China Issues Administration Regulation on the Use of Commercial Encryption in Critical Information Infrastructure

Published 7 July 2025 Xia Yu
Article 31 of the Cybersecurity Law of the People’s Republic of China requires the State Council to formulate relevant regulations to implement key protection of critical information infrastructure (“CII”). On 1 July 2025, the Cyberspace Administration of the People’s Republic of China (“CAC”) announced the Administration Regulation on the Use of Commercial Encryption in Critical Information Infrastructure (“Administration Regulation”), which will come into effect on 1 August 2025. The Administration Regulation governs the use of commercial encryption in CII and is intended to ensure its security. It contains 25 provisions, primarily covering the division of responsibilities, the obligations of operators, security assessment requirements, and legal liabilities.
The Regulation on Protecting the Security of Critical Information Infrastructure (“Protection Regulation”) defines CII as important network facilities and information systems that may seriously endanger national security, national economy and people’s livelihood, and public interests once they are destroyed, lose their functions, or their data is leaked. It mainly involves public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defense science and technology industry. According to the Regulation on the Administration of Commercial Cryptography, commercial encryption refers to technologies, products, and services that utilize specific transformation methods to encrypt and protect information that is not a state secret, and provide security authentication. In recent years, representative cases of the use of commercial encryption in CII in China include the application of cryptographic technology in the long-distance oil and gas pipelines of the National Pipeline Network Group in the energy field, the cryptographic protection of Guizhou Province's reservoir industrial control system in the water conservancy field, and data leakage prevention solutions for mobile terminals in Yunnan in the communications field.
The Administration Regulation further improves the management system for the use of commercial encryption in CII at the national, local, and industry levels. The Cybersecurity Law requires that, based on the cybersecurity graded protection system, the CAC shall coordinate and implement key protection measures for CII. The Protection Regulation provides that, under the overall coordination of the CAC, the Ministry of Public Security of the People’s Republic of China is responsible for guidance and supervision, and the telecommunications authorities and other relevant departments are responsible for the security protection and administration of CII within their respective responsibilities. The Administration Regulation further refines the management responsibilities by clarifying that the Cryptography Administration will take the lead and establish a sharing mechanism in conjunction with the CAC and the Ministry of Public Security. The industry protection departments, which are the supervisory and management departments responsible for the security protection of CII in their industries, are responsible for the use and management of commercial cryptography in CII in their respective fields.
Chapter III of the Protection Regulation specifically stipulates the obligations of operators of CII (“operators”). On this basis, the Administration Regulation further refines and expands the obligations of the operators. The Protection Regulation requires that security protection measures be planned, constructed, and used simultaneously with CII. The Administration Regulation provides that the operators shall conduct regular security assessments of this synchronization and report to the industry protection departments before 31 January each year. Regarding system guarantees, the Administration Regulation requires the establishment of management systems covering the use of commercial encryption, emergency response, and major event reporting. Regarding personnel guarantees, it provides that personnel who assume the duties of key administrators and cryptographic operators shall obtain cryptography-related professional qualifications or cryptography-related national professional skill level certifications, and personnel who assume the duties of cryptographic security auditors shall have professional security audit capabilities. Regarding funding guarantees for security assessments, it states that the funds shall be included in the network security and information technology funding arrangements. Moreover, it emphasizes the use of commercial encryption products and services that have been tested and certified, and the use of commercial encryption technologies such as cryptographic algorithms, cryptographic protocols, and key management mechanisms that have passed review and appraisal.
The Administration Regulation requires the operators to conduct commercial encryption application security assessments (“security assessments”) in accordance with the provisions of the Administrative Measures for the Security Assessment of Commercial Cryptography Application at all stages of CII: the planning stage, the construction stage, and the operation stage. During the planning stage, a security assessment shall be conducted on the formulated application plan. If the application plan needs to be adjusted during the construction process, a security assessment shall be conducted again. Before the operation, a security assessment shall be conducted. During operation, a security assessment shall be conducted at least once a year. If the security assessment fails, it shall not be used as the basis for the construction of the commercial encryption protection system, or it shall be modified. For CII that was under construction before the implementation of the Administration Regulation, the operators are required to build and improve the commercial encryption protection system. For CII that has already been put into operation, a security assessment shall also be conducted every year.
In terms of legal liability, the Administration Regulation expands the scope of illegal acts and the types of penalties. Article 39 of the Protection Regulation lists ten types of illegal acts for which the operator may be fined more than RMB100,000 (equivalent to US$14,000) but less than RMB1 million (equivalent to US$0.14 million). The Administration Regulation expands this category of violations to include the use of commercial encryption products and services that have not been tested and certified, the use of commercial encryption technologies such as encryption algorithms, encryption protocols, and key management mechanisms that have not passed the review and appraisal, and the failure to conduct the security assessments at all stages of CII following the above requirements. Meanwhile, the Administration Regulation also lists new penalties. For example, Article 20 stipulates that the penalties for using network products or services involving commercial encryption that have not been reviewed or have failed the security assessments include a fine of more than one time but less than ten times the purchase amount.
In conclusion, the Administration Regulation improves the supervision and management system of commercial encryption use in CII. It requires that commercial encryption products and services used in CII be tested and certified, commercial encryption technology be reviewed and identified, and security assessments be conducted regularly.