Order of the President of the People's Republic of China
No. 35
The Cryptography Law of the People's Republic of China, adopted at the 14th Meeting of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on October 26, 2019, is hereby promulgated and shall enter into force as of January 1, 2020.
Xi Jinping
President of the People's Republic of China
October 26, 2019
Cryptography Law of the People's Republic of China
(Adopted at the 14th Meeting of the Standing Committee of the Thirteenth National People's Congress on October 26, 2019)
Contents
Chapter I General Provisions
Chapter II Core Cryptography and Common Cryptography
Chapter III Commercial Cryptography
Chapter IV Legal Liability
Chapter V Supplementary Provisions
Chapter I General Provisions
Article 1 This Law is enacted for the purpose of regulating the application and administration of cryptography, promoting the development of cryptography work, ensuring cyber and information security, safeguarding national security and public interests, and protecting the legitimate rights and interests of citizens, legal persons and other organizations.
Article 2 For the purpose of this Law, "cryptography" refers to technologies, products, and services utilized for encryption protection and security authentication on information and the like by using specific transformation methods.
Article 3 Cryptography work shall adhere to a holistic approach to national security, and be in conformity with the principles of unified leadership, hierarchical responsibilities, innovation and development, serving the overall picture, law-based administration, and ensuring security.
Article 4 Cryptography work shall adhere to the leadership of the Communist Party of China. The central leading authority of cryptography work shall uniformly lead nationwide cryptography work, develop national major guidelines and policies for cryptography work, coordinate national significant affairs and tasks concerning cryptography, and promote the rule of law in the national cryptography development.
Article 5 The national cryptography administrative department shall be charge of the nationwide cryptography work. Local cryptography administrative departments at or above the county level shall be charge of cryptography work within their respective administrative areas.
State organs and other entities relating to cryptography work shall be responsible for the cryptography work of their own organs, entities or systems within the scope of their responsibilities.
Article 6 The State shall implement classified administration of cryptography.
Cryptography shall be classified into core cryptography, common cryptography and commercial cryptography.
Article 7 Core cryptography and common cryptography shall be used to secure State secret information. The highest level of information protected by core cryptography shall be top secret, and the highest level of information protected by common cryptography shall be secret.
Core cryptography and common cryptography are State secrets. Cryptography administrative departments shall implement strict and unified administration for core cryptography and common cryptography in accordance with this Law, other relevant laws, administrative regulations, and State provisions.
Article 8 Commercial cryptography shall be used to protect the information that does not involve anything of State secret.
Citizens, legal persons and other organizations may use commercial cryptography to protect cyber and information security in accordance with law.
Article 9 The State encourages and supports research in and application of cryptography science and technology, protects the intellectual property rights concerning cryptography in accordance with law, and facilitates the progress and innovation in cryptography science and technology.
The State shall strengthen the cultivation and development of cryptography talent teams. The State commends and rewards organizations or individuals that have conducted outstanding contributions to cryptography work in accordance with the relevant State provisions.
Article 10 The State shall take various measures to strengthen public education in cryptography security, incorporate the education of cryptography security into the national education system and public servant education and training system, and enhance the awareness of cryptography security of citizens, legal persons and other organizations.
Article 11 The people's government at or above the county level shall incorporate cryptography work into the corresponding national economic and social development plan, and incorporate required funds into the fiscal budget of the corresponding level.
Article 12 No organization or individual may steal encrypted information or illegally intrude into the cryptography-protected system of others.
No organization or individual may use cryptography to engage in activities endangering national security or public interests or the legitimate rights and interests of others, or other illegal or criminal activities.
Chapter II Core Cryptography and Common Cryptography
Article 13 The State shall strengthen the scientific planning, management and utilization of core cryptography and common cryptography, enhance system building, improve management measures, and enhance cryptography security and protection capability.
Article 14 State secrets that are transmitted in wired or wireless communication and information systems that store or process State secrets shall be encrypted or authenticated using core cryptography or common cryptography in accordance with relevant laws, administrative regulations, and State provisions.
Article 15 The institutions engaged in scientific research, production, service, testing, equipment, utilizing or destruction of core cryptography and common cryptography (hereinafter collectively referred to as "cryptography working institutions") shall establish and improve the security management system, take strict confidential measures and responsibilities to ensure the security of core cryptography and common cryptography in accordance with relevant laws, administrative regulations, State provisions, and the requirements in core cryptography and common cryptography standards.
Article 16 Cryptography administrative departments shall guide, supervise, and inspect the core cryptography and common cryptography work of cryptography working institutions in accordance with law, and the said institutions shall cooperate.
Article 17 Cryptography administrative departments shall establish core-cryptography-and-common-cryptography-related coordination mechanisms in conjunction with relevant departments based on the needs of work, conducting security surveillance and alert, security risks assessment, information reporting, critical issue consultation, and emergency response to ensure the coordination and efficiency of core cryptography and common cryptography security administration.
If a cryptography working institution detects a core cryptography or common cryptography leak or a major problem or serious risk affecting the security of core cryptography or common cryptography, the institution shall immediately take measures to resolve it and report to the confidentiality administrative department and the cryptography administrative department. The confidentiality administrative department and the cryptography administrative department shall, in conjunction with relevant departments, organize the investigation and response, and guide the relevant cryptography working institution to eliminate security risks in a timely manner.
Article 18 The State shall strengthen the construction of cryptography working institutions to ensure that they fulfill their responsibilities.
The State shall establish the personnel management systems in respect of recruitment, selection, confidentiality, evaluation, training, treatment, award and punishment, exchange and withdrawal, which adapt to the needs of core cryptography and common cryptography work.
Article 19 Cryptography administrative departments may, based on the needs of work and in accordance with relevant State provisions, ask the public security, transport, customs or other relevant departments for privileges such as inspection exemptions on items and personnel related to core cryptography and common cryptography, and the relevant departments shall cooperate.
Article 20 Cryptography administrative departments and cryptography working institutions shall establish and improve strict supervision and security review mechanisms, oversee staff members as to their compliance with laws and disciplines, and take necessary measures to regularly or irregularly organize security review in accordance with law.
Chapter III Commercial Cryptography
Article 21 The State encourages the research, development, academic exchange, transfer and application of commercial cryptography technology, facilitates a unified, open, competitive, and orderly commercial cryptography market environment, encourages and promotes the development of commercial cryptography industry.
People's governments at various levels and their relevant departments shall follow the non-discrimination principle and provide equal treatment in accordance with law, to all entities, including foreign invested enterprises, which engage in scientific research, production, sale, service, import and export of commercial cryptography (hereinafter collectively referred to as "commercial cryptography entities"). The State encourages foreign investors to cooperate in commercial cryptography technology based on voluntariness and commercial rules. Administrative departments and their staff members shall not force the transfer of commercial cryptography technology by administrative means.
The research, production, sale, service, import and export of commercial cryptography shall not endanger national security, public interests, or the legitimate rights and interests of others.
Article 22 The State establishes and improves the system of commercial cryptography standards.
The standardization administrative department of the State Council and the national cryptography administrative department shall organize the development of national standards and industry standards for commercial cryptography according to their respective responsibilities.
The State supports social organizations and enterprises in using independent innovative technologies to develop association standards or enterprise standards for commercial cryptography that are stricter than relevant technical requirements of national standards or industry standards.
Article 23 The State promotes participation in international standardization activities concerning commercial cryptography and in the development of international standards for commercial cryptography, and advances the conversion between Chinese standards and foreign standards for better application.
The State encourages enterprises, social organizations, educational institutions, scientific research institutes and other organizations to participate in international standardization activities concerning commercial cryptography.