---
title_en: "Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure"
title_zh: "关键信息基础设施商用密码使用管理规定"
abbreviation: "CII Commercial Cryptography Provisions"
hierarchy: "rule"
issuing_body: "State Cryptography Administration; Cyberspace Administration of China"
adopted_date: 2025-06-11
effective_date: 2025-08-01
status: "effective"
related_laws: ["cii-protection-regulations"]
domains: ["critical-information-infrastructure", "data-security"]
url: https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions/
summary: "Departmental rule (State Cryptography Administration / CAC / Ministry of Public Security Order No. 5) requiring operators of critical information infrastructure (CII) to use commercial cryptography to protect their CII, and to plan, build and operate commercial-cryptography assurance systems concurrently with the CII itself. It mandates commercial-cryptography application security assessments at the planning, construction and operation stages (at least annually once in operation), requires the use of certified commercial-cryptography products and State-vetted algorithms, sets staffing and funding requirements (key administrators, cipher operators, security auditors), imposes annual reporting duties, and provides penalties of up to RMB 1,000,000. Effective August 1, 2025."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure", https://datacompliancechina.com/laws/cii-commercial-cryptography-provisions/
**Promulgated by:** State Cryptography Administration; Cyberspace Administration of China; Ministry of Public Security.  
**Document No.:** Order of the State Cryptography Administration, the Cyberspace Administration of China and the Ministry of Public Security No. 5.  
**Reviewed and adopted at the executive meeting of the State Cryptography Administration on April 21, 2025, and approved by the Cyberspace Administration of China and the Ministry of Public Security. Promulgated on June 11, 2025. Effective August 1, 2025.**

---

**Article 1.** These Provisions are formulated pursuant to the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure, the Regulations on the Administration of Network Data Security and other relevant laws and administrative regulations, in order to regulate the use of commercial cryptography in critical information infrastructure and protect the security of critical information infrastructure.

**Article 2.** These Provisions shall apply to the administration of the use of commercial cryptography in critical information infrastructure that is identified in accordance with the Cybersecurity Law of the People's Republic of China, the Regulations on the Security Protection of Critical Information Infrastructure and other laws, administrative regulations and the relevant provisions of the State.

**Article 3.** The national cryptography administration department, in conjunction with the national cyberspace administration department and the public security department of the State Council, shall be responsible for the planning, guidance and supervision of the administration of the use of commercial cryptography in critical information infrastructure throughout the country, and shall establish an information-sharing mechanism for the administration of the use of commercial cryptography in critical information infrastructure.

Local cryptography administration departments at or above the county level, in conjunction with the cyberspace administration departments and the public security organs, shall be responsible for guiding and supervising the administration of the use of commercial cryptography in critical information infrastructure within their respective administrative regions.

**Article 4.** The departments responsible for the protection of critical information infrastructure (hereinafter referred to as "protection departments") shall, within the scope of their duties, be responsible for supervising and administering the use of commercial cryptography in critical information infrastructure in their respective industries and fields; shall, separately, formulate plans for the use of commercial cryptography in their respective industries and fields, or incorporate such plans into the security plans for critical information infrastructure in their respective industries and fields, and organize their implementation; and shall guide the operators of critical information infrastructure in their respective industries and fields (hereinafter referred to as "operators") in carrying out support work such as commercial-cryptography-related systems, personnel and funding.

A protection department shall, before March 31 each year, report to the national cryptography administration department, the national cyberspace administration department and the public security department of the State Council on the administration of the use of commercial cryptography in critical information infrastructure in its industry and field for the previous year.

Where a major cybersecurity incident involving commercial cryptography occurs in critical information infrastructure, or a major cybersecurity threat involving commercial cryptography is discovered, the protection department shall promptly report to the national cryptography administration department, the national cyberspace administration department and the public security department of the State Council, guide the operator in carrying out emergency response, and, where necessary, conduct a commercial-cryptography application security assessment.

**Article 5.** Operators shall, in accordance with the relevant laws, administrative regulations and the relevant provisions of the State, and following the requirements of the systems for the administration of national commercial cryptography, cybersecurity multi-level protection, and the security protection of critical information infrastructure, use commercial cryptography to protect critical information infrastructure, plan, build and operate commercial-cryptography assurance systems concurrently, and regularly carry out commercial-cryptography application security assessments.

Operators shall, before January 31 each year, report to the protection department to which they belong on the use of commercial cryptography in critical information infrastructure and the conduct of commercial-cryptography application security assessments for the previous year.

**Article 6.** Operators shall strengthen the system safeguards for the use of commercial cryptography in critical information infrastructure, and establish systems for the administration of the use of commercial cryptography in critical information infrastructure, such as systems for the use of commercial cryptography, emergency response, and the reporting of major incidents.

The principal person in charge of an operator shall bear overall responsibility for the administration of the use of commercial cryptography in critical information infrastructure, and shall be responsible for the use of commercial cryptography in critical information infrastructure and the handling of major cybersecurity incidents involving commercial cryptography.

**Article 7.** Operators shall strengthen the personnel safeguards for the use of commercial cryptography in critical information infrastructure, and shall assign professionals who have obtained academic qualifications related to cryptography or national vocational-skill-level certification related to cryptography to respectively assume the duties of key administrators and cipher operators, and assign personnel with professional capabilities in security auditing to assume the duties of cipher security auditors.

Operators shall conduct security-background checks on cryptography-related professionals, and shall regularly organize them to participate in cryptography-related professional-skills training, so as to improve the commercial-cryptography use capabilities of cryptography-related professionals.

**Article 8.** Operators shall strengthen the funding safeguards for the use of commercial cryptography in critical information infrastructure and for application security assessments, and shall incorporate the funds for the use of commercial cryptography and for application security assessments into the arrangements for cybersecurity and informatization funds.

**Article 9.** The commercial-cryptography products and services used in critical information infrastructure shall have passed testing and certification, and the commercial-cryptography technologies used, such as cryptographic algorithms, cryptographic protocols and key management mechanisms, shall have passed the review and appraisal of the national cryptography administration department.

Where an operator procures network products and services involving commercial cryptography that affect or may affect national security, it shall undergo a cybersecurity review in accordance with the Cybersecurity Review Measures.

**Article 10.** Critical information infrastructure shall, in accordance with the relevant requirements of the State for data security protection and personal information protection, use commercial cryptography to protect the core data, important data and personal information that it stores, uses and transmits.

**Article 11.** At the planning stage of critical information infrastructure, the operator shall, in accordance with the relevant laws, administrative regulations and standards and specifications, and based on the demand for commercial-cryptography application, formulate a commercial-cryptography application plan, plan a commercial-cryptography assurance system and incorporate it into the security plan for critical information infrastructure for overall deployment.

The operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment of the commercial-cryptography application plan. A commercial-cryptography application plan that has not passed the commercial-cryptography application security assessment shall not be used as the basis for constructing the commercial-cryptography assurance system.

**Article 12.** At the construction stage of critical information infrastructure, the operator shall organize implementation in accordance with the commercial-cryptography application plan that has passed the commercial-cryptography application security assessment, implement commercial-cryptography security protection measures, and construct the commercial-cryptography assurance system. Where it is necessary to adjust the commercial-cryptography application plan during the construction process, the commercial-cryptography application security assessment shall be conducted again, and only after passing the assessment may construction continue in accordance with the adjusted commercial-cryptography application plan.

Before critical information infrastructure goes into operation, the operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment. Where the critical information infrastructure has not passed the commercial-cryptography application security assessment, the operator shall carry out rectification, and shall not put it into operation during the rectification period.

**Article 13.** After critical information infrastructure has been built and put into operation, the operator shall, on its own or by entrusting a commercial-cryptography testing institution, conduct a commercial-cryptography application security assessment at least once a year, so as to ensure the correct use of commercial cryptography in the critical information infrastructure and the effective operation of the commercial-cryptography assurance system. Where the critical information infrastructure has not passed the commercial-cryptography application security assessment, the operator shall carry out rectification, and shall take necessary measures during the rectification period to ensure the operational security of the critical information infrastructure.

**Article 14.** For critical information infrastructure that is under construction before the implementation of these Provisions, the operator shall strengthen the preparation and demonstration of the commercial-cryptography application plan, build and improve the commercial-cryptography assurance system, and conduct a commercial-cryptography application security assessment in accordance with Article 12 of these Provisions.

For critical information infrastructure that has been put into operation before the implementation of these Provisions, the operator shall conduct a commercial-cryptography application security assessment in accordance with Article 13 of these Provisions.

**Article 15.** The conduct of commercial-cryptography application security assessments for critical information infrastructure shall comply with the relevant provisions of the Measures for the Administration of Commercial-Cryptography Application Security Assessments.

Commercial-cryptography application security assessments for critical information infrastructure shall be more closely linked with the security testing and assessment of critical information infrastructure and with cybersecurity multi-level protection evaluation, so as to avoid duplicate assessment and evaluation.

**Article 16.** The national cryptography administration department shall be responsible for the construction and management of the national infrastructure for the operational security management of commercial cryptography in critical information infrastructure, shall coordinate protection departments in constructing infrastructure for the operational security management of commercial cryptography in critical information infrastructure in their respective industries and fields, shall, in conjunction with the national cyberspace administration department and the public security department of the State Council, analyze and assess the operational security posture of commercial cryptography in critical information infrastructure, and shall coordinate the response to and disposal of major commercial-cryptography operational security threats.

**Article 17.** Cryptography administration departments shall regularly organize supervision and inspection of the use of commercial cryptography in critical information infrastructure. Protection departments shall regularly inspect the use of commercial cryptography in critical information infrastructure in their respective industries and fields and put forward improvement measures, and may, where necessary, conduct commercial-cryptography application security assessments on their own or by entrusting professional institutions such as commercial-cryptography testing institutions.

Operators shall cooperate with the supervision and inspection of the use of commercial cryptography in critical information infrastructure conducted by cryptography administration departments and protection departments, promptly carry out rectification in accordance with the supervision and inspection opinions and report the rectification to the protection department, and the protection department shall report the rectification to the national cryptography administration department.

The conduct of supervision and inspection of the use of commercial cryptography in critical information infrastructure shall strengthen coordination, cooperation and information communication, so as to avoid unnecessary inspections and cross or duplicate inspections. No fees shall be charged for supervision and inspection, and no entity under supervision and inspection shall be required to purchase or use commercial-cryptography products or services of a designated entity or brand.

**Article 18.** Cryptography administration departments, relevant departments, commercial-cryptography testing institutions and their staff shall bear confidentiality obligations with respect to the State secrets, trade secrets and personal privacy that come to their knowledge in the performance of their duties, and shall not divulge them or illegally provide them to others.

**Article 19.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure or these Provisions, and falls under any of the following circumstances, the cryptography administration department shall order corrections and give a warning; where the operator refuses to make corrections or where there are other serious circumstances, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge:

(I) failing to use commercial cryptography to protect critical information infrastructure as required, or failing to plan, build and operate the commercial-cryptography assurance system concurrently;

(II) the commercial-cryptography products and services used in critical information infrastructure have not passed testing and certification;

(III) the commercial-cryptography technologies used in critical information infrastructure, such as cryptographic algorithms, cryptographic protocols and key management mechanisms, have not passed the review and appraisal of the national cryptography administration department;

(IV) failing, at the planning stage of critical information infrastructure, to formulate a commercial-cryptography application plan, or failing to conduct a commercial-cryptography application security assessment of the commercial-cryptography application plan;

(V) failing, at the construction stage of critical information infrastructure, to construct the commercial-cryptography assurance system in accordance with the commercial-cryptography application plan that has passed the commercial-cryptography application security assessment;

(VI) failing, before critical information infrastructure goes into operation, to conduct a commercial-cryptography application security assessment, or failing to pass the commercial-cryptography application security assessment and failing to carry out rectification; or

(VII) failing, after critical information infrastructure has been built and put into operation, to regularly conduct commercial-cryptography application security assessments, or failing to pass the regularly conducted commercial-cryptography application security assessment and failing to carry out rectification.

**Article 20.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure and Article 9 of these Provisions by using network products or services involving commercial cryptography that have not undergone security review or have not passed security review, the relevant competent department shall order the cessation of use, impose a fine of not less than one time but not more than ten times the procurement amount, and impose a fine of not less than RMB 10,000 but not more than RMB 100,000 on the person directly in charge and other directly responsible persons.

**Article 21.** Where an operator violates the relevant provisions of the Cryptography Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Regulations on the Administration of Commercial Cryptography, the Regulations on the Security Protection of Critical Information Infrastructure and Article 17 of these Provisions by refusing, without justified reason, to accept or cooperate with, or by interfering with or obstructing, the supervision and administration of commercial cryptography by cryptography administration departments or relevant departments, the cryptography administration department or relevant department shall order corrections and give a warning; where the operator refuses to make corrections or where there are other serious circumstances, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly responsible persons; where the circumstances are particularly serious, the operator shall be ordered to suspend business for rectification.

**Article 22.** Where an operator violates these Provisions and falls under any of the following circumstances, the cryptography administration department or relevant department shall, in accordance with its duties, order corrections:

(I) failing to report, as required, the use of commercial cryptography in critical information infrastructure and the conduct of commercial-cryptography application security assessments for the previous year;

(II) failing to establish a system for the administration of the use of commercial cryptography in critical information infrastructure;

(III) failing to assign key administrators, cipher operators and cipher security auditors as required; or

(IV) failing to safeguard the funds for the use of commercial cryptography in critical information infrastructure and for application security assessments.

**Article 23.** Where personnel engaged in the supervision and administration of the use of commercial cryptography in critical information infrastructure abuse their power, neglect their duties, engage in malpractice for personal gain, or divulge or illegally provide to others trade secrets, personal privacy or whistleblower information that comes to their knowledge in the performance of their duties, they shall be given sanctions in accordance with the law.

**Article 24.** For the administration of the use of commercial cryptography in critical information infrastructure that is a national government affairs information system, in addition to complying with these Provisions, the relevant requirements of the Measures for the Administration of the Construction of National Government Affairs Informatization Projects (Guo Ban Fa [2019] No. 57) and other relevant provisions shall also be complied with.

**Article 25.** These Provisions shall come into force as of August 1, 2025.
