People's Republic of China Cryptography Law
Publish Time: 2023-03-08
(Adopted at the Fourteenth Meeting of the Standing Committee of the Thirteenth National People's Congress on October 26, 2019)
Table of Contents
Chapter 1 General Provisions
Chapter 2 Core Cryptography and Ordinary Cryptography
Chapter 3 Commercial Cryptography
Chapter 4 Legal Liability
Chapter 5 Supplementary Provisions
Chapter 1 General Provisions
Article 1 This Law is formulated to standardize the application and management of cryptography, promote the development of the cryptography industry, safeguard network and information security, uphold national security and public interests, and protect the legitimate rights and interests of citizens, legal persons, and other organizations.
Article 2 As used in this Law, "cryptography" refers to the technology, products, and services that use specific transformation methods to encrypt and protect information and perform secure authentication.
Article 3 Cryptography work adheres to the overall national security outlook and follows the principles of unified leadership, tiered responsibility, innovative development, serving the overall situation, management according to law, and security assurance.
Article 4 The leadership of the Communist Party of China over cryptography work is upheld. The central leading body for cryptography work exercises unified leadership over national cryptography work, formulates major policies and principles for national cryptography work, coordinates major national cryptography matters and important work, and promotes the construction of national cryptography legislation.
Article 5 The national cryptography management department is responsible for managing national cryptography work. The cryptography management departments at all levels of local governments above the county level are responsible for managing cryptography work within their respective administrative regions.
State organs and units involved in cryptography work are responsible for the cryptography work of their respective organs, units, or systems within the scope of their duties.
Article 6 The state implements a classified management system for cryptography.
Cryptography is divided into core cryptography, ordinary cryptography, and commercial cryptography.
Article 7 Core cryptography and ordinary cryptography are used to protect state secret information. The highest security level of information protected by core cryptography is top secret, and the highest security level of information protected by ordinary cryptography is secret.
Core cryptography and ordinary cryptography constitute state secrets. The cryptography management department shall, in accordance with this Law and other relevant laws, administrative regulations, and state regulations, strictly and uniformly manage core cryptography and ordinary cryptography.
Article 8 Commercial cryptography is used to protect information that does not constitute state secrets.
Citizens, legal persons, and other organizations may use commercial cryptography to protect network and information security in accordance with the law.
Article 9 The state encourages and supports research and application of cryptography science and technology, protects intellectual property rights in the field of cryptography according to law, and promotes progress and innovation in cryptography science and technology.
The state strengthens the cultivation of cryptography personnel and team building. Organizations and individuals who make outstanding contributions to cryptography work shall be commended and rewarded in accordance with relevant state regulations.
Article 10 The state adopts various forms to strengthen cryptography security education, incorporating cryptography security education into the national education system and the education and training system for civil servants, to enhance the awareness of cryptography security among citizens, legal persons, and other organizations.
Article 11 People's governments at or above the county level shall include cryptography work in their national economic and social development plans, and the required funds shall be included in their fiscal budgets.
Article 12 No organization or individual may steal encrypted information belonging to others or illegally intrude into others' cryptography-protected systems.
No organization or individual may use cryptography to engage in illegal and criminal activities that endanger national security, public interests, or the legitimate rights and interests of others.
Chapter 2 Core Cryptography and Ordinary Cryptography
Article 13 The state strengthens the scientific planning, management, and use of core cryptography and ordinary cryptography, strengthens institutional construction, improves management measures, and enhances cryptography security capabilities.
Article 14 State secret information transmitted in wired and wireless communications, as well as information systems that store and process state secret information, shall be encrypted and authenticated using core cryptography and ordinary cryptography in accordance with laws, administrative regulations, and relevant state regulations.
Article 15 Institutions engaged in research, production, services, testing, equipment, use, and destruction of core cryptography and ordinary cryptography (hereinafter referred to as cryptography work institutions) shall establish and improve security management systems, adopt strict confidentiality measures and confidentiality responsibility systems, and ensure the security of core cryptography and ordinary cryptography in accordance with laws, administrative regulations, relevant state regulations, and the requirements of core cryptography and ordinary cryptography standards.
Article 16 The cryptography management department shall, in accordance with the law, guide, supervise, and inspect the work of core cryptography and ordinary cryptography in cryptography work institutions, and cryptography work institutions shall cooperate.
Article 17 According to work needs, the cryptography management department shall, in conjunction with relevant departments, establish cooperation mechanisms such as security monitoring and early warning, security risk assessment, information reporting, consultation on major matters, and emergency response for core cryptography and ordinary cryptography to ensure coordinated and efficient management of core cryptography and ordinary cryptography.
If a cryptography work institution discovers a major problem or risk concerning the leakage of core cryptography and ordinary cryptography or affecting the security of core cryptography and ordinary cryptography, it shall immediately take countermeasures and promptly report to the administrative department for state secrets and the cryptography management department. The administrative department for state secrets and the cryptography management department shall, in conjunction with relevant departments, organize investigations and disposal, and guide relevant cryptography work institutions to eliminate security risks in a timely manner.
Article 18 The state strengthens the construction of cryptography work institutions and ensures that they perform their work responsibilities.
The state establishes management systems for personnel recruitment, selection, confidentiality, assessment, training, treatment, rewards and punishments, exchange, and exit that meet the needs of core cryptography and ordinary cryptography work.
Article 19 If necessary, the cryptography management department may, in accordance with relevant state regulations, request the public security, transportation, and customs departments to provide inspection exemptions and other conveniences for items and personnel related to core cryptography and ordinary cryptography, and the relevant departments shall provide assistance.
Article 20 Cryptography management departments and cryptography management agencies shall establish and improve a strict supervision and security review system, supervise their staff's compliance with laws and disciplines, and take necessary measures in accordance with the law to organize and conduct security reviews regularly or irregularly.
Chapter 3 Commercial Cryptography
Article 21 The state encourages research and development, academic exchanges, transformation of achievements, and promotion of commercial cryptography technology, improves a unified, open, competitive, and orderly commercial cryptography market system, and encourages and promotes the development of the commercial cryptography industry.
All levels of people's governments and their relevant departments shall follow the principle of non-discrimination and treat equally under the law commercial cryptography research, production, sales, service, import and export units (hereinafter referred to as commercial cryptography industry units), including foreign-invested enterprises. The state encourages commercial cryptography technology cooperation based on the voluntary principle and commercial rules during foreign investment. Administrative organs and their staff shall not use administrative means to forcibly transfer commercial cryptography technology.
The research, production, sales, service, and import and export of commercial cryptography shall not harm national security, public interests, or the legitimate rights and interests of others.
Article 22 The state establishes and improves a commercial cryptography standard system.
The state standardization administrative department and the national cryptography management department, in accordance with their respective responsibilities, organize the formulation of national standards and industry standards for commercial cryptography.
The state supports social groups and enterprises in using independent innovation technology to formulate commercial cryptography group standards and enterprise standards that have higher technical requirements than national standards and industry standards.
Article 23 The state promotes participation in international standardization activities for commercial cryptography, participates in the formulation of international standards for commercial cryptography, and promotes the conversion and application of Chinese standards for commercial cryptography and foreign standards.
The state encourages enterprises, social groups, and educational and research institutions to participate in international standardization activities for commercial cryptography.
Article 24 Commercial cryptography industry units engaging in commercial cryptography activities shall comply with relevant laws, administrative regulations, mandatory national standards for commercial cryptography, and the technical requirements of the open standards of the industry unit.
The state encourages commercial cryptography industry units to adopt recommended national standards and industry standards for commercial cryptography to improve the protection capabilities of commercial cryptography and protect the legitimate rights and interests of users.
Article 25 The state promotes the construction of a commercial cryptography testing and certification system, formulates technical specifications and rules for commercial cryptography testing and certification, and encourages commercial cryptography industry units to voluntarily accept commercial cryptography testing and certification to enhance market competitiveness.
Commercial cryptography testing and certification agencies shall obtain relevant qualifications in accordance with the law and carry out commercial cryptography testing and certification in accordance with the provisions of laws, administrative regulations, and technical specifications and rules for commercial cryptography testing and certification.
Commercial cryptography testing and certification agencies shall assume the obligation of confidentiality for state secrets and trade secrets that they learn about during commercial cryptography testing and certification.
Article 26 Commercial cryptography products related to national security, national economy and people's livelihood, and public interests shall be included in the catalog of key network equipment and dedicated network security products in accordance with the law. They may only be sold or provided after being tested and certified by qualified institutions. The testing and certification of commercial cryptography products shall apply the relevant provisions of the Cybersecurity Law of the People's Republic of China to avoid duplicate testing and certification.
Commercial cryptography services that use key network equipment and dedicated network security products shall be certified by a commercial cryptography certification agency.
Article 27 Operators of critical information infrastructure that are required to use commercial cryptography for protection under laws, administrative regulations, and relevant national regulations shall use commercial cryptography for protection and conduct commercial cryptography application security assessments themselves or entrust commercial cryptography testing agencies to do so. The commercial cryptography application security assessment shall be linked to the critical information infrastructure security detection and assessment and network security level evaluation system to avoid duplicate assessments and evaluations.
Operators of critical information infrastructure purchasing network products and services involving commercial cryptography that may affect national security shall undergo national security review organized by the national cyberspace administration department in conjunction with the national cryptography management department and other relevant departments, in accordance with the provisions of the Cybersecurity Law of the People's Republic of China.
Article 28 The state's commerce authorities and the national cryptography management department shall, in accordance with the law, implement import licenses for commercial cryptography involving national security and public interests and having encryption protection functions, and implement export controls for commercial cryptography involving national security, public interests, or international obligations assumed by China. The commercial cryptography import license list and export control list shall be formulated and published by the state's commerce authorities, together with the national cryptography management department and the General Administration of Customs.
Commercial cryptography used in mass consumer products shall not be subject to import licensing and export control systems.
Article 29 The national cryptography management department shall identify institutions that use commercial cryptography technology to engage in e-government and electronic certification services, and shall be responsible for the management of the use of electronic signatures and data messages in government activities, together with relevant departments.
Article 30 Industry associations and other organizations in the field of commercial cryptography shall, in accordance with the provisions of laws, administrative regulations, and their articles of association, provide information, technology, and training services to commercial cryptography industry units, guide and urge commercial cryptography industry units to conduct commercial cryptography activities in accordance with the law, strengthen industry self-discipline, promote industry integrity building, and promote healthy industry development.
Article 31 The cryptography management department and relevant departments shall establish a commercial cryptography in-process and post-process supervision system that combines daily supervision and random spot checks, establish a unified commercial cryptography supervision and management information platform, promote the linkage between in-process and post-process supervision and the social credit system, and strengthen self-discipline and social supervision of commercial cryptography industry units.
The cryptography management department and relevant departments and their staff shall not require commercial cryptography industry units and commercial cryptography testing and certification agencies to disclose source code and other proprietary information related to cryptography, and shall strictly protect trade secrets and personal privacy that they learn about in the performance of their duties, and shall not disclose or illegally provide them to others.
Chapter 4 Legal Liability
Article 32 Those who violate the provisions of Article 12 of this Law by stealing information protected by encryption, illegally intruding into other people's cryptography-protected systems, or using cryptography to engage in illegal activities that endanger national security, public interests, or the legitimate rights and interests of others shall be investigated for legal responsibility by relevant departments in accordance with the provisions of the Cybersecurity Law of the People's Republic of China and other relevant laws and administrative regulations.
Article 33 Those who violate the provisions of Article 14 of this Law by failing to use core cryptography and ordinary cryptography as required shall be ordered by the cryptography management department to correct or stop their illegal activities and be given a warning; in serious cases, the cryptography management department shall recommend that relevant state organs and units impose legal sanctions or disciplinary actions on the persons directly responsible and other directly responsible personnel.
Article 34 In case of core cryptography or ordinary cryptography leakage incidents in violation of the provisions of this Law, the state secrets protection administrative department and the cryptography management department shall recommend that relevant state organs and units impose legal sanctions or disciplinary actions on the persons directly responsible and other directly responsible personnel.
Where, in violation of the provisions of Article 17, paragraph 2 of this Law, a major problem or risk is discovered concerning the leakage of core cryptography and ordinary cryptography or affecting the security of core cryptography and ordinary cryptography, and immediate countermeasures are not taken or timely reporting is not done, the administrative department for state secrets and the cryptography management department shall recommend that the relevant state organs and units impose disciplinary actions or other handling in accordance with the law on the directly responsible persons in charge and other directly responsible personnel.
Article 35 Commercial cryptography testing and certification agencies that violate the provisions of Article 25, paragraphs 2 and 3 of this Law in conducting commercial cryptography testing and certification shall be ordered to correct or stop illegal activities by the market supervision and administration department in conjunction with the cryptography management department, and shall be given a warning, and illegal gains shall be confiscated; if the illegal gains exceed 300,000 yuan, a fine of one to three times the illegal gains may be imposed; if there are no illegal gains or the illegal gains are less than 300,000 yuan, a fine of 100,000 to 300,000 yuan may be imposed; in serious cases, the relevant qualifications shall be revoked in accordance with the law.
Article 36 Those who, in violation of the provisions of Article 26 of this Law, sell or provide commercial cryptography products that have not been tested and certified or that have failed to pass the test and certification, or provide commercial cryptography services that have not been certified or that have failed to pass the certification, shall be ordered to correct or stop illegal activities by the market supervision and administration department in conjunction with the cryptography management department, and shall be given a warning, and illegal products and illegal gains shall be confiscated; if the illegal gains exceed 100,000 yuan, a fine of one to three times the illegal gains may be imposed; if there are no illegal gains or the illegal gains are less than 100,000 yuan, a fine of 30,000 to 100,000 yuan may be imposed.
Article 37 Operators of critical information infrastructure who violate the provisions of Article 27, paragraph 1 of this Law by failing to use commercial cryptography as required or failing to conduct commercial cryptography application security assessments as required shall be ordered to correct the situation by the cryptography management department and shall be given a warning; if they refuse to correct the situation or cause consequences such as endangering network security, a fine of 100,000 to 1 million yuan shall be imposed, and a fine of 10,000 to 100,000 yuan shall be imposed on the directly responsible person in charge.
Operators of critical information infrastructure who violate the provisions of Article 27, paragraph 2 of this Law by using products or services that have not been subjected to security review or have failed the security review shall be ordered by the relevant competent authorities to stop using them, and shall be fined one to ten times the amount of the purchase; a fine of 10,000 to 100,000 yuan shall be imposed on the directly responsible person in charge and other directly responsible personnel.
Article 38 Those who import or export commercial cryptography in violation of the provisions on the implementation of import licenses and export controls in Article 28 of this Law shall be punished in accordance with the law by the competent department of commerce under the State Council or customs.
Article 39 Those who, in violation of the provisions of Article 29 of this Law, engage in e-government electronic certification services without certification shall be ordered to correct or stop illegal activities by the cryptography management department, and shall be given a warning, and illegal products and illegal gains shall be confiscated; if the illegal gains exceed 300,000 yuan, a fine of one to three times the illegal gains may be imposed; if there are no illegal gains or the illegal gains are less than 300,000 yuan, a fine of 100,000 to 300,000 yuan may be imposed.
Article 40 Staff members of the cryptography management department and relevant departments and units who abuse their power, neglect their duties, engage in malfeasance, or leak or illegally provide trade secrets and personal privacy learned in the performance of their duties shall be given disciplinary actions in accordance with the law.
Article 41 Those who violate the provisions of this Law and constitute a crime shall be investigated for criminal responsibility in accordance with the law; those who cause damage to others shall bear civil liability in accordance with the law.
Chapter 5 Supplementary Provisions
Article 42 The national cryptography management department shall formulate cryptography management regulations in accordance with the provisions of laws and administrative regulations.
Article 43 The management methods for cryptography work of the Chinese People's Liberation Army and the Chinese People's Armed Police Force shall be formulated by the Central Military Commission in accordance with this Law.
Article 44 This Law shall come into force on January 1, 2020.