Regulations on the Management of Commercial Cryptography
（ (Promulgated by the State Council Order No. 273 on October 7, 1999)

Chapter 1 General     Provisions

Article 1   These Regulations are formulated to strengthen the management of commercial cryptography, protect information security, protect the legitimate rights and interests of citizens and organizations, and maintain national security and interests.

Article 2   As used in these Regulations, "commercial cryptography" refers to the cryptographic techniques and cryptographic products used to encrypt and protect information not involving state secrets or for secure authentication.

Article 3   Commercial cryptography techniques are state secrets. The state implements specialized control over the research, production, sales, and use of commercial cryptographic products.

Article 4   The State Cryptography Administration and its office (hereinafter referred to as the State Cryptography Administration) is in charge of the national management of commercial cryptography. The institutions in charge of cryptography management in provinces, autonomous regions, and municipalities directly under the Central Government shall undertake relevant management work of commercial cryptography as entrusted by the State Cryptography Administration.

Chapter 2 Management of Research and Production

Article 5   Research tasks on commercial cryptography shall be undertaken by units designated by the State Cryptography Administration. Designated research units for commercial cryptography must have the corresponding technical strength and equipment, be able to adopt advanced coding theories and technologies, and the commercial cryptographic algorithms developed must have high security strength and anti-attack capability.

Article 6   The research results of commercial cryptography shall be reviewed and appraised by experts organized by the State Cryptography Administration in accordance with commercial cryptography technical standards and specifications.

Article 7   Commercial cryptographic products shall be produced by units designated by the State Cryptography Administration. No unit or individual may produce commercial cryptographic products without designation. Designated production units of commercial cryptographic products must have the technical strength suitable for producing commercial cryptographic products, as well as the equipment, production processes, and quality assurance systems to ensure the quality of commercial cryptographic products.

Article 8   The varieties and models of commercial cryptographic products produced by designated production units of commercial cryptographic products must be approved by the State Cryptography Administration, and they must not exceed the approved scope of production of commercial cryptographic products.

Article 9   Commercial cryptographic products must pass the inspection and qualification certification of the product quality inspection institutions designated by the State Cryptography Administration.

Chapter 3 Sales Management

Article 10   Commercial cryptographic products shall be sold by units permitted by the State Cryptography Administration. No unit or individual may sell commercial cryptographic products without permission.

Article 11   The sale of commercial cryptographic products requires an application to the State Cryptography Administration, and must meet the following conditions: :

(1) Personnel familiar with commercial cryptographic products and capable of providing after-sales service;

(2) A complete set of sales service and security management regulations;

(3) Independent legal person qualifications. Units that pass the examination shall be issued a "Commercial Cryptographic Product Sales License" by the State Cryptography Administration.

Article 12   When selling commercial cryptographic products, the names (names), addresses (residential addresses), organization codes (resident identity card numbers), and the purpose of each commercial cryptographic product must be truthfully registered, and the registration information shall be reported to the State Cryptography Administration for the record.

Article 13   The import of cryptographic products and equipment containing cryptographic technologies, as well as the export of commercial cryptographic products, must be approved by the State Cryptography Administration. No unit or individual may sell cryptographic products from outside China.

Chapter 4 Usage Management

Article 14   Any unit or individual may only use commercial cryptographic products recognized by the State Cryptography Administration, and may not use self-developed or foreign-produced cryptographic products.

Article 15   Foreign organizations or individuals using cryptographic products or equipment containing cryptographic technologies within the territory of China must obtain approval from the State Cryptography Administration ; however, this does not apply to foreign diplomatic missions and consular agencies in China.

Article 16   Users of commercial cryptographic products may not transfer the commercial cryptographic products they use. In case of malfunction, commercial cryptographic products must be repaired by units designated by the State Cryptography Administration. The scrapping and destruction of commercial cryptographic products shall be reported to the State Cryptography Administration for the record.

Chapter 5 Security and Confidentiality Management

Article 17   The research and production of commercial cryptographic products should be conducted in an environment that meets security and confidentiality requirements. The sale, transportation, and storage of commercial cryptographic products should adopt appropriate security measures. Units and personnel engaged in the research, production, and sale of commercial cryptographic products, as well as those using commercial cryptographic products, must assume the obligation of confidentiality for the commercial cryptographic technologies they come into contact with and master.

Article 18   The publicity and public exhibition of commercial cryptographic products must be approved by the State Cryptography Administration in advance.

Article 19   No unit or individual may illegally attack commercial cryptography, or use commercial cryptography to endanger national security and interests, social order, or engage in other illegal and criminal activities.

Chapter 6 Penalties

Article 20   Those who commit any of the following acts shall have their cryptographic products confiscated by the State Cryptography Administration in conjunction with the Administration for Industry and Commerce, Customs, and other departments as appropriate. If there are illegal gains, the illegal gains shall be confiscated ; in serious cases, a fine of 1 to 3 times the illegal gains may also be imposed:

(1) Unauthorized production of commercial cryptographic products, or production of commercial cryptographic products by designated production units exceeding the approved scope;

(ii) Unauthorized sales of commercial cryptographic products;

(iii) Unauthorized import of cryptographic products and equipment containing cryptographic technology, export of commercial cryptographic products, or sale of cryptographic products outside the country. Units that sell commercial cryptographic products with permission but fail to comply with regulations will be warned and ordered to correct their actions by the State Cryptography Administration in conjunction with the Administration for Industry and Commerce.

Article 21   For any of the following acts, the State Cryptography Administration, in conjunction with the public security and national security organs, will issue warnings and orders for immediate correction, depending on the specific circumstances. :

(i) Violation of safety and secrecy regulations during the research and development or production of commercial cryptographic products;

(ii) Failure to take appropriate security measures when selling, transporting, or storing commercial cryptographic products;

(iii) Unauthorized publicity or public exhibition of commercial cryptographic products;

(iv) Unauthorized transfer of commercial cryptographic products or failure to have commercial cryptographic products repaired by units designated by the State Cryptography Administration. In cases of serious violations involving the use of self-developed or foreign-produced cryptographic products, the transfer of commercial cryptographic products, or failure to have commercial cryptographic products repaired by units designated by the State Cryptography Administration, the State Cryptography Administration, in conjunction with the public security and national security organs, will confiscate the cryptographic products, depending on the specific circumstances.

Article 22   If research, production, or sales units of commercial cryptographic products commit acts listed in Articles 20 and 21(i), (ii), and (iii) that cause serious consequences, the State Cryptography Administration will revoke their designated research and production unit qualifications and revoke their "Commercial Cryptographic Product Sales License". (一)、(二)、(三)项所列行为，造成严重后果的，由国家密码管理机构撤销其指定科研、生产单位资格，吊销《商用密码产品销售许可证》。

Article 23. In cases where the leakage of commercial cryptographic technology secrets, illegal attacks on commercial cryptography, or the use of commercial cryptography to engage in activities that endanger national security and interests are serious enough to constitute a crime, criminal liability will be pursued in accordance with the law. In cases where the acts listed in the preceding paragraph do not constitute a crime, the State Cryptography Administration, in conjunction with the national security organs or the secrecy departments, will confiscate the commercial cryptographic products used, depending on the specific circumstances; those who have endangered national security will be subjected to administrative detention by the national security organs according to law. ; State functionaries will also be given administrative sanctions according to law.

Article 24   If foreign organizations or individuals, without authorization, use cryptographic products or equipment containing cryptographic technology, the State Cryptography Administration, in conjunction with the public security organs, will issue a warning and order for correction, and may also confiscate the cryptographic products or equipment containing cryptographic technology.

Article 25   If personnel of the commercial cryptography administration abuse their power, neglect their duties, or engage in malfeasance, and such actions constitute a crime, criminal liability will be pursued in accordance with the law ; if they do not constitute a crime, they will be subject to administrative sanctions according to law.

Chapter Seven Appendix     Provisions

Article 26   The State Cryptography Committee may formulate relevant management regulations in accordance with this regulation.

Article 27   This regulation shall come into effect from the date of its promulgation.