Cryptography Law of the People’s Republic of China

By Todd Kuhns

Last Updated on Jan 1, 2020

Effective Date: 01-01-2020

Source: Website

Chinese Title: 中华人民共和国密码法

Presidential Decree No. 35

The Cryptography Law of the People’s Republic of China, adopted at the 14th Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on October 26, 2019, is hereby promulgated, effective January 1, 2020.

Xi Jinping

President of the People’s Republic of China

October 26, 2019

(Adopted at the 14th Session of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on October 26, 2019)

Chapter I General Provisions

Article 1 This Law is enacted with a view to regulating the application and administration of cryptography, promoting the development of cryptography undertakings, safeguarding cyber and information security, and protecting the legitimate rights and interests of citizens, legal persons and other organizations.

Article 2 For the purpose of this Law, the term “cryptography” refers to products, technologies and services that use specific transformations to carry out encryption protection or security authentication for information, etc.

Article 3 Cryptography shall adhere to the overall concept of state security and follow the principles of unified leadership, graded responsibility, innovative development, serving the overall situation, administration in accordance with the law and security assurance.

Article 4 It is imperative to adhere to the leadership of the Communist Party of China on cryptography. The Central Cryptography Work Leading Body shall exercise unified leadership over the national cryptography work, develop major guidelines and policies for national cryptography work, make overall arrangements and coordinate major national cryptography matters and work in this regard, and promote rule of law in the national cryptography.

Article 5 The State Cryptography Administration is responsible for the administration of cryptography work nationwide, while cryptogram administrations at the county level or above take charge of the administration of cryptography work within their respective administrative regions. State agencies and organizations involving cryptography shall be responsible for cryptography of their own agencies, organizations or systems within the scope of their duties.

Article 6 The State administers cryptography by category. Cryptography is classified into three categories, namely core cryptography, ordinary cryptography, and commercial cryptography.

Article 7 Core cryptography and ordinary cryptography shall be used to protect state secrets. The highest level of confidentiality of the core cryptography protected information is top-secret, and that of ordinary cryptography protected information is secret. Core cryptography and ordinary cryptography are state secrets. Cryptography administrations shall exercise strict and unified administration of core cryptography and ordinary cryptography in accordance with this Law, relevant laws, administrative regulations and the relevant provisions of the State.

Article 8 Commercial cryptography is used to protect information that is not a state secret. Any citizen, legal person or any other organization may use commercial cryptography to protect cybersecurity and information security in accordance with the law.

Article 9 The State encourages and supports science and technology research and application of cryptography, protects intellectual property rights in this regard according to law, and promotes progress and innovation for science and technology on cryptography. The State enhances the cultivation of cryptogram talent and team building. Organizations and individuals who have made outstanding contributions to cryptography will be commended and rewarded in accordance with relevant state regulations.

Article 10 The State adopts various forms to strengthen cryptography security education, integrates cryptography security education into the national education system and civil servant education and training system, and strengthens the cryptography security awareness of citizens, legal persons and other organizations.

Article 11 People’s governments above the county level shall incorporate cryptography into their plans for national economic and social development and list the required expenses in the fiscal budget at the same level.

Article 12 No organization or individual may steal others’ information under encryption protection or illegally invade others’ cryptography security system. No organization or individual may use cryptography to engage in illegal or criminal activities that endanger national security, public interests or the legitimate rights and interests of others.

Chapter II Core Cryptography and Ordinary Cryptography

Article 13 The state strengthens the scientific planning, administration and use of core cryptography and ordinary cryptography, enhances the system development, improves administrative measures, and reinforces the cryptography security guarantee capability.

Article 14 State secret information that is transmitted through wire or wireless communications and information systems used to store or process State secret information shall be protected by encryption or undergo security authentication by using core cryptography or ordinary cryptography in accordance with laws, administrative regulations and the relevant provisions of the State.

Article 15 Agencies engaged in, among others, scientific research, production, services, testing, equipment, use and destruction of core cryptography and ordinary cryptography (hereinafter collectively referred to as cryptography-related agencies) shall establish a sound security management system in accordance with the laws, administrative regulations, relevant national regulations and requirements for criteria of core cryptography and ordinary cryptography, and take strict confidentiality measures and confidentiality accountability system to ensure the security of core cryptography and ordinary cryptography.

Article 16 Cryptography administrations shall guide, supervise and inspect the work relating to core cryptography and ordinary cryptography of cryptography-related agencies, and such agencies shall provide necessary cooperation in this regard.

Article 17 Cryptogram administrations shall, in concert with the relevant authorities, establish a collaboration mechanism for the monitoring and early warning, security risk evaluation, information notification, consultation on major matters and emergency response concerning core cryptography and ordinary cryptography, so as to ensure that the security administration of core cryptography and ordinary cryptography can be coordinated, orderly and efficient. If a cryptography-related agency discovers the divulgence of core cryptography or ordinary cryptography or any major problem or hidden risk affecting the security of core cryptography or ordinary cryptography, it shall take immediate response measures and report the same to the secrecy administration and the cryptogram administration in a timely manner. The secrecy administration and the cryptogram administration shall, in concert with relevant authorities, investigate and deal with the situation, and guide the cryptography-related agency to eliminate security hidden risks in a timely manner.

Article 18 The State strengthens the building of cryptography-related agencies to ensure their performance of duties. The State establishes management systems for the employment, selection, confidentiality, assessment, training, benefits, rewards and punishments, exchange, exit, etc. of personnel that meet the needs of core cryptography and ordinary cryptography.

Article 19 Cryptogram administrations may, as needed for work, propose such authorities as public security, transport and customs to grant inspection exemption and other facilitation for the articles and persons relating to core cryptography and ordinary cryptography in accordance with the relevant provisions of the State.

Article 20 Cryptography administrations and cryptography-related agencies shall establish a sound and strict supervision and security review system, supervise their staff’s compliance with laws and disciplines, and take necessary measures according to law to organize security audits on a regular or irregular basis.

Chapter III Commercial Cryptography

Article 21 The State encourages the research and development, academic exchanges, achievement transformation and popularization and application of commercial cryptography technologies, improves a unified, open, competitive, and orderly market system for commercial cryptography, and encourages and promotes the development of the commercial cryptography industry. The people’s governments at all levels and their relevant departments shall follow the principle of non-discrimination, and equally treat foreign-invested enterprises and other agencies engaging in scientific research, production, sales, services, import and export of commercial cryptography (hereinafter collectively referred to as “commercial cryptography agencies”) in accordance with the law. The State encourages commercial cryptography technology cooperation based on the principle of voluntariness and business rules in the course of foreign investment. Administrative agencies and their staff shall not force the transfer of commercial cryptography technologies by administrative means.

The scientific research, production, sales, services and import and export of commercial cryptography shall not impair state security, social public interests or the legitimate rights and interests of others.

Article 22 The State establishes and improves the system of commercial cryptography standards. The standardization administrative authority of the State Council and the state cryptography administration shall organize the formulation of national and industry standards for commercial cryptography according to their respective duties.

The State supports social groups and enterprises in making use of independent innovation technologies to develop group standards and corporate standards for commercial cryptography that are higher than the relevant technical requirements of national standards and industrial standards.

Article 23 The State promotes participation in international standardization activities on commercial cryptography and participation in the development of international standards for commercial cryptography, and promotes the transformation between Chinese standards and foreign standards on commercial cryptography. The State encourages enterprises, social groups, and educational and scientific research institutions to participate in international standardization activities on commercial cryptography.

Article 24 Commercial cryptography-related agencies that carry out activities involving commercial cryptography shall comply with the relevant laws, administrative regulations, mandatory national standards on commercial cryptography and the technical requirements of their disclosed standards. The State encourages commercial cryptography-related agencies to adopt recommended national standards and industry standards for commercial cryptography, to enhance the protection capabilities of commercial cryptography, and to safeguard the legitimate rights and interests of users.

Article 25 The State promotes the development of testing and certification system for commercial cryptography, formulates technical standards and rules for the testing and certification of commercial cryptography, and encourages commercial cryptography-related agencies to voluntarily accept the testing and certification of commercial cryptography to improve their market competitiveness. Commercial cryptography testing and certification agencies shall obtain relevant qualifications according to law, and carry out commercial cryptography testing and certification in accordance with the provisions of laws, administrative regulations, technical specifications and rules on testing and certification for commercial cryptography.

Commercial cryptography testing and certification agencies shall keep confidential state secrets and trade secrets known to them during their commercial cryptography testing and certification.

Article 26 The commercial cryptography products involving state security, national economy and people’s livelihood, and social public interests shall be included in the catalogue of critical network equipment and dedicated cybersecurity products according to law. No sale or supply of such products may be made until they have passed the testing and certification conducted by a qualified agency. The relevant provisions of the Cybersecurity Law of the People’s Republic of China shall apply to the testing and certification of commercial cryptography products to avoid repeated testing and certification. Commercial cryptography services using critical network equipment and dedicated cybersecurity products shall pass the certification of such services conducted by commercial cryptography certification agencies.

Article 27 For critical information infrastructure that laws, administrative regulations, and relevant national regulations require the protection by commercial cryptography, the operators thereof shall use commercial cryptography for protection and conduct security assessment of commercial cryptography applications on their own or by entrusting commercial cryptography testing agencies. The security assessment of commercial encryption applications shall be connected with the security testing and assessment and cybersecurity grade assessment systems for critical information infrastructure, so as to avoid repeated evaluation and assessment. Where an operator of critical information infrastructure procures network products and services involving commercial cryptography, which may affect state security, it shall go through a state security review organized by the state cyberspace administration in concert with the state cryptography administration and other relevant authorities in accordance with the provisions of the Cybersecurity Law of the People’s Republic of China.

Article 28 The commerce department of the State Council and the state cryptography administration shall implement import licensing for commercial cryptography that involves State security and public interest and that have encryption protection functions. They shall implement export control on commercial cryptography that involves State security and public interest or that involves the international obligations of China. The list of commercial cryptography subject to import licensing and the list of commercial cryptography subject to export controls shall be developed and announced by the commerce department of the State Council in conjunction with the state cryptography administration and the General Administration of Customs. Commercial cryptography used in mass consumer products is not subject to import licensing and export control systems.

Article 29 The state cryptography administration shall accredit those agencies that use commercial cryptography technologies for e-government and e-certification services, and shall be responsible for the use of electronic signatures and data messages in government affairs.

Article 30 Organizations such as trade associations in the field of commercial cryptography shall provide commercial cryptography-related agencies with information, technology, training and other services in accordance with laws, administrative regulations and their respective articles of association, guide and supervise commercial cryptography-related agencies to carry out commercial cryptography-related activities in accordance with the law, enhance industry self-discipline, drive integrity cultivation in the industry, and promote the healthy development of the industry.

Article 31 Cryptography administrations and related authorities shall establish an interim and ex post regulation system for commercial cryptography combining routine regulation and random checks, establish a unified regulation information platform for commercial cryptography, promote the connection between interim and ex post regulation and the social credit system, and strengthen the self-discipline and social supervision of commercial cryptography agencies. Cryptography administrations and related authorities and the staff thereof shall not require commercial cryptography-related agencies and commercial cryptography testing or certification agencies to disclose their source codes and other proprietary cryptography-related information. They shall keep strictly confidential trade secrets and personal privacy obtained during the performance of their duties and shall not disclose or illegally provide the same to others.

Chapter IV Legal Liability

Article 32 Whoever, in violation of Article 12 of this Law, steals encrypted information of others, illegally intrudes into the cryptography security system of others, or uses cryptography to engage in any activities jeopardizing the national security, public interests or legitimate rights and interests of others, shall be investigated for legal liability according to the provisions of the Cybersecurity Law of the People’s Republic of China or other relevant laws and administrative regulations.

Article 33 For anyone who uses core cryptography or ordinary cryptography in violation of Article 14 hereof, the cryptography administration concerned shall order him to make rectification or to cease the illegal act and give a warning to him. If the case is serious, the cryptography administration shall suggest the relevant State authority or agency to take disciplinary actions or impose punishments against the directly responsible personnel and other individuals directly held liable in accordance with the law.

Article 34 Where core cryptography or ordinary cryptography is divulged in violation of this Law, the secrecy administration and cryptography administration shall suggest relevant state organs or agencies to take disciplinary actions or impose punishments against the head directly in charge and other individuals directly held liable in accordance with the law. In the case of divulging of core cryptography or ordinary cryptography or any other major problems or hidden risks that may affect core cryptography or ordinary cryptography security, if the discoverer fails to take immediate response measures or to promptly report the same, which is in violation of Paragraph 2, Article 17 hereof, the secrecy administration or cryptography administration shall suggest state organs or agencies to take disciplinary actions or impose punishments against the head directly in charge and other individuals directly held liable in accordance with the law.

Article 35 For any testing or certification agency that conducts testing or certification of commercial cryptography in violation of the provisions of Paragraph 2 or Paragraph 3 of Article 25 hereof, the market regulatory body shall, in conjunction with the cryptography administration, order it to make corrections or to cease the illegal act, give it a warning and confiscate the illegal income. If the illegal income exceeds 300,000 yuan, a fine of not less than one time but not more than three times the illegal income may be imposed concurrently; if there is no illegal income or the illegal income is less than 300,000 yuan, a fine of not less than 100,000 yuan but not more than 300,000 yuan may be imposed concurrently; in serious circumstances, the relevant qualification shall be revoked in accordance with the law.

Article 36 For anyone who, in violation of Article 26 hereof, sells or provides commercial cryptography products or services that have not undergone security certification or that have failed to pass security certification, the market regulatory body shall order it to make rectification or to cease the illegal act, give it a warning, and confiscate its illegal products and illegal income. If the illegal income exceeds 100,000 yuan, a fine of not less than one time and not more than three times the illegal income may be imposed concurrently. If there is no illegal income or the illegal income is less than 100,000 yuan, a fine of not less than 30,000 yuan but not more than 100,000 yuan may be imposed concurrently.

Article 37 Where an operator of critical information infrastructure fails to use commercial cryptography or to conduct security assessment of commercial cryptography applications as required, which is in violation of Paragraph 1 of Article 27 hereof, the cryptography administration shall order it to make rectification and give it a warning. If the operator fails to do so as required or the violation has resulted in harms to cybersecurity or other consequences, the operator and the head directly in charge shall be imposed a fine of not less than 100,000 yuan but not more than one million yuan and a fine of not less than 10,000 yuan but not more than 100,000 yuan respectively. Where an operator of critical information infrastructure uses commercial cryptography that does not undergo security review or fails to pass security review, which is in violation of Paragraph 2, Article 27 hereof, the competent authority shall order it to cease the use and impose a fine of one up to three times the amount for procurement of such commercial cryptography against the operator and a fine of not less than 10,000 yuan but not more than 100,000 yuan against the head directly in charge and other persons directly liable.

Article 38 Where an operator of critical information infrastructure imports or exports commercial cryptography in violation of the provisions of Article 28 hereof on import licensing or export control, the commerce department of the State Council or the Customs shall penalize it in accordance with the law.

Article 39 For anyone who provides electronic authentication services for electronic government affairs without being identified as having such qualification, which violates the provisions of Article 29 hereof, the cryptography administration shall order it/him to make rectification or to cease the illegal act, give it/him a warning and confiscate its/his illegal products and illegal income. If the illegal income exceeds 300,000 yuan, the cryptography administration may impose upon it/him a fine of one up to three times the illegal income concurrently. If there is no illegal income or the illegal income is less than 300,000 yuan, the cryptography administration may impose upon it/him a fine of not less than 100,000 yuan but not more than 300,000 yuan concurrently.

Article 40 Any staff member of a cryptography administration or any other authority or agency who abuses his/her power, neglects his/her duties or engages in malpractice for personal gains in carrying out cryptography-related work shall be subject to disciplinary actions in accordance with the law.

Article 41 Any violation of the provisions hereof that constitutes a crime shall be investigated for criminal liability according to law; in the case of damages caused to others, the offender shall bear civil liability in accordance with the law.

Chapter V Supplemental Provisions

Article 42 State cryptography administrations shall develop cryptography administration regulations in accordance with laws and administrative regulations.

Article 43 Administrative measures on cryptography for the Chinese People’s Liberation Army and the Chinese People’s Armed Police Force shall be formulated by the Central Military Commission of the People’s Republic of China according to this Law.

Article 44 This law shall come into force as of January 1, 2020.