China: State Council adopts revised commercial encryption regulations
On May 24, 2023, the State Council of the People's Republic of China released the revised Commercial Encryption Regulations, which will enter into effect on July 1, 2023.
The revised regulations apply to commercial cryptography research, production, sales, service, testing, certification, import and export, application, and other activities, as well as their supervision and management, within China. For these purposes, 'commercial encryption' refers to technologies, products, and services that use specific transformation methods to encrypt, protect, and securely authenticate information that is not a state secret.
Requirements for organizations
The revised regulations address organizations looking to engage in commercial cryptography testing activities and the provision of electronic certification services, among others, outlining specific requirements for obtaining the applicable certifications, qualifications, and licenses. In relation to imports and exports, the revised regulations state that, in order to import or export commercial ciphers included in the import/export license list of commercial ciphers, an application must be made to the competent department of commerce of the State Council for an import and export license.
Moreover, commercial encryption meeting certain criteria must be included in a specialized catalog and must pass testing and certification from qualified commercial encryption testing and certification institutions to be sold.
The revised regulations set out penalties for a number of violations of their provisions, including administrative fines of up to CNY 500,000 (approx. $65,890) for those who, without justified reasons, refuse to accept, do not cooperate with, or intervene in or obstruct the supervision and management of commercial encryption by the encryption management department or relevant departments, where the circumstances are serious. Other violations include:
- carrying out commercial cryptography testing activities for the public or engaging in e-government electronic certification services without certification;
- selling or providing commercial encryption products that have not been tested and certified; or
- providing commercial encryption services that have not been certified or have failed certification.
You can read the revised regulations, only available in Chinese, here.