On September, 29, 2024, China officially released the national recommended standard GB/T 29244-2024 Cybersecurity technology—Security specifications for office devices (hereinafter referred to as the Standard). According to the Standard, an office device refers to the equipment with one or more functions such as printing, scanning, faxing, and copying. This Standard specifies the security function requirements, security assurance requirements, and evaluation methods for office devices. It applies to the procurement, testing and evaluation, maintenance and management, security design, delivery, and operation of office devices.

The initial draft of the standard, which had been previously circulated, included provisions that limited the participation of foreign suppliers in government procurement in China, introduced politically sensitive elements, and mandated the use of China’s Trusted Cryptography Module (TCM). Consequently, the initial draft proposal raised significant concerns among overseas office device manufacturers. Following rounds of discussions and revisions, the revised draft of the Standard has become more feasible for foreign suppliers, with most discriminatory provisions removed. The following is a summary of the key adjustments addressing the initial concerns:

  1. The provisions that would have excluded foreign office devices providers from government procurement have been
  2. Politically sensitive elements, such as the requirement stating that “third-party technologies supply disruption shall not occur due to political or diplomatic factors”, have been deleted.
  3. The application of TCMand compliance with related standard GB/T 29829-2022 Information security technology—Functionality and interface specification of cryptographic support platform for trusted computing, has been made optional.

The first two concerns were addressed in the draft for comments released in 2023. Since then, therefore, subsequent discussions primarily focused on the necessity and feasibility of mandatory TCM application. At present, mainstream foreign IT manufacturers and standard organizations have established a technical specification system centered on the Trusted Platform Module (TPM). However, for security concerns, China established a trusted computing cryptography group in 2006, aiming to develop a trusted computing technology system with independent intellectual property rights. In December 2007, China issued the Functionality and interface specification of cryptographic support platform for trusted computing, the predecessor of GB/T 29829-2022. Since then, China’s Trusted infrastructure Module has been defined as TCM. In 2023, foreign office devices suppliers opposed the mandatory compliance with GB/T 29829, arguing that it would impose excessive costs by requiring replacement of TPM with TCM in medium- and high-level office devices. As the final version of the Standard makes TCM application optional, this major concern has been addressed.

In a summary, the newly published standard GB/T 29244-2024 Cybersecurity technology—Security specifications for office devices, removed the negative clauses against overseas’ manufacturers and therefore can be accepted and implemented without technical barriers to trade.