On April 10, 2026, The Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) have jointly issued the final version of the China Cybersecurity Labeling Management Measures. The document will take effect on July 1, 2026.
A comparison between the final text and the previously released draft (see more details from our previous news coverage) reveals several notable changes, primarily focused on strengthening enforcement and accountability.
The most significant revision is the inclusion of the MPS as a co-issuing and co-regulating authority. While the draft version only named the CAC and MIIT as the lead agencies, the final measure officially brings the MPS into the regulatory framework. Accordingly, local-level oversight now involves public security bureaus alongside cyberspace and telecommunications authorities. This change transforms the system from an industry-focused initiative into a cross-sector enforcement mechanism.
Furthermore, the final version establishes a more structured process for addressing violations. Unlike the draft, which mainly authorized the designated filing agency (China Electronics Standardization Institute) to address non-compliance, the final measure explicitly states that violations such as falsifying test results or misusing cybersecurity labels will be subject to legal penalties under the Cybersecurity Law and the Measures for the Supervision and Administration of Inspection and Testing Institutions. Local authorities are now required to jointly investigate and handle violations, rather than merely notifying the filing agency.
To further deter non-compliance, the final measure introduces a credit-based disciplinary mechanism. Entities found in violation will have their records entered into the National Credit Information Sharing Platform, potentially affecting their long-term standing across sectors.
The final measures maintain the core design of the draft. Cybersecurity labels are classified into three tiers: Basic (one star), Enhanced (two stars), and Leading (three stars), each with distinct security capability requirements. Producers participate voluntarily, and consumers are encouraged to prefer labeled products.
A comparison of the draft and final versions reveals three key implications for European enterprises. First, while producer participation remains voluntary, enforcement has been significantly strengthened, with violations leading to penalties under the Cybersecurity Law and national credit records. Second, enterprises must rigorously audit local testing partners to avoid liability for third-party fraud. Third, achieving higher-tier labels offers a competitive edge as Chinese consumers increasingly prioritize data security.
Source: https://www.cac.gov.cn/2026-04/10/c_1777558393316312.htm
