Database

Imported and exported encryption products must be certified by the Office of State Commercial Cryptography Administration (OSCCA). The use of encryption products without OSCCA certification is prohibited, regardless of public, commercial or individual nature of use.

However, it is reported that, in practice, only Chinese or Chinese-owned companies are eligible for OSCCA certification to sell, produce and carry out R&D for encryption technology in China, as well as to gain product licensing. Foreign or foreign-owned companies, even if they are incorporated in China, are excluded.

In 2007, OSCCA started to consider products such as Trusted Platform Module (used in computers) or smartcards (used in banking, insurance, health, transport, etc.) as core encryption products. As a result, such products could no longer be produced or sold by foreign or foreign-invested companies.

Without a sales certificate provided by the China’s National Commission on Encryption Code Regulations (NCECR), it is illegal to sell products using Commercial Encryption Codes (CEC). It is also prohibited to use CEC products not certified by the NCECR. The public promotion and/or exhibition of CEC products must be reported to and approved by the NCECR in advance.

To obtain the certificate, the company must fulfill three requirements:
- They must be staffed with personnel who are knowledgeable in CEC product information and capable of providing post‑sales services;
- They must be able to provide full sales services and be equipped with safety regulations;
- They must also have the rights of an independent juridical unit.

The Ministry of Industry and Information Technology (MIIT), in concert with the State Encryption Management Bureau, informally announced in early 2012 that only domestically developed encryption algorithms, such as ZUC, would be allowed for use in the network equipment (mobile base stations) and mobile devices comprising 4G TD-LTE networks in China. In addition, an industry analysis published by MIIT suggests that burdensome and invasive testing procedures threatening companies’ sensitive intellectual property could be required.

Although a globally accepted standard (3GPP) already exists, ZUC is de facto often required in order to enter the Chinese market, along with invasive testing requirements (source code review). These requirements are potentially violating bilateral commitments with the US and a commitment that China made to its trading partners in 2000 stating that China would permit the use of foreign encryption standards in IT and telecommunication hardware and software for commercial use and that it would only impose strict “Chinese-only” encryption requirements on specialized IT products whose “core function” is encryption.

A locally developed encryption standard (WAPI) is required to be used in all wireless equipment despite existing international standard IEEE 802.11i.

Imported and exported encryption products must be certified by the Office of State Commercial Cryptography Administration (OSCCA). The use of encryption products without OSCCA certification is prohibited, regardless of public, commercial or individual nature of use.

However, it is reported that, in practice, only Chinese or Chinese-owned companies are eligible for OSCCA certification to sell, produce and carry out R&D for encryption technology in China, as well as to gain product licensing. Foreign or foreign-owned companies, even if based in China, are excluded.

In 2007, OSCCA started to consider products such as Trusted Platform Module (used in computers) or smartcards (used in banking, insurance, health, transport, etc.) as core encryption products. As a result, such products could no longer be produced or sold by foreign or foreign-invested companies.

The Multi-level protection scheme (MLPS) introduced by the Ministry of Public Security prohibits government authorities with IT systems classified as "critical infrastructure" to purchase and incorporate foreign IT products. The MLPS requires all IT systems in China to be classified on different levels of security, from one to five (with the most sensitive systems designated as level 5).

MLPS regulations bar Chinese information systems graded level three and above from incorporating foreign products. Systems labeled as grade level three and above, for instance, must solely contain products developed by Chinese information security companies and their key components must bear Chinese intellectual property. Companies making systems labeled as grade level three and above must disclose product source codes, encryption keys, and other confidential business information.

To date, government agencies, firms in China’s financial sector, Chinese telecommunications companies, Chinese companies operating the domestic power grid, educational institutions, and hospitals in China have issued hundreds of request for proposals (RFPs) incorporating MLPS requirements. By incorporating level three requirements, many RFPs rule out the purchase of foreign products.

Since 2009, Administration of Quality Supervision, Inspection, and Quarantine (AQSIQ) bureaus have greater authority to conduct on-site investigations and increase penalties for non-compliance.

The regulations add more categories of non-compliance and refine and expand penalties. They also penalize companies that counterfeit or sells CCC marks or use canceled or expired certification documents. The revised regulations also raise fines for some violations—the fine for companies that are certified but do not apply CCC labels to their products has doubled to ¥20,000 ($2,928). The new provisions specify a five-year validity period for CCC certification and require a company to apply for an extension within 90 days of expiration.

China’s current certification requirements for telecommunications equipment are reported to conflict with its WTO obligations of limiting imported products to no more than one conformity assessment scheme and requiring the same mark for all products (Article 13.4(a) of China’s WTO Accession).

China has three different licensing regimes: the Radio Type Approval (RTA), the Network Access License (NAL) and the China Compulsory Certification (CCC). Therefore, for a given piece of equipment, it can cost between USD 30,000-35,000 to test for all three licenses (RTA, NAL, and CCC). The CCC mark is used for both Chinese and foreign products. Moreover, all testing for the CCC mark must be conducted in China and US exporters are often required to submit their products to Chinese laboratories for additional tests.

The CCC certificate and permission of printing the CCC mark must be renewed annually as part of a follow-up certification. Part of the follow-up certification is also a one-day factory audit.

China is also reported as having limitations on foreign invested conformity assessment bodies in country.

The National Security Law foresees the rollout of a “secure and controllable” internet infrastructure. The official Xinhua news agency said the new law, signed by President Xi Jinping, would establish “mechanisms to censor items that have or may have an impact on national security, including foreign investment, particular materials and key technologies”. The law appears vagues about how the new requirements will be implemented, and it has raised concerns related to legal uncertainty for businesses.

Companies have expressed concerns about duplication of safety certification requirements, particularly for radio and telecommunications equipment, medical equipment, and automobiles, which result in increased costs and slow down of product introduction in the market.

Twelve categories of ICT products and nine categories of telecommunication equipment are subject to compulsory EMC and safety regulation. Whether EMC, safety only or both tests are required depends on the certification guidelines for a particular product. Suppliers' declaration of conformity is not sufficient, while certification by a third party and/or certification by a government agency is not accepted unless the third party meets the requirements prescribed in Articles 10 and 11 of the Regulations of People's Republic of China on Certification and Accreditation.

Moreover, China retains the right to reconfirm sample machines or conduct tests on inconsistent items.

U.S. companies report that China is applying the China Compulsory Certification (CCC) mark requirement inconsistently and that many Chinese produced goods continue to be sold without the mark.

It is reported that most of the standards are drafted by the Chinese government alone, without foreign or public input. Even if foreign companies are allowed to sit in on the drafting process, they do not have a vote when the technical committees actually vote on a draft standard.

China is also increasingly developing and mandating national algorithms for its encryption technology that differ from global standards. These standards are developed in technical committees that are closed to foreign participation.

The Chinese government has also supported the development of mandated domestic radio frequency identification (RFID) standards, without international participation or consensus, despite the fact that global standards for RFID already exist.

China imposes a set of export restrictions, including export duties and export quotas, on selected raw materials: graphite, cobalt, copper, lead, chromium, magnesia, talcum, tantalum, tin, antimony and indium. Some of these raw materials (e.g. graphite, copper, tin, and indium) are used to produce smartphones and batteries. The export restrictions limit access to these products for companies outside China.

In July 2016, the EU launched a case at the WTO against China’s restrictions on export of these raw materials. Previously, the EU had already won two WTO cases in 2012 and 2014 on similar measures concerning different rare earths which were also key inputs for a multitude of products including advanced electronics.

China limits exports of advanced drones and supercomputers for national security reasons. Affected vendors will have to apply for a government permit to ship their technology outside China.

On 13 February 2012, the Chinese State Administration of Radio, Film and Television (SARFT) tightened the regulation for foreign TV and online streaming content. The regulation includes a ban of foreign TV shows and films between 7.30pm and 10pm. Furthermore, at most 25% of all TV series can be foreign made. Finally, Chinese internet companies can only stream up to 30% of foreign content. The measure can be seen as some sort of cultural conservation, but the President Hu Jintao confirmed that the regulations "were aimed at giving the domestic television industry a leg up on Asian competition".