Both drafts require "critical network equipment" and "specialized cyber security products" to be certified by a qualified institution before they can be sold in China. A catalogue must be issued listing the equipment and products subject to the Law. This affects not only technology companies, which will have to go through certification, but foreign multinationals too: for example, global banks might find it difficult if their Chinese branches want to continue using the software that they use across a number of markets.
Furthermore, the second draft differs in that it uses the term "secure and controllable technology", first introduced by the China Banking Regulatory Commission in 2014. However, the second draft neither defines the term nor explains how it will be applied in practice.
Though "secure and controllable" might turn out to be a reasonable technology requirement, there is a strong possibility that it might give authorities a way to control which providers can work with financial institutions, and thus limit competition to domestic tech firms. Nevertheless, a better definition of "secure and controllable" is needed to draw definitive conclusions.
Co-operation with authorities
According to the first draft, all "owners or managers of any cyber networks", which likely means all Internet businesses, including financial institutions that work with clients online (e.g. through internet banking), will have to provide "technical support and assistance" to security organisations such as the police. The second draft introduces certain details, such as requirements for "network operators" to keep log records and notify the authorities if security defects are discovered in their systems. Nevertheless, a clearer definition of "owners or managers of cyber networks" is also required to determine whether foreign financial institutions are covered by the Law.
The first draft forced all "critical information infrastructure operators" to store personal information in mainland China. These include the operators of information systems in key industries, including finance. The second draft extends "personal data" to add "business data" and removes the possibility of "storage" of such information outside of China.
Bottom line: We are still waiting for the definitions of "secure and controllable" and "network operators" to do a better analysis; however, it is safe to say that the second draft gives regulators more control over the industry and makes it harder for foreign businesses to operate in the country.