On 20 August 2020 the State Cryptography Administration released the Regulations for the Administration of Commercial Cryptography (Draft for Comment) for public comment.(1) The consultation period ended on 19 September 2020.

The draft regulations provide that the import of commercial cryptography products on the Commercial Encryption Import Licence List and the export of commercial cryptography products on the Commercial Encryption Export Control List should be subject to the import and export licence for dual-use items issued by the competent commercial department of the State Council.

According to the draft regulations, operators of networks and information systems (eg, unclassified critical information infrastructure, networks of Grade III or above (under the network graded protection regime) and national government information systems) should:

  • use commercial cryptography products for protective purposes;
  • formulate a commercial cryptography application scheme;
  • have the necessary funds and professionals;
  • plan, construct and operate the commercial cryptography safeguard system synchronously; and
  • carry out a security assessment on commercial cryptography applications themselves or have a commercial cryptography testing institution do so for them.

The abovementioned networks and information systems can be put into operation only after the relevant commercial cryptography application has undergone a security assessment. Once operation commences, such assessment must be conducted at least once a year. The assessment results must be filed with the local municipal cryptography administrative department.

The draft regulations provide that operators of networks and information systems such as those cited above should use commercial cryptography products and services that have been tested or certified and commercial cryptography technology that is listed in the Guidance Catalogue of Commercial Cryptography Technology.

The draft regulations stipulate that if operators of critical information infrastructure purchase network products and services involving commercial cryptography, which may affect national security, they must pass the national security examination of the state cyberspace department, the state cryptography department and other relevant departments according to the law.

Endnotes

(1) Further information is available here.