Cryptography Law of the People's Republic of China

Updated: 2019-10-26

Article 24  Commercial cryptography entities shall, when engaging in activities involving commercial cryptography, comply with the technical requirements prescribed in relevant laws, administrative regulations, mandatory national standards for commercial cryptography and the standards published by such entities themselves. 

The State encourages commercial cryptography entities to adopt voluntary national standards and industry standards for commercial cryptography to enhance commercial cryptography protection capability and safeguard the legitimate interests of users. 

Article 25  The State facilitates the development of the commercial cryptography testing and certification system, formulates the technical specifications and rules for commercial cryptography testing and certification, and encourages commercial cryptography entities to have their cryptography tested and certified on a voluntary basis to boost their market competitiveness. 

Commercial cryptography testing and certification bodies shall obtain relevant qualifications in accordance with law, and conduct commercial cryptography testing and certification in compliance with the laws, administrative regulations, and the technical specifications and rules for commercial cryptography testing and certification. 

Commercial cryptography testing and certification bodies shall have the duty to keep confidential any State and commercial secrets learned in the course of commercial cryptography testing and certification.

Article 26  Commercial cryptography products which concern national security, national welfare and people's livelihood, or public interests shall be listed in the catalog of critical network equipment and specialized cyber security products in accordance with law, and be sold or provided for use provided that they have passed the testing and certification conducted by qualified testing and certification bodies. The testing and certification on commercial cryptography products shall be in compliance with relevant provisions of the Cyber Security Law of the People's Republic of China, and repeated testing and certification shall be avoided.

Commercial cryptography service using critical network equipment and specialized cyber security products shall pass the certification conducted by a commercial cryptography certification body.

Article 27  Operators of critical information infrastructure shall adopt commercial cryptography to protect such infrastructure if so required by relevant laws, administrative regulations, and State provisions, and shall conduct application security assessment on commercial cryptography by themselves or by entrusting a commercial cryptography testing body. Commercial cryptography application security assessment shall be coordinated with both critical information infrastructure security testing and assessment system and classified cyber security assessment system to avoid repeated testing and assessment.

Where operators of critical information infrastructure purchase network products and services involving commercial cryptography that may affect national security, such products and services shall be subject to the national security review by the national cyberspace administrative department in conjunction with the national cryptography administrative department and other relevant departments in accordance with the Cyber Security Law of the People's Republic of China.

Article 28  The competent department in charge of commerce under the State Council and the national cryptography administrative department shall, in accordance with law, apply import licensing to commercial cryptography which has encryption functionality and concerns national security or public interests, and shall apply export control to commercial cryptography which concerns national security or public interests or which entails international obligations on China. The import licensing list and export control list of commercial cryptography shall be formulated and published by the competent department in charge of commerce under the State Council in conjunction with the national cryptography administrative department and the General Administration of Customs.

Import licensing and export control shall not be applied to commercial cryptography used in mass consumption products.

Article 29  The national cryptography administrative department shall be responsible for the approval of institutions using commercial cryptography technologies to engage in electronic certification service for E-Government activities, and shall, in conjunction with relevant departments, be responsible for the administration of the use of electronic signatures and data messages in administrative activities. 

Article 30  Organizations such as commercial cryptography industry associations shall, in accordance with laws, administrative regulations, and their articles of association, provide information, technology, training and other services for commercial cryptography entities, guide and supervise commercial cryptography entities to conduct commercial cryptography activities in accordance with law, improve industry self-discipline and integrity, and promote the healthy development of the industry.

Article 31  Cryptography administrative departments and relevant departments shall establish the mechanism of both in-process and ex-post supervision on commercial cryptography, which combines routine supervision with random inspection, and shall establish a unified information platform for supervision and administration on commercial cryptography, coordinate the in-process and ex-post supervision mechanism and the social credit system, strengthen the self-discipline of commercial cryptography entities and public supervision.

Cryptography administrative departments and other relevant departments, as well as their staff members shall not require commercial cryptography entities or commercial cryptography testing and certification bodies to reveal source code or other cryptography-related proprietary information, and shall strictly keep confidential the trade secrets and individual privacy learned in the course of performing their duty, and shall not disclose or illegally provide such information to others.

Chapter IV Legal Liability

Article 32  In case of a violation of Article 12 of this Law by stealing encrypted information, illegally intruding into the cryptography-protected system of others, or using cryptography to engage in activities endangering national security or public interests or the legitimate rights and interests of others, or other illegal activities, the relevant department shall investigate the legal liability in accordance with the Cyber Security Law or other relevant laws or administrative regulations.

Article 33  In case of a violation of Article 14 of this Law and failure in using core cryptography or common cryptography as required, the cryptography administrative department shall give an order of correction or ceasing the illegal activities, and shall issue a warning. Where the circumstances are serious, the cryptography administrative department shall recommend the relevant State organ or entity to impose punishment on the persons in charge who are directly responsible and the other persons who are directly responsible in accordance with law.

Article 34  In case of a core cryptography or common cryptography leak in violation of this Law, the confidentiality administrative department and the cryptography administrative department shall recommend the relevant State organ or entity to impose punishment on the persons in charge who are directly responsible and the other persons who are directly responsible in accordance with law. 

In case of a violation of the second paragraph of Article 17 of this Law and failure in taking measures immediately or reporting the situation upon detecting a core cryptography or common cryptography leak or a major problem or serious risk affecting the security of core cryptography or common cryptography in a timely manner, the confidentiality administrative department and the cryptography administrative department shall recommend the relevant State organ or entity to impose punishment on the persons in charge who are directly responsible and the other persons who are directly responsible in accordance with law. 

Article 35  Where a commercial cryptography testing or certification body conducts commercial testing and certification in violation of the second or third paragraph of Article 25 of this Law, the market supervision administration shall, in conjunction with the cryptography administrative department, order the said commercial cryptography testing or certification body to make correction or cease the illegal activities, and shall issue a warning and confiscate the illegal gains. Where the amount of illegal gains is RMB 300,000 yuan and above, a fine of not less than one time but not more than three times the amount of illegal gains may be concurrently imposed; where there are no illegal gains or the amount of illegal gains is less than RMB 300,000 yuan, a fine of not less than RMB 100,000 yuan but not more than RMB 300,000 yuan may be concurrently imposed; where the circumstances are serious, the relevant qualifications shall be revoked in accordance with law.

Article 36  Where an untested, uncertified or unqualified commercial cryptography product is sold or provided, or uncertified or unqualified commercial cryptography service is provided in violation of Article 26 of this Law, the market supervision administration shall, in conjunction with the cryptography administrative department, give an order of correction or ceasing the illegal activities, and shall issue a warning and confiscate the illegal products and gains. Where the amount of illegal gains is RMB 100,000 yuan or more, a fine of not less than one time but not more than three times the amount of illegal gains may be concurrently imposed; where there are no illegal gains or the amount of illegal gains is less than RMB 100,000 yuan, a fine of not less than RMB 30,000 yuan but not more than RMB 100,000 yuan may be concurrently imposed.

Article 37  Where an operator of critical information infrastructure, in violation of the first paragraph of Article 27 of this Law, fails to use commercial cryptography as required, or fails to conduct security assessment on commercial cryptography as required, the cryptography administrative department shall give an order of correction and issue a warning; where the operator refuses to make correction, or the violation has endangered cyber security or caused other results, a fine of not less than RMB 100,000 yuan but not more than RMB 1,000,000 yuan shall be imposed, and a fine of not less than RMB 10,000 yuan but not more than RMB 100,000 yuan shall be imposed upon the persons in charge who are directly responsible. 

Where an operator of critical information infrastructure, in violation of the second paragraph of Article 27 of this Law, uses products or services which have not been subjected to or have failed to pass the security review, the relevant administrative department in charge shall order the operator to stop using such products or services, and shall impose a fine of not less than one time but not more than ten times the value of the purchase amount, and a fine of not less than RMB 10,000 yuan but not more than RMB 100,000 yuan upon the persons in charge who are directly responsible and the other persons who are directly responsible. 

Article 38  Where the import or export of commercial cryptography is in violation of Article 28 of this Law on import licensing and export control, a punishment shall be imposed in accordance with law by the competent department in charge of commerce under the State Council or the customs. 

Article 39  In case of a violation of Article 29 of this Law and engagement in electronic certification service for E-government activities without approval, the cryptography administrative department shall give an order of correction or ceasing the illegal activities, and shall issue a warning and confiscate the illegal products and gains. Where the amount of illegal gains is RMB 300,000 yuan or more, a fine of not less than one time but not more than three times the amount of illegal gains may be concurrently imposed; where there are no illegal gains or the amount of illegal gains is less than RMB 300,000 yuan, a fine of not less than RMB 100,000 yuan but not more than RMB 300,000 yuan may be concurrently imposed.

Article 40  Where, in cryptography work, a staff member of cryptography administrative departments or other relevant departments or entities abuses his or her power, neglects his or her duties or practices favoritism for personal gain, or discloses or illegally provides to others trade secrets or individual privacy he or she has learned in the course of performing his or her duty, the said staff member shall be punished in accordance with law.

Article 41  Where a person or entity violates the provisions of this Law, if a crime is constituted, he or it shall be investigated for criminal responsibility in accordance with law; and shall bear civil liability in accordance with law if damage is caused to others.

Chapter V Supplementary Provisions

Article 42  The national cryptography administrative department shall formulate rules of cryptography administration in accordance with laws and administrative regulations. 

Article 43  The Central Military Commission shall formulate measures for cryptography administration of the Chinese People's Liberation Army and the Chinese People's Armed Police Force in accordance with this Law. 

Article 44  This Law shall enter into force as of January 1, 2020.



Copyright © The National People's Congress of the People's Republic of China. All Rights Reserved. Presented by China Daily.