On June 9, 2017, the Cyberspace Administration of China (“CAC”), together with three other agencies, released a Catalog of Critical Network Equipment and Network Security Products (First Batch) (“the Catalog,” original Chinese version available here).  It specifies network products that must be certified before they can be marketed in China.

China’s Cybersecurity Law (see our series of blog posts on the Law here) requires certain “critical network equipment and network security products” to go through a certification process before being marketed in China.  This is a separate requirement from the procurement-related cybersecurity review, which mandates a cybersecurity review of network products or services procured by operators of Critical Information Infrastructure, if such procurement potentially affects China’s national security (discussed here).

Also since 1997, “computer information system security products,” which are defined to include “hardware and software designed to protect information system security,” have had to pass a technical review by the Ministry of Public Security (“MPS”) before they can be marketed in China.  The Cybersecurity Law seeks to consolidate the existing review requirements and agencies are required to issue a comprehensive catalog of approved products.  It is uncertain, however, whether the scope of “critical network equipment and network security products” is more expensive than “computer information system security products.”

The Catalog specifies that “critical network equipment and network security products” must be certified or tested by qualified institutions before being sold or provided in China.  Qualified institutions include institutions jointly confirmed by the Certification and Accreditation Administration, the Ministry of Industry and Information Technology, the MPS and the CAC.

The CAC specified that this is the first “batch” of equipment and products to be covered in a such a catalog, so more are expected to be announced in the future.

The Catalog includes:

  Categories of Equipment or Products Scope
Critical Network Equipment 1. Router Throughput of the Whole System (Bi-direction) ≥ 12 Tbps

Routing Table Capacity of the Whole System ≥ 550,000 pieces

2. Switch Throughput of the Whole System ≥ 30 Tbps

Packet Forwarding Rate of the Whole System ≥ 10 Gpps

3. Server (Rack) Number of CPUs ≥ 8

Number of Cores of a Single CPU ≥ 14

Memory Capacity ≥ 256 GB

4. Programmable Logic Controller (PLC Equipment) Controller Instruction Execution Time ≤ 0.08 ms
Network Security Products 5. Data Backup All-in-one Machine Backup Capacity ≥ 20 TB

Backup Speed ≥ 60 MB/s

Backup Interval ≤ 1 hour

6. Firewall (Hardware) Throughput of the Whole Machine ≥ 80 Gbps

Maximum Concurrent Connections ≥ 3,000,000

New Connections Per Second ≥ 250,000

7. WEB Application Firewall (WAF) Application Throughput of the Whole Machine ≥ 6 Gbps

Maximum HTTP Concurrent Connections ≥ 2,000,000

8. Intrusion Detection System (IDS) Full Detection Rate ≥ 15 Gbps

Maximum Concurrent Connections ≥ 5,000,000

9. Intrusion Prevention System (IPS) Full Detection Rate ≥ 20 Gbps

Maximum Concurrent Connections ≥ 5,000,000

10. Security Isolation and Information Prevention Product (GAP) Throughput ≥ 1 Gbps

System Delay ≤ 5 ms

11. Anti-spam Product Connections Processing Rate (connections/second) > 100

Average Delay Time < 100 ms

12. Network Comprehensive Auditing System Packet Capture Speed≥5 Gbps

Incidents Recording Capacity ≥ 50,000/s

13. Network Vulnerability Scanning Product Maximum Concurrent IP Scanning Amount ≥ 60
14. Secure Database System TPC-E tpsE (Trading Volume Per Second) ≥ 4500
15. Network Recovery Product Recovery Time ≤ 2 ms

The Longest Path of the Site ≥ 10 levels

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.