On November 21, 2025, Cybersecurity Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT), drafted a new China Cybersecurity Labeling Management Measures (hereafter referred to as the Measure), which aims to enhance the cybersecurity resilience of internet-connected products and safeguarding consumer rights. The Measure was released for public comments until December 6, 2025. According to the Measure, China Cybersecurity Label (CCL) means an information label that reflects the cybersecurity capability level of the product itself, applying to products with internet connectivity functions and subject to a catalog-based management system for specific products.

Under the voluntary scheme, manufacturers of eligible products may apply for a CCL to indicate the device’s level of cybersecurity capability. The label will feature a star-based rating system:

  • One star (Basic Level): Meets fundamental national standards, requiring the prohibition of weak/default passwords, vulnerability management, and regular software updates.
  • Two stars (Enhanced Level): Reflects domestically advanced cybersecurity performance.
  • Three stars (Leading Level): Represents internationally advanced capability, including resistance to high-level cyber-attacks through penetration testing.

A CCL will include key details including producer name, product model, cybersecurity level, validity period, testing lab name, standard/technical file number, and a QR code linking to test reports and compliance statements. The specific design of the label for each product category shall be defined in the corresponding implementation rules and may be appropriately adapted from the basic format according to the actual form of the product. The CCL basic format is shown below:

Manufacturers must conduct cybersecurity capability testing in accordance with implementation rules. Products aiming for one- or two-star ratings may use in-house labs or accredited third-party testing agencies, while three-star products must undergo penetration testing by qualified third parties. According to the Measures, the China Electronics Standardization Institute (CESI) is tasked with setting up a Cybersecurity Label Filing Platform. After obtaining the necessary test reports, manufacturers will be required to submit their applications online through this platform.

CAC and MIIT will supervise labeling compliance. Violations – such as false claims, label misuse, or submission of fraudulent test reports – may lead to label revocation, public announcements, and a one-year ban from re-filing. Meanwhile, the accompanying draft catalog specifies the first product category to be covered: CSL 001—2025: Consumer Internet-Connected Cameras, which applies to devices purchased and used by individuals and families for audio-video capture and processing, excluding those used in public security fields. Notably, products already classified as critical network equipment or dedicated cybersecurity products under existing regulations will not be included in the labeling catalog. SESEC will keep monitoring the Measure’s final version.

 

Chinese source of the article: https://www.cac.gov.cn/2025-11/21/c_1765450099503494.htm