Cryptographic Module for PLC Controllers Plus Other Three Products Are Added to China Commercial Cryptography Product Certification Catalogue

On March 19, 2025, China’s State Administration for Market Regulation (SAMR) and the Office of State Cryptography Administration (OSCCA) jointly released the Commercial Cryptography Product Certification Catalogue (Third Batch). This announcement marks a significant step forward in expanding the scope of mandatory certification for commercial cryptographic products in line with the Cryptography Law of the People’s Republic of China.

The third batch aims to strengthen the implementation of cryptographic certification, promote product standardization, and better address the evolving needs of industry and information security. Issued pursuant to the Implementation Opinions on Carrying Out Commercial Cryptography Testing and Certification Work (SAMR & OSCCA Joint Document No. 50 [2020]), this batch officially takes effect from the date of its release.

Products Listed in the Third Batch

The newly added product categories reflect China’s continued focus on identity-based encryption, secure industrial control, and modern communication protocols. They include:

1. Key Management System Based on SM9 Identity-Based Cryptography Algorithm
— A system managing identity keys using the SM9 algorithm.
Standard: GM/T 0086Technical Specification for Key Management System Based on SM9 Identity-Based Cryptography Algorithm

2. Cryptographic Module for PLC Controllers
— A cryptographic device integrated into industrial PLC control systems for key storage and secure communication.
Standards: GM/T 0119 Technical Specification for Cryptographic Application in PLC Control Systems and Controllers; GM/T 0028 Technical Requirements for Cryptographic Module Security

3. DTLCP Cryptographic Module
— A module that establishes secure communication based on the Datagram Transport Layer Cryptographic Protocol.
Standards: GM/T 0128 Specification for Datagram Transport Layer Cryptographic Protocol; GM/T 0028 Technical Requirements for Cryptographic Module Security

4. SSH Client and Server Cryptographic Modules
— Devices that enable secure remote login and encrypted network services based on the SSH protocol.
Standards: GM/T 0129 Specification for SSH Cryptographic Protocol; GM/T 0028 Technical Requirements for Cryptographic Module Security

The cryptographic algorithms used in the above products shall comply with the national cryptography administration requirements, including but not limited to the following standards:

GM/T 0001 Zuchongzhi Sequence Cryptographic Algorithm
GM/T 0002 SM4 Block Cipher Algorithm
GM/T 0003 SM2 Elliptic Curve Public Key Cryptographic Algorithm
GM/T 0004 SM3 Cryptographic Hash Algorithm
GM/T 0009 Specification for the Use of the SM2 Cryptographic Algorithm
GM/T 0010 Encryption and Signature Message Syntax Specification of the SM2 Cryptographic Algorithm
GM/T 0044 SM9 Identity-Based Cryptographic Algorithm

Random number testing for the above products shall follow the standards:

GM/T 0005 Specification for Randomness Testing
GM/T 0062 Requirements for Random Number Testing of Cryptographic Products

Unless otherwise specified, the latest version of the above standards (including all amendments) shall apply in principle.

Some Background Information for Commercial Cryptography Product Certification Catalogue in China

The Commercial Cryptography Product Certification Catalogue is a regulatory list jointly maintained by SAMR and OSCCA. It defines specific categories of commercial cryptographic products that are subject to mandatory testing and certification before they can be legally sold, used, or integrated into government or critical infrastructure systems.

These include hardware, software, and systems providing encryption, decryption, digital signatures, authentication, and key management functionalities. They are intended to protect public, commercial, and personal data—excluding state secrets. Common products include secure communication modules, encryption chips, digital certificate systems, and key management platforms.

According to Article 26, 27 and 36 of China’s Cryptography Law, commercial cryptographic products listed in the certification catalogue must undergo certification when:

Procured by government agencies.
Deployed in critical information infrastructure(e.g., finance, energy, telecom);
Incorporated into systems covered by national Multi-Level Protection Scheme (MLPS);
Required by the cryptography administration for security assurance.

The intention of certification ensures that cryptographic products meet security, performance, and interoperability standards, enhancing trust and security in sensitive applications.

In current practice, in China, Commercial Cryptography Product Certification is The National Voluntary Certification (国推自愿认证), and the authority hopes the certification should be compulsory for the above-mentioned scenarios. The whole certification system has many indigenous requirements and de facto difficult for the products made by non- indigenous companies. However, whether the products actually need to make such certification- even if they are in the Commercial Cryptography Product Certification Catalogue– depends on the requests from users of the cryptography products.

[Note: The National Voluntary Certification (国推自愿认证) refers to a government-promoted voluntary conformity assessment scheme in China, implemented to guide quality improvement and support regulatory alignment.]

Different sectors in China now have different implementations for this subject. For example, all the financial organizations like banks need their products with Commercial Cryptography Product Certificates, more and more are required for automotives Industries, while other sectors still did not ask the certifications yet.

China has released three batches of the catalogue to this date:

First Batch (2020): Included 22 foundational product categories, such as cryptographic modules, secure keyboards, VPN devices, and digital signature servers.
Second Batch (2022): Added 6 emerging categories including trusted modules, cloud cryptography, random number generators, and blockchain components.
Third Batch (2025): Introduced identity-based encryption systems, industrial controller modules, and SSH/DTLCP security devices.

The catalogue is supported by: