PRC Cryptography Law
中华人民共和国密码法
Encryption security standards are set for critical information infrastructure
(Adopted at the 14th Session of the Standing Committee of the 13th National People's Congress on October 26, 2019, and effective as of January 1, 2020.)
PRC President's Order (No.35 of the 13th NPC)
Part One: General Provisions
Article 1: This Law has been formulated in order to regulate the application and administration of cryptography, promote the development of cryptography, ensure the security of networks and information, safeguard national security and the public interest and protect the lawful rights and interests of citizens, legal persons and other organizations.
Article 2: For the purposes of this Law, the term "cryptography" means technologies, products and services that provide encryption protection and security authentication of information, etc. by using specific conversion methods.
Article 3: Cryptographic work adheres to a holistic view of national security, and complies with the principles of unified leadership and responsibility divided among levels, innovative development and serving the main objective, and managing and ensuring security in accordance with the law.
Article 4: Hold steadfastly to the leadership of the Communist Party of China in cryptographic work. The central cryptographic work leadership organization shall exercise unified leadership over cryptographic work nationwide, formulate major national policies on cryptographic work, centrally coordinate major national cryptography-related matters and tasks, and promote the state's development of the rule of law relating to cryptography.
Article 5: The state cryptography administration shall be responsible for the administration of cryptographic work on a nationwide basis. Local cryptography administrations at the county level and above shall be responsible for the administration of cryptographic work in their administrative areas.
State authorities and entities that are involved in cryptographic work shall, ex officio, be responsible for cryptographic work within the authority, entity or system in question.
Article 6: The state implements a classification system for the administration of cryptography.
Cryptography is divided into core cryptography, ordinary cryptography and commercial cryptography.
Article 7: Core cryptography and ordinary cryptography are used to protect secret information of the state. The highest confidentiality level for information protected by core cryptography is top secret and that for information protected by ordinary cryptography is secret.
Core cryptography and ordinary cryptography constitute state secrets. Cryptography authorities shall subject core cryptography and ordinary cryptography to stringent centralized administration in accordance with this Law and relevant laws, administrative regulations and state provisions.
Article 8: Commercial cryptography is used to protect information that does not fall within the scope of state secrets.
Citizens, legal persons and other organizations may lawfully use commercial cryptography to protect network and information security.
Article 9: The state encourages and supports scientific and technological research and application of cryptography, lawfully protects intellectual property rights in the cryptography field and promotes scientific and technological progress and innovation in cryptography.
The state strengthens the fostering of cryptography talent and team building, and bestows commendations and rewards in accordance with relevant state provisions on organizations and individuals that make outstanding contributions in cryptographic work.
Article 10: The state adopts numerous means to strengthen education on cryptographic security, incorporates education on cryptographic security into the national education system and public servant education and training system, and heightens the awareness of cryptographic security of citizens, legal persons and other organizations.
Article 11: People's governments at the county level and above shall incorporate cryptographic work into the national economic and social development plans at their levels, and the required funds shall be included in the fiscal budgets for their levels.
Article 12: No organizations or individuals may steal the encrypted information of a third party or unlawfully access a third party's cryptography assurance system.
No organizations or individuals may use cryptography to engage in illegal criminal activities that jeopardize national security, the public interest or the lawful rights and interests of third parties.
Part Two: Core Cryptography and Ordinary Cryptography
Article 13: The state strengthens the scientific planning for, and the management and use of, core cryptography and ordinary cryptography, strengthens system building, improves management measures and enhances cryptography security assurance capabilities.
Article 14: Secret information of the state transmitted over wired or wireless communications as well as information systems that store and process secret information of the state shall use core cryptography or ordinary cryptography in accordance with laws, administrative regulations and relevant state provisions to provide encryption protection and security authentication thereof.
Article 15: Organizations that engage in the scientific research, production, servicing, testing, installation, use and destruction of core cryptography and/or ordinary cryptography (hereinafter collectively referred to as "Cryptographic Work Organizations") shall establish and improve security management systems and adopt stringent confidentiality measures and confidentiality responsibility systems in accordance with laws, administrative regulations and relevant state provisions as well as the requirements of core cryptography and ordinary cryptography standards so as to ensure the security of core cryptography and ordinary cryptography.
Article 16: A cryptography administration shall guide, monitor and inspect the core cryptography and ordinary cryptography work of Cryptographic Work Organizations in accordance with the law, and such organizations shall offer their cooperation therein.
Article 17: As required for its work, a cryptography administration shall, in concert with relevant departments, establish coordination mechanisms for core cryptography and ordinary cryptography security monitoring and warning, security risk assessment, information circulation, meeting for deliberation on major matters and emergency handling, so as to ensure coordination, joint action, order and efficiency in security management of core cryptography and ordinary cryptography.
If a Cryptographic Work Organization discovers a leakage of secrets by core cryptography or ordinary cryptography or a major issue or latent risk that could affect the security of core cryptography or ordinary cryptography, it shall promptly take countermeasures and report the same to the confidentiality administrative department and cryptography administration in a timely manner. The confidentiality administrative department and cryptography administration shall, in concert with relevant departments, arrange for the conduct of an investigation, deal with the matter and guide the Cryptographic Work Organization in eliminating, in a timely manner, the latent security hazard.
Article 18: The state strengthens the development of Cryptographic Work Organizations and ensures that they perform their work duties.
The state has established management systems for the employment, transfer, confidentiality, evaluation, training, remuneration, rewarding/punishment, exchange, dismissal, etc. of the required personnel appropriate for core cryptography and ordinary cryptography work.
Article 19: As required for its work, a cryptography administration may, in accordance with relevant state provisions, request that the public security, transport, customs or other such department provide conveniences such as exemption from inspection to items and personnel connected with core cryptography and ordinary cryptography, and the relevant department shall offer its assistance.
Article 20: Cryptography administrations and Cryptographic Work Organizations shall establish and improve stringent monitoring and security review systems, monitor the compliance by their working personnel with laws and discipline, and take necessary measures in accordance with the law to arrange for the conduct of security reviews on a regular or ad hoc basis.
Part Three: Commercial Cryptography
Article 21: The state encourages the research and development of, academic exchanges on, commercialization of the achievements of, and the promotion and application of, commercial cryptographic technologies, and a sound, uniform, open, competitive and orderly commercial cryptography market regime, and encourages and promotes the development of the commercial cryptography industry.
People's governments and their relevant departments at every level shall abide by the principle of non-discrimination in treating the scientific research, production, sales, servicing and import-export entities of commercial cryptography, including foreign-invested enterprises (hereinafter collectively referred to as "Commercial Cryptography Entities"), equally in accordance with the law. The state encourages, in the course of foreign investment, cooperation in commercial cryptographic technologies carried out based on the principle of free will and business rules. An administrative authority and its working personnel may not use administrative means to compel the transfer of commercial cryptographic technology.
The scientific research, production, sale, servicing and import-export of commercial cryptography may not jeopardize national security, the public interest or the lawful rights and interests of third parties.
Article 22: The state establishes and improves a system of commercial cryptography standards.
The State Council administrative department in charge of standardization and the state cryptography administration shall each, ex officio, arrange for the formulation of state standards and industry standards for commercial cryptography.
The state supports associations and enterprises in using their own innovative technologies to formulate association standards or enterprise standards for commercial cryptography that exceed the relevant technical requirements of state standards or industry standards.
Article 23: The state promotes participation in international commercial cryptography standardization activities, participation in the formulation of international standards for commercial cryptography and promotes conversion between PRC standards and international standards for commercial cryptography and the application thereof.
The state encourages enterprises, associations, as well as educational and scientific research institutions to participate in international commercial cryptography standardization activities.
Article 24: In carrying out commercial cryptography activities, a Commercial Cryptography Entity shall comply with laws, administrative regulations, mandatory state commercial cryptography standards as well as the technical requirements of the entity's disclosed standards.
The state encourages Commercial Cryptography Entities to adopt recommended state and industry commercial cryptography standards, enhance the preventive capabilities of commercial cryptography and safeguard the lawful rights and interests of users.
Article 25: The state promotes the development of a commercial cryptography testing and certification system, the formulation of technical specifications and rules for commercial cryptography testing and certification, and encourages Commercial Cryptography Entities to voluntarily submit to commercial cryptography testing and certification so as to enhance their market competitiveness.
A commercial cryptography testing and certification institution shall secure the relevant qualifications in accordance with the law, and carry out commercial cryptography testing and certification in accordance with laws, administrative regulations and the technical specifications and rules for commercial cryptography testing and certification.
A commercial cryptography testing and certification institution shall bear an obligation of confidentiality in respect of the state secrets and trade secrets to which it is privy in the course of commercial cryptography testing and certification.
Article 26: Commercial cryptographic products that have a bearing on national security, the national economy and people's livelihoods, or the public interest shall be included in the catalogue for critical network equipment and designated cybersecurity products in accordance with the law, and may only be sold or offered after testing and certification by a qualified institution. The testing and certification of commercial cryptographic products shall be governed by relevant provisions of the PRC Cybersecurity Law so as to avoid duplicated testing and certification.
Where a commercial cryptographic service uses critical network equipment and designated cybersecurity products, such commercial cryptographic service shall have been certified by a commercial cryptography certification institution.
Article 27: For critical information infrastructure that is required by a law, administrative regulations or relevant state provisions to use commercial cryptography for protection, the operator thereof shall use commercial cryptography to protect the same and shall conduct an assessment of the security of the commercial cryptography applications itself or entrust the same to a commercial cryptography testing institution. The assessment of the security of a commercial cryptography application shall dovetail with the critical information infrastructure security testing and assessment and cybersecurity level testing and assessment systems, so as to avoid duplicate evaluations and duplicate testing and assessments.
Where the network products or services procured by the operator of critical information infrastructure involve commercial cryptography and could affect national security, the same shall be subject to a national security review organized by the cyberspace administration in concert with relevant departments such as the state cryptography administration in accordance with the PRC Cybersecurity Law.
Article 28: The State Council department in charge of commerce and state cryptography administration shall, in accordance with the law, subject commercial cryptographic products that have a bearing on national security or the public interest and that have encryption protection functions to import licensing, and commercial cryptographic products that have a bearing on national security, the public interest or international obligations borne by China to export control. The lists of commercial cryptographic products subject to import licensing and export control shall be formulated and published by the State Council department in charge of commerce in concert with the state cryptography administration and the General Administration of Customs.
Commercial cryptography used in mass consumption products shall not be subject to the import licensing and export control systems.
Article 29: The state cryptography administration shall subject authorities that use commercial cryptographic technologies to provide electronic government and electronic certification services to accreditation, and, in concert with relevant departments, shall be responsible for the administration of electronic signatures and data messages used in government activities.
Article 30: Organizations such as industry associations in the commercial cryptography field shall provide information, technical, training and other such services to Commercial Cryptography Entities in accordance with laws, administrative regulations and their charters, guide and cause Commercial Cryptography Entities to lawfully engage in commercial cryptography activities, strengthen industry self-regulation, promote integrity in the industry and promote the healthy development of the industry.
Article 31: A cryptography administration and relevant departments shall establish a commercial cryptography during-the-event and post-event oversight system that combines routine oversight with random inspections, establish a unified commercial cryptography regulatory information platform, promote the dovetailing of during-the-event and post-event oversight with the social credit system, and strengthen the self-regulation and public scrutiny of Commercial Cryptography Entities.
A cryptography administration, relevant departments and their working personnel may not require a Commercial Cryptography Entity or commercial cryptography testing and certification institution to disclose source code or other such cryptography related proprietary information to them, shall keep strictly confidential trade secrets and private personal information to which they are privy in the course of performing their duties, and may not disclose or illegally provide the same to third parties.
Part Four: Legal Liability
Article 32: Where Article 12 hereof is violated by stealing the information of a third party protected with encryption, illegally accessing a third party's cryptography protected system or using cryptography to engage in illegal activities that jeopardize national security, the public interest, the lawful rights and interests of third parties, etc., legal liability therefor shall be pursued by the relevant department in accordance with the PRC Cybersecurity Law and other relevant laws and administrative regulations.
Article 33: Where Article 14 hereof is violated by not using core cryptography or ordinary cryptography as required, the cryptography administration shall order rectification thereof or halting of the illegal act and give a warning. If the circumstances are serious, the cryptography administration shall recommend that the relevant state authority or entity discipline or deal with the supervisor directly responsible and other directly responsible persons in accordance with the law.
Article 34: Where this Law is violated, giving rise to a core cryptography or ordinary cryptography secret leakage case, the confidentiality administrative department and/or cryptography administration shall recommend that the relevant state authority or entity discipline or deal with the supervisor directly responsible and other directly responsible persons in accordance with the law.
Where the second paragraph of Article 17 hereof is violated by failing to promptly take countermeasures or failing to make a report in a timely manner when it is discovered that there is a leakage of secrets from core cryptography or ordinary cryptography or a major issue or latent risk that could affect the security of core cryptography or ordinary cryptography, the confidentiality administrative department and/or cryptography administration shall recommend that the relevant state authority or entity discipline or deal with the supervisor directly responsible and other directly responsible persons in accordance with the law.
Article 35: If a commercial cryptography testing and certification institution violates the second paragraph or third paragraph of Article 25 hereof in carrying out commercial cryptography testing or certification, the administration for market regulation shall, in concert with the cryptography administration, order it to rectify the same or halt the illegal act, give it a warning and confiscate the illegal income. If the illegal income is at least Rmb300,000, it may additionally impose a fine of not less than the amount of and not more than three times the illegal income. If there is no illegal income or the illegal income is less than Rmb300,000, it may additionally impose a fine of not less than Rmb100,000 and not more than Rmb300,000. If the circumstances are serious, the institution's relevant qualifications shall be revoked in accordance with the law.
Article 36: Where Article 26 hereof is violated by selling or offering a commercial cryptographic product that has not undergone testing and certification or failed testing and certification or by offering a commercial cryptographic service that has not undergone certification or failed certification, the administration for market regulation shall, in concert with the cryptography administration, order rectification thereof or halting of the illegal act, give a warning and confiscate the illegal product and illegal income. If the illegal income is at least Rmb100,000, it may additionally impose a fine of not less than the amount of and not more than three times the illegal income. If there is no illegal income or the illegal income is less than Rmb100,000, it may additionally impose a fine of not less than Rmb30,000 and not more than Rmb100,000.
Article 37: If an operator of critical information infrastructure violates the first paragraph of Article 27 hereof by failing to use commercial cryptography as required or failing to conduct a security assessment of a commercial cryptography application, the cryptography administration shall order it to rectify the same and give it a warning. If it refuses to rectify the same, or a consequence such as the jeopardizing of cybersecurity arises as a result thereof, a fine of not less than Rmb100,000 and not more than Rmb1 million shall be imposed on it, and a fine of not less than Rmb10,000 and not more than Rmb100,000 shall be imposed on the supervisor directly responsible.
If an operator of critical information infrastructure violates the second paragraph of Article 27 hereof by using a product or service that has not undergone a security review or has failed a security review, the relevant competent authority shall order it to cease using the same and impose a fine of not less than the procurement amount and not more than 10 times the procurement amount. A fine of not less than Rmb10,000 and not more than Rmb100,000 shall be imposed on the supervisor directly responsible and other directly responsible persons.
Article 38: Where a commercial cryptographic product subject to import licensing or export control provisions is imported or exported in violation of Article 28 hereof, the State Council department in charge of commerce or customs shall impose penalties in accordance with the law.
Article 39: Where Article 29 hereof is violated by engaging in electronic government or electronic certification services without having undergone accreditation, the cryptography administration shall order rectification thereof or halting of the illegal act, give a warning and confiscate the illegal product and illegal income. If the illegal income is at least Rmb300,000, it may additionally impose a fine of not less than the amount of and not more than three times the illegal income. If there is no illegal income or the illegal income is less than Rmb300,000, it may additionally impose a fine of not less than Rmb100,000 and not more than Rmb300,000.
Article 40: If a member of the working personnel of a cryptography administration or of a relevant department or entity abuses his/her authority, is derelict in his/her duties, practices favoritism or fraud in the course of his/her cryptography related work or discloses or illegally provides to a third party trade secrets or private personal information to which he/she is privy in the course of performing his/her duties, he or she shall be disciplined in accordance with the law.
Article 41: If a violation of this Law constitutes a criminal offense, criminal liability shall be pursued in accordance with the law. If the same causes injury to a third party, civil liability shall be borne in accordance with the law.
Part Five: Supplementary Provisions
Article 42: The state cryptography administration shall formulate rules and regulations for the administration of cryptography in accordance with laws and administrative regulations.
Article 43: The measures for the administration of the cryptographic work of the Chinese People's Liberation Army and Chinese People's Armed Police Force shall be formulated by the Central Military Commission in accordance herewith.
Article 44: This Law shall be effective as of January 1, 2020.