Regulation on the Administration of Commercial Cryptography (2023 Revision)
Order of the State Council of the People's Republic of China
(No. 760)
The Regulation on the Administration of Commercial Cryptography, as revised and adopted at the 4th executive meeting of the State Council on April 4, 2023, is hereby issued and shall come into force on July 1, 2023.
Premier: Li Qiang
April 27, 2023
Regulation on the Administration of Commercial Cryptography
(Issued by Order No. 273 of the State Council of the People's Republic of China on October 7, 1999 and revised by Order No. 760 of the State Council of the People's Republic of China on April 27, 2023)
Chapter I General Provisions
Article 1 This Regulation is developed in accordance with the Cryptography Law of the People's Republic of China and other laws for the purposes of standardizing the application and administration of commercial cryptography, encouraging and promoting the development of the commercial cryptography industry, ensuring cybersecurity and information security, safeguarding national security and social and public interests, and protecting the legitimate rights and interests of citizens, legal persons and other organizations.
Article 2 This Regulation shall apply to the scientific research, production, sale, service, testing, certification, import and export, application and other activities in respect of commercial cryptography within the territory of the People's Republic of China.
For the purposes of this Regulation, “commercial cryptography” refers to the technologies, products and services that conduct encryption-based protection and safety certification of the information that is not state secret by means of specific transformation.
Article 3 The leadership of the Communist Party of China over the work of commercial cryptography shall be insisted on and the overall national security concept shall be implemented. The state cryptography administrative department shall be responsible for the administration of commercial cryptography across the country. The local cryptography administrative departments at or above the county level shall be responsible for the administration of commercial cryptography in their respective administrative regions.
Cyberspace, commerce, customs, market regulation, and other relevant departments shall be responsible for the administration of commercial cryptography within the scope of their respective duties.
Article 4 The state shall strengthen the training of commercial cryptography talents, establish and improve the development system and mechanism and the talent evaluation system for commercial cryptography talents, encourage and support the construction of disciplines and specialties related to cryptography, standardize the social training on commercial cryptography, and promote the exchange of commercial cryptography talents.
Article 5 The people's governments at all levels and their relevant departments shall strengthen the publicity and education of commercial cryptography in various forms to enhance the cryptography security awareness of citizens, legal persons and other organizations.
Article 6 Societies, trade associations and other social organizations in the field of commercial cryptography shall, in accordance with the provisions of laws, administrative regulations and their bylaws, carry out academic exchanges, policy research, public services and other activities to strengthen academic and industrial self-regulation, promote credibility building, and promote the sound development of the industry.
The cryptography administrative departments shall strengthen guidance and support for social organizations in the field of commercial cryptography.
Chapter II Scientific and Technological Innovation and Standardization
Article 7 The state shall establish and improve the mechanism for promoting scientific and technological innovation in commercial cryptography, support independent innovation in science and technology on commercial cryptography, and commend and reward organizations and individuals that have made outstanding contributions in accordance with the relevant rules of the state.
The state shall protect intellectual property rights in the field of commercial cryptography in accordance with the law. Those who carry out commercial cryptography activities shall enhance their awareness of intellectual property rights and their ability to use, protect and manage intellectual property rights.
The state shall encourage cooperation on commercial cryptography technology in the process of foreign investment based on voluntary principles and commercial rules. Administrative organs and their staff members shall not use administrative means to force the transfer of commercial cryptography technology.
Article 8 The state shall encourage and support the transformation and industrial application of scientific and technological achievements in commercial cryptography, and establish and improve the feedback mechanism for the exchange, release and application of information on scientific and technological achievements in commercial cryptography.
Article 9 The state cryptography administrative department shall organize the examination and authentication of the cryptographic algorithms, cryptographic protocols, key management mechanisms and other commercial cryptography technologies used in networks and information systems that need to be protected by commercial cryptography as required by laws, administrative regulations and relevant regulations of the state.
Article 10 The standardization authority of the State Council and the state cryptography administrative department shall, according to their respective functions, organize the development of national and industrial standards for commercial cryptography, and regulate, guide and supervise the development of group standards for commercial cryptography. The state cryptography administrative departments shall, in accordance with their duties, establish an information feedback and evaluation mechanism for the implementation of the standards for commercial cryptography, and supervise and inspect the implementation of the standards for commercial cryptography.
The state shall promote participation in the international standardization activities of commercial cryptography, participate in the development of international standards for commercial cryptography, promote the conversion and application between Chinese and foreign standards for commercial cryptography, and encourage enterprises, social organizations, educational and scientific research institutions to participate in the international standardization activities of commercial cryptography.
If the standards in other fields involve commercial cryptography, they shall be coordinated with the national and industrial standards for commercial cryptography.
Article 11 Commercial cryptography activities shall comply with relevant laws, administrative regulations, compulsory national standards for commercial cryptography, and the technical requirements for the standards for self-declaration disclosure.
The state shall encourage the use of recommended national and industrial standards for commercial cryptography in commercial cryptography activities, to improve the protection ability of commercial cryptography and safeguard the legitimate rights and interests of users.
Chapter III Testing and Authentication
Article 12 The state shall promote the construction of the commercial cryptography testing and authentication system and encourage voluntary acceptance of commercial cryptography testing and authentication in commercial cryptography activities.
Article 13 Institutions carrying out commercial cryptography testing activities such as testing of commercial cryptography products and security assessment of application of commercial cryptography in the network and information system, and providing data and results with the function of proof for the public shall be accreditated by the state cryptography administrative department and obtain the qualification of a commercial cryptography testing institution in accordance with the law.
Article 14 To obtain the qualification of a commercial cryptography testing institution, an institution shall meet the following conditions:
(1) It has legal person qualification.
(2) It has the funds, premises, equipment and facilities, professional personnel and professional capabilities suitable for commercial cryptography testing activities.
(3) It has a management system to ensure the effective operation of commercial cryptography testing activities.
Article 15 To apply for the qualification of a commercial cryptography testing institution, a written application shall be filed with the state cryptography administrative department and materials that meet the conditions as stipulated in Article 14 of this Regulation shall be submitted.
The state cryptography administrative department shall, within 20 working days from the date of accepting an application, examine the application and make a decision on whether to grant the accreditation in accordance with the law.
If it is necessary to conduct technical review of an applicant, the time required for the technical review shall not be counted within the time limit as prescribed in this article. The state cryptography administrative department shall notify the applicant of the required time in writing.
Article 16 Commercial cryptography testing institutions shall, in accordance with laws, administrative regulations and technical specifications and rules for commercial cryptography testing, independently, impartially, scientifically and faithfully carry out commercial cryptography testing within the approved scope, be responsible for the testing data and results issued, and submit the information on testing implementation to the state cryptography administrative department on a regular basis.
The technical specifications and rules for commercial cryptography testing shall be developed and issued by the state cryptography administrative department.
Article 17 The market regulation department of the State Council shall, in conjunction with the state cryptography administrative department, establish a unified national commercial cryptography authentication system, implement the authentication of commercial cryptography products, services and management systems, and develop and issue the authentication catalogue, technical specifications and rules.
Article 18 Institutions carrying out commercial cryptography authentication activities shall obtain the qualifications of commercial cryptography authentication institutions in accordance with the law.
To apply for the qualification of a commercial cryptography authentication institution, a written application shall be filed with the market regulation department of the State Council. Besides meeting the basic conditions of authentication institutions as required by laws, administrative regulations and relevant rules of the state, an applicant shall also have the technical capabilities of detection and inspection suitable for the commercial cryptography authentication activities.
The market regulation department of the State Council shall, when examining the application for the qualification of a commercial cryptography authentication institution, request opinions of the state cryptography administrative department.
Article 19 Commercial cryptography authentication institutions shall independently, impartially, scientifically and faithfully carry out commercial cryptography authentication within the approved scope in accordance with laws, administrative regulations and technical specifications and rules for commercial cryptography authentication, and be responsible for the authentication conclusions issued.
A commercial cryptography authentication institution shall carry out an effective follow-up investigation into the commercial cryptography products, services and management systems authenticated by it, to ensure that the authenticated commercial cryptography products, services and management systems continue to satisfy the authentication requirements.
Article 20 Commercial cryptography products that concern national security, national economy and people's livelihood, and social and public interests shall be listed in the catalogue of key network equipment and special products for cybersecurity in accordance with the law, and may be sold or provided only after being tested and authenticated by qualified commercial cryptography testing and certification institutions.
Article 21 Commercial cryptography services that use key network equipment and special products for cybersecurity shall pass the authentication of a commercial cryptography authentication institution.
Chapter IV Electronic Authentication
Article 22 Where commercial cryptography technology is used to provide electronic authentication services, the service provider shall have premises, facilities, professionals, professional capabilities and management systems suitable for the use of cryptography, and obtain the certification documents on the approval of the use of the cryptography issued by the state cryptography administrative department in accordance with the law.
Article 23 An electronic authentication service institution shall, in accordance with laws, administrative regulations and technical standards and rules for the use of cryptogr......