On 26 October 2019 the Standing Committee of the National People's Congress approved the Cryptography Law, which will come into effect on 1 January 2020.(1)
Under the Cryptography Law, cryptography is divided into core cryptography, ordinary cryptography and commercial cryptography.
If a commercial cryptography product concerns state security, the national economy, people's livelihoods or social public interests, it will be included in the catalogue of critical network equipment and dedicated cybersecurity products under the law.
Further, such products will be sold and supplied only after they have been tested and certified by a qualified agency. Commercial cryptography services that use critical network equipment and dedicated cybersecurity products shall pass the certification of such services conducted by commercial cryptography certification agencies
For critical information infrastructure that by law must be protected by commercial cryptography, operators of critical information infrastructure will need to use commercial cryptography and conduct security assessments of commercial cryptography applications themselves or engage commercial cryptography testing agencies.
Where an operator of a critical information infrastructure procures network products and services involving commercial cryptography which may affect state security, the operator must undergo a state security review organised by the state cyberspace administration in concert with the state cryptography administration and other relevant authorities in accordance with the Cybersecurity Law.
Endnotes
(1) Further details are available here.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
