On 16 April, the China Electronic Standardization Institute (CESI), the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), the National Information Security Research Center (NISRC), and three local officer device enterprises, jointly submitted to TC260/WG5 a new standard proposal: Information security technology – security specification for office devices. The new standard proposal aims to replace two currently effective standards used to ensure the information security of office devices, namely GB/T29244-2012 Information security technology – Basic security requirements for office devices, and GB/T 38558-2020 Information security technology – Security test method for office devices – which had both been adopted by the IT Product Information Security Certification owned by the China Cybersecurity Review Technology and Certification Centre.

The proposal remarks the need to adopt a new standard, as GB/T29244-2012 and GB/T 38558-2020 can no longer meet the needs of printing technology which is constantly iterating and updating; at the same time, the two current standards do not address aspects such as potential risks in supply chain, hardware, application software, data security, etc. Therefore, the proposed standard highlights a series of measures to mitigate such risks, in particular supply chain security. Specifically, the Draft stipulates that officer devices providers shall:

  • Complete the design, development, production, delivery, operation, and maintenance of office devices within China, and use key components that are designed and manufactured in China. These key components include, but are not limited to, main control chips, laser scanner assembly, capacitance, resistance, motor, etc.
  • Employ third party technologies for office devices, chips, engine, materials, software authorization, update, and technical support services, that do not have records of supply chain disruptions originating from political, diplomacy, trade or service capability factors.

It is evident that these requirements, if enacted, would rule out the possibility for overseas office devices providers to participate in government procurement in China, as most of their products rely heavily on overseas components. Furthermore, the standard also applies to critical information infrastructure operators, a concept that has not been clearly defined and determined so far. Many overseas manufactures suspect that their businesses with more state-owned enterprises could be negatively affected by this standard once adopted in government procurement and commercial bidding projects in the future.  Therefore, relevant European office device manufacturers and vendors should actively engage with TC260 and submit comments on the standard proposal, aimed at mitigating its potential future impact.