Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · CYBERSECURITY LABEL MEASURES

Measures for the Administration of Cybersecurity Labels.

网络安全标识管理办法

FILED UNDER · Data Security

Promulgated by: Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS). Document No.: Not specified in the released text. Effective July 1, 2026.


Chapter I. General Provisions

Article 1. These Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations, for the purposes of improving the cybersecurity capability of products, strengthening the protection of consumer rights and interests, and safeguarding cybersecurity and the public interest.

Article 2. For the purposes of these Measures, “cybersecurity label” (网络安全标识) means an information label that reflects the level of cybersecurity capability of a product itself.

Products with an internet-connection function are subject to these Measures, and specific products are subject to catalogue-based management.

Article 3. Cybersecurity label administration work adheres to the principle of coordinating development and security, and product manufacturers participate on a voluntary basis.

Product manufacturers are encouraged to improve the cybersecurity capability of their products and to affix cybersecurity labels in accordance with these Measures.

Consumers are encouraged to give preference to products bearing a cybersecurity label.

Article 4. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security are responsible for cybersecurity label administration work. They shall formulate and publish, in batches, a Catalogue of Products Subject to Cybersecurity Labeling, specifying the implementing rules and the national standards or technical documents on which each category of product is based, and shall organize publicity and education on cybersecurity labels. They entrust the China Electronics Standardization Institute (hereinafter, the “filing institution”) to carry out filing and information-release work for cybersecurity labels.

Chapter II. Implementation of Labels

Article 5. The cybersecurity capability levels corresponding to the cybersecurity label are, from low to high, basic level, enhanced level, and leading level, denoted respectively by one-star, two-star, and three-star labels.

The basic level requires that a product satisfy the basic security requirements of the relevant national standards, such as the absence of weak passwords or common default passwords, the establishment of a vulnerability-management mechanism with dynamic vulnerability remediation, and the maintenance of up-to-date software. The enhanced level requires that a product’s cybersecurity capability reach an advanced level among comparable products. The leading level requires that a product’s cybersecurity capability reach a leading level among comparable products, and additionally that the product pass penetration testing to verify its ability to withstand high-level cyberattacks.

The specific security requirements for the label level of each category of product shall be determined in the corresponding implementing rules. Security requirements shall be properly aligned with current national and international standards, and shall fully draw on and absorb the relevant experience of other countries and regions that operate cybersecurity labeling systems.

Article 6. A cybersecurity label (in English, “China Cybersecurity Label”) shall include the following basic contents:

(1) the name of the product manufacturer;

(2) the product specification and model;

(3) the cybersecurity capability level;

(4) the validity period of the cybersecurity label;

(5) the name of the testing laboratory;

(6) the number of the national standard or technical document relied upon; and

(7) a filing information code, by scanning which the test report, key indicators, the product manufacturer’s compliance declaration, and other information may be obtained.

The basic design of the cybersecurity label is as shown in the annex (see attachment).

The specific design for the label of each category of product shall be specified in the corresponding implementing rules, and may be appropriately adapted from the basic design above according to the actual form of the product.

Article 7. For a product required to bear a cybersecurity label, the product manufacturer shall carry out cybersecurity capability testing in accordance with the relevant requirements of the implementing rules, determine the cybersecurity capability level, and obtain a test report.

(1) For products required to bear a one-star or two-star label, the product manufacturer may use its own testing laboratory or entrust a third-party testing institution that has lawfully obtained qualification accreditation to carry out the testing;

(2) For products required to bear a three-star label, the product manufacturer, in addition to satisfying the relevant testing requirements, shall also entrust a qualified third-party testing institution to carry out penetration testing.

Article 8. The filing institution shall build a cybersecurity label filing and administration platform, and product manufacturers shall complete the filing of cybersecurity labels online through the platform.

The following materials shall be submitted in electronic form at the time of filing:

(1) the cybersecurity label filing form;

(2) the cybersecurity capability level test report;

(3) the design of the product’s cybersecurity label, prepared in accordance with the implementing rules;

(4) the product manufacturer’s compliance declaration;

(5) the product manufacturer’s business license;

(6) supporting materials evidencing the testing capability of the manufacturer’s own testing laboratory, or the qualification accreditation certificate of the third-party testing institution; and

(7) where the filing materials are submitted by an agent, the product manufacturer’s power of attorney and other authorization documents.

The product manufacturer and its agent shall be responsible for the authenticity, accuracy, and completeness of the foregoing materials.

Article 9. The filing institution shall, within 10 working days from the date of receiving complete filing materials, conduct a formal review of the authenticity, accuracy, and completeness of the materials, complete the filing, and publicly announce the relevant filing information for the product.

Once the filing is completed, the product manufacturer may print, use, and display the cybersecurity label in accordance with the requirements of the implementing rules.

Article 10. The validity period of a cybersecurity label shall be specified in the relevant product implementing rules. Where, for a product for which filing has been completed, a change occurs in key technical parameters or other matters that may affect the product’s cybersecurity capability, or where the label’s validity period has expired, the product manufacturer shall re-file.

Article 11. No organization or individual may forge or misappropriate a cybersecurity label, or use a cybersecurity label to engage in false advertising.

Article 12. The filing institution shall establish and improve working rules for cybersecurity label filings, and shall carry out filing-related work objectively and impartially.

A product manufacturer’s own testing laboratory or a third-party testing institution shall strictly carry out testing in accordance with the relevant standards, shall ensure that test results are objective, impartial, true, and accurate, and shall not forge test results or issue false test reports.

The filing institution and testing institutions shall not divulge state secrets or trade secrets that come to their knowledge in the course of their work.

Chapter III. Supervision and Administration

Article 13. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security are responsible for organizing supervision and inspection of the filing and use of cybersecurity labels, and shall, upon discovering conduct in violation of these Measures, promptly handle it in accordance with relevant provisions.

Local cyberspace administration departments, communications administration bureaus, and public security organs are responsible for organizing supervision and inspection of the use of cybersecurity labels within their respective regions, and shall strengthen information sharing. Upon discovering conduct in violation of these Measures, they shall, together with the relevant departments, handle the matter in accordance with relevant provisions and promptly notify the filing institution.

Article 14. Where any of the following circumstances is discovered, the filing institution shall revoke the filing and promptly issue a public announcement:

(1) the filing materials were fraudulent;

(2) the cybersecurity label does not correspond to the product’s actual cybersecurity capability;

(3) the cybersecurity label used does not comply with the applicable provisions on design, specifications, or other labeling requirements;

(4) the product manufacturer has ceased to provide technical support services for the filed product; or

(5) other violations for which the filing should be revoked.

Article 15. Where a product manufacturer forges or misappropriates a cybersecurity label, or uses a cybersecurity label to engage in false advertising, the filing institution shall revoke the cybersecurity label filing for the relevant product, publicly announce the product manufacturer’s violation, and, from the date of the announcement, refuse to accept filing applications from that manufacturer for one year.

Article 16. Where a product manufacturer’s own testing laboratory or a third-party testing institution forges test results or issues a false test report, the filing institution shall revoke the cybersecurity label filing for the relevant product, publicly announce the testing institution’s violation, and, from the date of the announcement, decline to rely on that institution’s test results for one year.

Article 17. Where a product manufacturer, third-party testing institution, or other party engages in fraud in cybersecurity capability testing, or forges or misappropriates a cybersecurity label, the competent authorities shall impose penalties in accordance with the Cybersecurity Law of the People’s Republic of China, the Measures for the Supervision and Administration of Inspection and Testing Institutions, and other applicable laws and regulations.

Article 18. Any organization or individual that discovers conduct in violation of these Measures may report it to the local cyberspace administration department, communications administration bureau, or public security organ. The local cyberspace administration department, communications administration bureau, or public security organ shall promptly investigate and handle the matter, keep the identity of the whistleblower confidential, and the filing institution shall cooperate during the course of the investigation.

Article 19. Where a product security vulnerability is discovered or becomes known in the course of cybersecurity capability testing, it shall be reported, remediated, and disclosed in accordance with the relevant requirements of the Provisions on the Management of Security Vulnerabilities of Network Products.

Article 20. The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and other authorities shall establish credit records for conduct in violation of these Measures, and incorporate such records into the National Credit Information Sharing Platform.

Chapter IV. Supplementary Provisions

Article 21. For the purposes of these Measures, “cybersecurity capability” means the capability of a product manufacturer, through the adoption of necessary technical and management measures, to enable a product itself to guard against attacks, intrusions, interference, sabotage, and unlawful use, and to ensure the stable and reliable operation of the product and the integrity, confidentiality, and availability of network data.

Article 22. Critical network equipment and dedicated cybersecurity products shall be subject to security management in accordance with the Announcement on Adjusting Relevant Matters Concerning the Security Administration of Dedicated Cybersecurity Products (No. 1 [2023]) issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, and the State Administration for Market Regulation’s Certification and Accreditation Administration, and are not included in the Catalogue of Products Subject to Cybersecurity Labeling.

Article 23. These Measures shall come into force as of July 1, 2026.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →