EU and US time to try to dilute their impact.
The EU business lobbies asked European commissioners to raise the issue during the course of ongoing trade negotiations, including a Sino-EU bilateral investment treaty and the global Information Technology Agreement.
The European protest follows a similar appeal by more than a dozen US business lobbies this month to four US cabinet secretaries. 

The US letter requested the Obama administration’s “immediate action” against the new rules.
“If fully implemented, these policies threaten the ability of US companies to participate in the $465bn ICT market in China,” the letter said. 

“Our companies’ losses in turn will translate into decreased R&D investments in the US, harming US jobs and innovations.”