How do China’s Information Security Laws Affect You?

By Paul Milton

The Chinese information security market is ever-changing, and the rules and regulations surrounding it may seem like a moving target. Identifying these standards and understanding how they can work for your business is a key to success in the China market.

The China Certification of Information Security (CCIS) mark is required for all information security products used by the Chinese state agencies, and is voluntary for other information security products. China Compulsory Certification, or CCC, is required for many international products looking to enter the Chinese market; other factors, such as local requirements and potential uses of the device, could add the CCIS requirement, even for products not intended for government procurement.

Product Categories

CCIS certification is granted by the Chinese Information Security Certification Centre (ISCCC), which sets eight categories of information security equipment that require the certification:

  • Border security: Firewalls*; line selectors and network security separated cards; security isolation and information exchange products*
  • Communication security: Secure routers*
  • Authentication and access control: Smart card chip operating systems*
  • Data security: Data backup and recovery products; secure operating systems*; secure database systems*
  • Content security: Anti-spam products
  • Valuation, audit, and control: Intrusion detection systems; network vulnerability scanning products; security audit products
  • Application security: Website recovery products

*The product types marked with an asterisk require cipher testing by the Office of the State Commercial Cryptography Administration (OSCCA), which must be completed before obtaining CCIS certification. However, Chinese regulations on encryption products often present challenges.

In certain cases, China may invoke local ownership or investment regulations. The Multi-Level Protection Scheme (MLPS) in China is used to protect Chinese national security, but is often viewed as a way to protect certain local industries from international competition. Chinese regulations require any information security products classified by MLPS as level three or higher to be invested or owned by Chinese citizens or companies, which presents a challenge for international information security companies.

Encryption products are often subject to additional scrutiny and regulation. The real-world application of these regulations is that Chinese-owned companies run the encryption technology market, and foreign developers and engineers face high barriers to market entry.

Depending on the type of information security product involved, additional certifications might be necessary. For example, products that connect to a public telecommunications network require Network Access License certification, and products that use radio transmitters require Radio Type Approval certification.

Regulated testing and inspections

IT products must undergo local testing at a Chinese government-accredited test laboratory, according to OSCCA requirements, where experts check the product specifications against applicable Chinese and international standards. Once the testing is complete, the report is sent to the ISCCC for review and approval.

Chinese information security laws also require international manufacturers to submit to an ISCCC factory inspection. ISCCC officials inspect the factory, ensuring products are up to standards and product conformity regulations are met. The manufacturer is typically responsible for the cost of the inspection, including travel expenses and day fees for inspection staff.

Challenges for businesses

In certain areas of China, products must meet local cybersecurity and information technology standards in addition to the national CCIS standards, according to The Software Alliance. After the product is CCIS certified, it might be valuable to consult with a compliance or certification agency to ensure products are up to international, national, and local standards.

It remains to be seen if China will keep a tight hold on IT products coming into the country. But for now, the best way to stay on top of local and national regulations is to study the product categories, figure out where you fit in, and work with a compliance agency with an established relationship with Chinese authorities.


About the author: Paul Milton is the CEO of G&M Compliance, a full-service compliance and certification agency headquartered in Orange, Calif. G&M Compliance specializes in getting certifications fast, and they have helped clients sell products in China, Europe, India, and around the world since 1997. With technical expertise, industry knowledge, and valuable connections, G&M certify a wide range of products, including challenging certifications like wireless products, IT equipment, and automotive products.
