On Jul. 1, CHI CAC issued provisions re commercial cryptography.
CHI CAC issued Provisions on the use and administration of commercial cryptography in critical information infrastructure (CII) to strengthen cybersecurity, data protection.
Outline of Provisions
National and sectoral regulators must guide, supervise cryptography use, with annual reports due by Mar. 31; operators must report usage, evaluations annually by Jan. 31.
Operators must plan, build, operate cryptography systems in sync with infrastructure development, conduct regular security evaluations, rectify failures before operation.
Internal systems for cryptography use, emergency response, incident reporting must be in place, with designated, trained staff responsible for key management, auditing.
Certified cryptographic products and approved technologies must be used; any purchases affecting national security require a cybersecurity review.
Operators must protect core data, personal information using cryptographic measures.
Operators must also include cryptography-related expenses in their cybersecurity budgets and integrate evaluations with other regulatory assessments to avoid duplication.
Authorities may inspect cryptography use but cannot charge fees or require use of specific products; operators must cooperate and report corrective actions.
Violations may lead to warnings, fines (up to CNY 1mn for entities), or penalties for responsible personnel; serious cases may result in business suspension.
Effectiveness
The published Provisions are effective from Aug. 1, 2025.
Regulators
CHI CAC
Entity Types
Corp
Reference
RN CAC No. 5, 7/1/2025; ESG
Functions
Audit; BCS; Compliance; C-Suite; Cyber; Exams; Financial; HR; Legal; Operations; Privacy; Record Retention; Reporting; Risk; Technology; Training