On May 11, 2020, the State Cryptography Administration (“SCA”) and the State Administration for Market Regulation jointly issued the Commercial Encryption Product Certification Catalogue (First Batch) (“Product Catalogue”) and the Commercial Encryption Product Certification Measures (“Certification Measures”) (the announcement is available here), taking effect immediately.

 

Prior to the adoption of the Encryption Law (see our post on the Encryption Law here), manufacturers of commercial encryption products were required to apply to the SCA for the “Commercial Encryption Products Type and Model Certificate.”  The Encryption Law removed this approval requirement by establishing a voluntary certification scheme, which encourages manufacturers to voluntarily apply to qualified agencies for the testing and certification of their commercial encryption products.  The release of the Product Catalogue and the Certification Measures marks a critical step forward in implementing such a voluntary certification scheme under the Encryption Law.

 

Going forward, the manufacturers of products listed on the Product Catalogue will no longer be subject to mandatory approval requirements before launching their products in the market.  The voluntary certification, which will provide a marking, only serves as assurance to customers that their commercial encryption products conform with Chinese encryption standards.  Note that the certification will be based on the standards approved by SCA, such as those using China’s ZUC encryption algorithm.

 

With respect to imported encryption products, the Encryption Law establishes an import licensing framework for commercial encryption that “may impact national security or the public interest” and “provides an encryption protection function,” which specifically carves out the import of “products for consumption by the general population.”  It is unclear whether the commercial encryption products included in the Product Catalogue may fall within the scope of “products for consumption by the general population” and therefore can be freely imported into China.

 

Finally, the Certification Measures set out the process by which manufacturers of commercial encryption products (“Certification Clients”) can apply for certification with the qualified agency conducting the certification (“Certification Agency”):

 

As a general matter, the certification remains valid for a five-year period.  If (1) the certified product or entity producing said product undergoes any changes or (2) the Certification Client wishes to expand the range of products covered by certification, the Certification Client shall notify the Certification Agency of the changes, so that the Certification Agency may conduct a further review.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.