China’s Cybersecurity Law requires certain Cyper Critical Equipment and Cybersecurity-specific Products security products to go through a certification process before being marketed in China. On June 9, 2017, the Cyberspace Administration of China (“CAC”), together with three other agencies, released a catalogue of Cyber Critical Equipment and Cybersecurity-Specific Products (Batch 1). On June 19, 2018, the Certification and Accreditation Administration of China (CNCA) announced a list of 16 agencies that will undertake security testing and security certification. On July 2, 2018, CNCA announced the implementation rules with immediate effectiveness, CCIS mark as a new mandatory certification mark will be applied to the equipment and products in the scope.
The CAC specified that this is the first “batch” of equipment and products to be covered in a such a catalog, so more are expected to be announced in the future.
This is a separate requirement from the procurement-related cybersecurity review, which mandates a cybersecurity review of network products or services procured by operators of Critical Information Infrastructure, if such procurement potentially affects China’s national security .
Also since 1997, “computer information system security products,” which are defined to include “hardware and software designed to protect information system security,” have had to pass a technical review by the Ministry of Public Security (“MPS”) before they can be marketed in China. The Cybersecurity Law seeks to consolidate the existing review requirements and agencies are required to issue a comprehensive catalog of approved products.
Please feel free to contact with SRQ China at Jessie.meng@srqchina.com to get more details on the implementation rules.