China Revises Draft of its Electronic Certification Service Management Measures
Published 12 September 2024
Yu Du
On 2 September 2024, the Ministry of Industry and Information Technology (MIIT) issued the draft revision of the Electronic Certification Service Management Measures (the Measures) for public comment until 3 October 2024. The Measures were first enacted in 2005 and subsequently revised in 2009 and 2015. These regulations have provided a legal basis for regulating the administrative licensing and supervision of electronic certification services, contributing significantly to the development of the industry. However, issues such as the non-compliance of some service providers, including holding a license without conducting business, have emerged. Therefore, the revision of the Measures is both a response to these pressing industry issues and a practical step toward promoting high-quality development in the electronic certification service sector.
Key Revisions in the Draft
The revised Measures adopt a new structural framework consisting of eight chapters, each addressing different aspects of electronic certification services. The major changes are as follows:
1. Clarification of Regulatory Scope
The revised draft clearly outlines the scope of electronic certification services subject to regulatory oversight. Specifically, it defines the services that fall under the regulation, with a particular focus on the issuance of electronic signature authentication certificates. This ensures that only those services involving third-party verification of electronic signatures are regulated, while activities solely for identity verification purposes fall outside the scope of the Measures.
2. Enhancement of CA Institutions’ Capabilities
The revision adjusts the application requirements for certification authorities (CAs). These adjustments include stricter qualifications, such as requiring a minimum registered capital of RMB 70 million, a dedicated technical team of no fewer than 60 professionals, and appropriate facilities to support secure operations. Additionally, the revised draft streamlines the administrative approval process by optimizing the review and evaluation procedures. It also sets forth conditions under which a CA’s license can be modified, including changes in organizational structure, technical systems, or service capacity.
3. Strengthening the Responsibilities of CA Institutions
The draft emphasizes the duties of CA institutions, specifying their obligations in service delivery. CA institutions must now establish clear internal protocols for processing electronic signature certificates and are prohibited from delegating critical operations to third parties. Further, they are required to set up service outlets in each province or region where they operate, ensuring adequate and localized support for users.
4. Improvement of the Regulatory Mechanism
The revision leverages advancements in information technology to enhance regulatory oversight. It proposes the integration of an information-driven supervision system, enabling real-time monitoring and reporting of CA activities. A coordinated regulatory framework is also established, involving both national and provincial regulatory bodies working together to ensure consistent oversight. Additionally, the draft introduces a comprehensive complaint and reporting mechanism, allowing the public and stakeholders to raise concerns about non-compliance, which will be addressed in a timely and structured manner.
5. Standardization of Administrative Penalties
The revised Measures standardize penalties for non-compliance, offering a clear framework for administrative enforcement. New provisions outline penalties for failing to meet essential requirements, such as not reporting significant operational changes, failing to file certificate chains with the regulatory authority, or not updating certificates in a timely manner. Violations may result in warnings, fines ranging from several thousand to tens of thousands of RMB, or in severe cases, the revocation of the CA’s license.
6. Introduction of an Exit Mechanism
For the first time, the draft includes a formal exit mechanism for non-compliant institutions. Through credit punishment measures, CA institutions that violate regulations or fail to meet operational standards can face industry restrictions or even be prohibited from offering electronic certification services. This mechanism also includes provisions for CA institutions to withdraw from the industry voluntarily, ensuring that there is a structured handover of business to other compliant entities and minimizing disruptions to users.
7. Cross-Border Recognition of Certificates
The draft introduces a clear process for recognizing foreign electronic signature certificates. Institutions seeking cross-border recognition must submit detailed documentation outlining the foreign CA’s qualifications, the type of certificate, technical standards, and the application scenarios for the certificate. The MIIT will review these materials and, if they meet the required standards, approve the foreign certificate for use within China. This procedure ensures that foreign electronic signature certificates comply with Chinese regulatory standards, thereby promoting international cooperation while safeguarding security.
[Comment]
The revisions to the Electronic Certification Service Management Measures provide a more structured and transparent regulatory framework. By addressing existing shortcomings in compliance and service quality, the revised Measures aim to foster a healthier business environment for electronic certification service providers. For companies, these changes potentially enhance trust in electronic transactions. Further, improving the security and reliability of electronic certification services contributes to the broader goal of digital transformation, encouraging the adoption of electronic signatures in business and legal transactions.