On 17 April 2023, several ministerial departments jointly released the Announcement on Adjusting the Security Management of Specialized Cybersecurity Products (hereinafter referred to the Announcement).

The main purpose of the Announcement is to strengthen the security management of specialized cybersecurity products via new standards developed in 2022, and promote the mutual recognition of certification, thus avoiding repetitive product testing and certification. The Announcement is in line with the requirements set in the 23rd Article of the Cybersecurity Law which specifically outlines requirements for (i) mandatory compliance with national standards, (ii) certification carried out by qualified bodies, and (iii) establishment of a specialized cybersecurity product catalogue. Consequently, in accordance with those requirements, relevant ministries published a series of notices and announcements, including the Cybersecurity Product Catalogue (first batch), the Catalogue for Certification and Testing Bodies (first batch), and the notice of unified announcement of certification and testing results. The newly-released Announcement, which will become effective on 1 July 2023, is an official notice for enforcing the new rules for supplying specialized cybersecurity products.

The detailed adjustments made in the newly-released Announcement are summarized as follows:

  1. From 1 July 2023, the specialized cybersecurity products listed in the Cybersecurity Product Catalogue (first batch) shall be sold or suppliedonly after they pass the security certification, thus meeting the mandatory security testing requirements of the qualified bodies stipulated in GB 42250-2022 Information security technology—Security technical requirements for specialized cybersecurity products (to be effective from 1 July 2023). Qualified bodies refer to those bodies listed in the Catalogue for Certification and Testing Bodies (first batch). CAC, MIIT, MPS, and CNCA are responsible for updating the product catalogue of critical network devices and specialized cybersecurity products, and the catalogue of qualified certification and testing bodies.
  2. From 1 July 2023, China will cease to issue the “Sales License for Specialized Productsin Computer Information System”: relevant product manufacturers will not need to apply anymore, while those that have already obtained the Sales License may continue to sell or supply the products within the validity period of the license.
  3. From 1 July 2023, the Announcement onAdjusting the Implementation Requirements of Mandatory Certification of Information Security Products and the Notice on the Implementation of Government Procurement of Information Security Products will no longer be enforced.
  4. CAC, together with MIIT, MPS and CNCA, shall publicly publish, update and disclose the listsof critical network devices and specialized cybersecurity products that meet the requirements.

In short, the Announcement is a predictable move of the Chinese administration in managing the security of specialized cybersecurity products – as indicated in the Cybersecurity Law. Relevant foreign stakeholders are advised to closely analyze GB 42250-2022, and carry out product testing and certification as required.