The Cryptography Law of China came into force on 1 January 2020. The Law aims...


The Cryptography Law of China

March 2, 2020

Overview of the Law

The Cryptography Law of China (the Law), which came into force on 1 January 2020, aims to ensure network and information security, preserve national security and protect the interests of individuals and organisations in China, including by prohibiting the trespass of protected systems, theft of cryptographic information and illegal use of cryptography that compromise national security or the public interest.  The Law also promotes the growth of the cryptography industry by directing the Chinese government to strengthen the talent pool and support research programs.  The State Cryptography Administration shall be responsible for the management of the Law.

What is Cryptography?

The Law defines “cryptography” as technologies, products and services that perform security authentication or utilise specified transformation methods to encrypt information.

The Law classifies cryptography into three categories: core cryptography, common cryptography and commercial cryptography.

Core and Common Cryptography

Core and common cryptography refer to cryptography that is used to protect top secret and secret state secret information, respectively.  

The Law requires core and common cryptography work bodies – entities engaged in research, production, service, testing, furnishing, use or destruction of core and common cryptography – to:

  • put in place strict security systems and measures to ensure the security of core and common cryptography; and
  • promptly report discovered leaks of, or potential risks impacting, core or common cryptography security to the departments for secrecy administration and for cryptography management and take immediate response measures;

Commercial Cryptography

Commercial cryptography refers to cryptography for protecting non-state secret information.  In using commercial cryptography, national security, public interest or other people’s lawful rights must not be endangered.

The Law establishes a principle of non-discrimination to give equal treatment to all units that research, produce, sell, service, import or export commercial cryptography – i.e., commercial cryptography units (including foreign investment enterprises) and prohibits administrative organs from forcing the transfer of commercial cryptography technology through administrative measures.

Under the Law:

  • commercial cryptography units must comply with technical requirements under applicable laws and regulations;
  • commercial cryptography products that involve national security or welfare, people’s livelihood or public interest must pass testing and certification according to the Cybersecurity Law before they are sold;
  • commercial cryptography services that use critical network equipment and specialised cybersecurity products must be certified by a commercial cryptography certification body;
  • critical information infrastructures required to use commercial cryptography protections must undergo security assessments; and
  • import licensing and export control requirements apply to commercial cryptography that involves national security or public interest.

Penalties for Non-Compliance

Failure to comply with the Law may result in sanctions or pecuniary penalties.  For example, failure to take immediate response measures or report the discovery of data leaks relating to core or common cryptography may lead to sanctions or punishments for the managers and personnel responsible.  In addition, selling or providing uncertified commercial cryptography products or services may lead to pecuniary penalties of up to three times the unlawful gains, or between RMB30,000 to RMB100,000 for cases without unlawful gains.

Disclaimer: This article is for general information only and does not constitute legal advice.


Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.