New rules governing the testing and certification of critical security products are published

China

On 19 June 2018, two announcements were jointly published by the PRC authorities, which provide welcome clarification on the testing and certification scheme for critical network equipment and specialised network security products under the PRC Cybersecurity Law. It is hoped that the Announcement on Releasing the List of Entities Undertaking Security Certification and Testing of Critical Network Equipment and Specialised Network Security Products (First Batch) (“Entities Announcement”) and the Announcement on the Requirements for Implementation of Security Certification of Critical Network Equipment and Specialised Network Security Products (“Certification Implementing Announcement”) will improve coordination between existing cybersecurity assessment schemes managed by different ministries.

The Entities Announcement was jointly published by the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology, the Ministry of Public Security and the Certification and Accreditation Administration (“CNCA”). It provides a list of 16 accredited entities that can undertake security testing or certification of Critical Network Equipment and Specialised Network Security Products (the “Products”). Under Article 23 of the Cybersecurity Law, before Products can be sold or provided, they must meet certain mandatory requirements and be security tested or certified by a qualified institution. However, although the authorities published a Catalogue in 2017 of the types of Products to be regulated, including routers, web-application firewalls and rack-mounted servers, it was unclear until now which institutions were qualified.

In addition, the Certification Implementing Announcement, jointly published by the CAC and the CNCA, sets out new information on the certification regime. It states that:

  • Product manufacturers who choose security certification for a Product should submit a security certification application to an accredited certification body.
  • Certification bodies will use the Rules on the Implementation of Security Certification of Critical Network Equipment and Specialised Network Security Product when certifying a Product. These rules are yet to be released by the CNCA.
  • Manufacturers who already hold a valid product certificate issued by an accredited certification body may apply directly to that certification body to have a security certificate reissued.
  • Certification bodies must report their certification results to the CNCA, including any valid results that they certified prior to the announcement.

The two announcements provide important information on the certification and safety testing regime for Critical Network Equipment and Specialised Network Security Products. However, additional rules are still pending release. Product manufacturers are advised to carefully watch for developments and to update their procedures to follow the newly specified regime.