China has passed its controversial new cybersecurity law, which could freeze multinational banks and companies out of key economic sectors.

The law, which will come into force in June 2017, has been vocally opposed by the international business community, but the Chinese government claims it targets hacking and terrorism, rather than commercial interests.

The main points of contention are those that require IT products used by “critical infrastructure operators” to be subject to review, with some experts warning that tech companies might be forced to reveal their source code to the Chinese government.

Those sectors deemed critical are: communication infrastructure, energy, transport, water supply, finance, public utilities and e-government services, while the law’s ambiguity also leaves the door open for inspections of areas that might affect “national security”, the “citizens’ well-being” or “public interest”.

Nabil Alsabah, cybersecurity analyst at the Mercator Institute for China Studies (Merics), says that such vague language could allow authorities to arbitrarily classify more and more areas as “critical”.

Companies could be forced to evaluate whether the benefit of selling tech products to Chinese SOEs and banks outweighs the potential cost of sharing their intellectual property with the Chinese government.

Given that the critical sectors include transport and finance, companies involved in China’s domestic Belt and Road plans could be affected, as could banks working in the transactional stage.

“I think the general question is: is your fear of the consequences of potentially sharing source code with Chinese agencies bigger than the financial opportunities of participating in OBOR? Personally I would assume that a lot of companies would go along with these new requirements,” Alsabah tells GTR.

For the financial sector, including trade finance banks, there will also be concerns over the requirement to store data that is collected in China locally.

Some banks operate entirely centralised data storage facilities, while others have very separate international business units, which may have multiple independent businesses per jurisdiction.

Bryce Boland, Asia Pacific CTO at cybersecurity firm FireEye, explains that this makes accountability easier to manage and often gives the holding bank flexibility if it looks to enter a market or sell a business unit. Keeping data local allows banks to make local decisions, but can be expensive. Establishing a central data storing function in China, then, could add costs for banks.

He explains: “While the new law mandates data localisation, this has been informally the practice for many banks with a presence in China already. The impact will likely come more from the security incident or breach disclosure requirements, and the cost of providing ‘technical assistance’ to the government for investigations.

“Given that this part of the law is vaguely worded, it is quite possible that this law could be abused in a variety of ways, including forcing banks to provide backdoors in their encryption or applications. Any of these could increase costs for foreign banks.”

In August, GTR reported that a coalition of 46 business groups wrote a letter to Chinese premier Li Keqiang asking him to rethink the proposals around cybersecurity, which they fear signal an era of increased protectionism in China and which they said could negatively affect China’s economy.

The letter followed a series of complaints from international companies working in China about the worsening business climate. The government floated legislation to intervene in the banking market last year, but that has yet to be signed into law. This would require banks to buy products from domestic suppliers, a move that opponents say would be in direct contravention of WTO rules.