On 12 October 2023, the State Cryptography Administration (SCA) of China released the Measures for the Administration of Commercial Cryptography Testing Institutions (hereinafter referred to as the Measures), which will be enforced from 1 November 2023. The Measures were developed in line with the requirements of the Cryptography Law and the newly revised Regulation on the Administration of Commercial Cryptography. Their purpose is to regulate the relevant testing and certification bodies. In addition, the Measures include provisions regulating and managing the operations of institutions that perform security assessments of commercial cryptography applications, thus providing support to the Measures for the Administration of the Security Assessment of Commercial Cryptography Application.

In general, the Measures put forward clear requirements for the accreditation, supervision and management of testing institutions. These are highly significant for standardizing the market access and professional behavior of testing institutions, and thus for promoting the healthy development of the commercial cryptography testing industry. The following is a summary of the main content of the Measures:

  • General requirements:
    • Definition of the scope of application, including the accreditation, supervision and management of commercial cryptography product testing institutions and commercial cryptography application security assessment institutions.
    • Definition of the regulatory system. The SCA is responsible for the accreditation, supervision and management of commercial cryptography testing institutions across the country. Local cryptography administration departments at or above the county level shall be responsible for the supervision and administration of commercial cryptography testing institutions within their respective jurisdictions.
  • Conditions and procedures for accreditation, specifically including:
    • Legal basis for the accreditation of commercial cryptography testing
    • Requirements for accreditation.
    • Procedures for accreditation, including application, acceptance, review, decision, and certification.
    • Other relevant requirements such as accreditation change, continuation and cancellation.
  • Practicing specifications:
    • Code of conduct that commercial cryptography testing institutions and related practitioners should abide by.
    • Specific requirements for testing activities, including test reports, data and sample management, information submission, and testing behavior.
  • Supervision and inspection, and legal liability:
    • Requirements for cryptography administration departments in terms of supervision, inspection and disclosure of results (i.e. publicizing the supervision and inspection results, uploading the penalty information and submitting the supervision and inspection result to the SCA).
    • Illegal situations and legal responsibility of commercial cryptography testing
    • Responsibilities and obligations of commercial cryptography testing institutions in supervising and managing the information publicity and personnel.
  • Other matters, including the implementation timeline of the Measures.