On 30 October 2022, the technical committee of national information security standardization (TC 260) released the List of Approved Projects in 2022 for National Cybersecurity Standards (hereinafter referred to as the List). As detailed in the Annex below, the List contains 30 standardization projects in total, among which 17 standards are to be newly formulated, and 13 to be revised. The standards cover various areas, such as cryptography technology, authentication and authorization, information security evaluation, information security management, and big data security management.

Specifically, the standards listed reflect TC 260's support for China's data security mechanisms outlined in the Data Security Law, which emphasize data grading and classification, data security risk assessment, and government data security. Such standards include: Security requirements for processing of key data; Risk assessment method for data security; Capacity requirements for assessment organization of data security; Security requirements for government data processing; etc. Beyond the Data Security Law, the approved standardization projects also involve personal data processing, such as Certification requirements for cross-border transmission of personal information and Security requirements for processing of sensitive personal information.

Furthermore, the List includes the controversial standard project of Security specification for office devices (see SESEC's news article about its draft). Based on the standard's draft released in April, relevant clauses demand that office device providers be established within China, fully onshore their supply chain, and employ "politically-correct" third parties. These clauses might reduce the possibilities for overseas device providers to participate in government procurement in China. Consequently, the draft aroused worries from major overseas providers. Despite this, China's authorities are determined to go ahead. The standardization project is now officially initiated, and it remains to be seen whether relevant articles and clauses in the draft will be softened or maintained.

In short, the standardization projects listed in the following table have been officially initiated. Relevant enterprises and organizations will, under the leadership of TC 260, proceed with the drafting work and solicit public opinions once it is completed.

Annex: List of Approved Projects in 2022 for National Cybersecurity Standards.