From June 12 to 15, 2024, the first annual edition of the Standard Week organized by China’s National Cybersecurity Standardization Technical Committee (hereinafter referred to as SAC/TC260) was successfully held in Nanchang, Jiangxi province. The event encompassed a plenary meeting, 5 thematic forums, 2 training sessions, and working group meetings. The Standard Week is a major event in the field of cybersecurity, gathering numerous Chinese stakeholders to learn about the latest cybersecurity standardization topics and trends and to discuss specific cybersecurity standards. The attendees included SAC/TC260, government officials from the Cyberspace Administration of China and the Ministry of Industry and Information Technology, as well as industry representatives in this field.

Below is a summary of the key takeaways from this Standard Week:

  • Statistics: To date, SAC/TC260 has published 389 national standards covering the protection of critical information infrastructure, cybersecurity products, data security, etc. Internationally, SAC/TC260, as the mirroring organization of ISO/IEC JTC1/SC27, led the development of 59 international standards, accounting for 17% of the standards published by ISO/IEC JTC1/SC27. During the Standard Week, the working groups discussed 46 to-be-initiated standard projects, and promoted more than 50 standard projects currently under development.
  • Structural adjustment: SAC/TC260 has transferred its work in the Special Working Group for Big Data Standards (SWG-BDS) under WG8, a newly established working group dedicated to standards development in the field of data security and personal information protection. In addition, another working group has been established, namely SWG-ETS (Special Working Group for Emerging Technology Standards). The SWG-ETS will focus on the standardization of emerging technologies, including artificial intelligence, quantum computing, blockchain, and cloud computing. Its work will build on the instructions of relevant national policies or legislation.
  • Artificial intelligence:
    • Generative AI: Three national standards are being developed, namely: Basic security requirements for generative artificial intelligence services, Generative artificial intelligence data annotation security specification, and Security specification for generative artificial intelligence pre-training and fine-tuning data.
    • Standard system: SAC/TC260 has initiated the drafting of a standard system for AI security. Currently, three rounds of comment solicitation have been completed. Still, the standard system is in a preliminary stage, so SAC/TC260 welcomes the industry to actively provide inputs and contributions, with the aim of identifying the most urgent standards.
  • Quantum technology: Experts who participated in the meeting raised concerns about the threat posed by quantum computing in the post-quantum era and advised devoting more effort to this field. Currently, quantum-related standard development is discussed in WG5 and SWG-ETS. In particular, two international standards were discussed in the working group meeting, which will be adopted in China as identical versions:
    • ISO/IEC 23837-1 Information security — Security requirements, test and evaluation methods for quantum key distribution Part 1: Requirements
    • ISO/IEC 23837-2 Information security — Security requirements, test and evaluation methods for quantum key distribution Part 2: Evaluation and testing methods
  • Data security protection:
    • Data security technology — Requirements for data security protection. This standard, currently being developed by WG8, aims to support China’s classified and graded data security protection mechanism, complementing GB/T 43697-2024 Data security technology — Rules for data classification and grading, while integrating Information security technology — Security requirements for processing of key data by extending its requirements to core data and general data. Such a broad scope poses a challenge to the objective of the standard, which is to provide practical and comprehensive guidance for various industries.
    • Standards grading. To help stakeholders navigate among countless standards and clarify the role of each standard (and its specific articles), WG8 has classified all data security and personal information protection standards into three different levels: the basics, the advanced, and the excellent. The standards that directly support the legal obligations of the relevant stakeholders and reflect the baseline of data security are graded as the basics, whereas the other two levels represent higher-level requirements. The full framework translation will be provided by SESEC in the coming weeks, and published on the project’s
  • Security specifications for office devices: According to the secretariat, the 20230251-T-469 Cybersecurity technology—Security specifications for office devices is currently at the approval stage. The major concerns raised by foreign enterprises in China in the past regarding this standard, namely the political factors and the compulsory requirement for compliance with GB/T 29829, have been removed. According to European enterprises in China, the current version of the standard is acceptable and their concerns have been addressed.

In conclusion, the Standard Week provides a platform for broad discussions on cybersecurity standards, allowing relevant enterprises to share their experiences in terms of standards implementation. The focus of the next activities will be on increasing the alignment among standards, strengthening the supporting role of standards to legislation, as well as accelerating the standardization of emerging technology, as emphasized by Mr. Gao Lin, Head of the Cybersecurity Coordination Bureau at the Cyberspace Administration of China, in his speech during the plenary meeting.