Cryptography Law of the People's Republic of China

Cryptography Law of the People's Republic of China

Order of the President of the People's Republic of China
(No. 35)

The Cryptography Law of the People's Republic of China as adopted at the 14th session of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on October 26, 2019, is hereby issued and shall come into force on January 1, 2020.

President of the People's Republic of China: Xi Jinping
October 26, 2019

Cryptography Law of the People's Republic of China
(Adopted at the 14th session of the Standing Committee of the Thirteenth National People's Congress on October 26, 2019)

Table of Contents
Chapter I General Provisions
Chapter II Core Cryptography and Ordinary Cryptography
Chapter III Commercial Cryptography
Chapter IV Legal Liability
Chapter V Supplemental Provisions

Chapter I General Provisions

Article 1 This Law is enacted for purposes of regulating the application and administration of cryptography, promoting the development of the cryptographic cause, guaranteeing cyber and information security, maintaining national security and the public interest, and protecting the lawful rights and interests of citizens, legal persons and other organizations.

Article 2 For the purpose of this Law, "cryptography" means technology, product and service that effect encryption protection or security certification of information and the like by adopting the method for specific conversion.

Article 3 Cryptographic work shall be in adherence to a holistic approach to national security and in conformity with the principles of unified leadership, hierarchical responsibility, innovative development, serving the overall picture, law-based administration, and guaranteeing security.

Article 4 The leadership of the Communist Party of China over cryptographic work shall be adhered to. The central cryptographic work leading agency shall exercise unified leadership over nationwide cryptographic work, develop major guidelines and policies on national cryptographic work, holistically coordinate major matters and important tasks respecting national cryptography, and advance the building of the rule of law of national cryptography.

Article 5 The state cryptographic administrative authority shall be responsible for administrating nationwide cryptographic work. Local cryptographic administrative authorities at the county level and above shall be responsible for administrating the cryptographic work in their respective administrative areas.
A state agency or a cryptographic work-related entity shall be responsible for the cryptographic work of the agency, or the entity, or its system within its remit.

Article 6 The state shall place cryptography under classification administration.
Cryptography shall be divided into core cryptography, ordinary cryptography, and commercial cryptography.

Article 7 Core cryptography and ordinary cryptography shall be used to secure state secret information, the highest classification level of core cryptography-secured information shall be top secret, and the highest classification level of ordinary cryptography-secured information shall be secret.
Core cryptography and ordinary cryptography shall be state secrets. The cryptographic administrative authorities shall strictly and uniformly administer core cryptography and ordinary cryptography in accordance with this Law and the relevant laws, administrative regulations, and relevant provisions issued by the state.

Article 8 Commercial cryptography shall be used to secure information other than state secrets.
A citizen, legal person or any other organization may use commercial cryptography according to the law to protect cyber and information security.

Article 9 The state shall encourage and support the research on and application of cryptographic science and technology, protect intellectual property in the cryptography field according to the law, and promote the progress of and innovation in cryptographic science and technology.
The state shall strengthen the training of cryptography talents and team building and commend and reward any organization or individual who has made outstanding contributions to cryptographic work in accordance with the relevant provisions issued by the state.

Article 10 The state shall strengthen cryptographic security education in various forms, incorporate cryptographic security education into the national education system and the education and training system for civil servants, and heighten citizens, legal persons, and other organizations' awareness of cryptographic security.

Article 11 The people's governments at and above the county level shall incorporate cryptographic work into national economic and social development plans at the same level and funds necessary into the fiscal budget at the same level.

Article 12 No organization or individual may steal encrypted information from another person or illegally intrude into the cryptographic security system of another person.
No organization or individual may use cryptography to engage in illegal and criminal activities such as endangering national security, the public interest, or the lawful rights and interests of another person.

Chapter II Core Cryptography and Ordinary Cryptography

Article 13 The state shall strengthen the scientific planning, management, and use of core cryptography and ordinary cryptography, reinforce system building, improve administrative measures, and enhance capabilities for cryptographic security.

Article 14 Any state secret information transmitted by wired or wireless communications, or an information system storing or processing state secret information, shall be encrypted and secured, or be subject to security authentication, by using core cryptography or ordinary cryptography, in accordance with the laws, administrative regulations and relevant provisions issued by the state.

Article 15 The institutions engaged in the research on, production, service, testing, equipment, use and destruction of core passwords and ordinary passwords (hereinafter collectively referred to as password working institutions) shall comply with laws, administrative regulations, relevant state regulations and the requirements of the core passwords and ordinary passwords standard, establish a sound security management system, adopt strict security measures and confidentiality responsibility system to ensure the security of core passwords and ordinary passwords.

Article 16 The cryptographic administrative authorities shall guide, supervise and inspect the work relating to core cryptography and ordinary cryptography of cryptographic work entities according to the law, and the cryptographic work entities shall cooperate.

Article 17 The cryptographic administrative authorities shall establish monitoring and advance warning, security risk assessment, notice of information, consultation about material matters, emergency disposal, and other collaborative mechanisms for the security of core cryptography and ordinary cryptography as needed in work, so as to ensure coordinated, linked, orderly and efficient management of the security of core cryptography and ordinary cryptography.
A cryptographic work entity shall, upon discovery of divulgence of core cryptography or ordinary cryptography, or any material problem or hidden risk affecting the security of core cryptography or ordinary cryptography, immediately take countermeasures and report to the secrecy administrative agency and the cryptographic administrative authority in a timely manner, and the secrecy administrative agency and the cryptographic administrative authority shall organize an investigation or disposal, and guide the relevant cryptographic work entity in eliminating hidden security risks in a timely manner, in conjunction with relevant authorities.

Article 18 The state shall strengthen the construction of cryptographic work entities and guarantee their performance of duties.
The state shall establish a management system for the recruitment, selection, secrecy, evaluation, training, benefits, rewards an......