New PRC Rules on Compulsory Certification of Information Security Products

    View Author March 2008
    China's Certification and Accreditation Administration (CNCA) and the General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ) jointly issued the Announcement on Imposing Compulsory Certification on Certain Information Security Products (the 2008 Announcement) on January 28, 2008 [with reference number No. 7 (2008)] to take effect on May 1, 2009. We understand from various sources, however, that implementation of rules for a certification system will likely be postponed.

    The 2008 Announcement's implications have greatly heightened concerns among multinational companies with a China presence regarding market entry and product viability, as well as protection of intellectual property. According to the 2008 Announcement, information security products listed in the catalog as subject to compulsory certification cannot be distributed, sold, imported or used commercially in China without being certified in accordance with regulations and having the China compulsory certification (CCC) mark to indicate the product passed the certification process.

    In 2007 China publicly announced its intent to regulate these products with the institution of a mandatory approval and certification system via its Technical Barriers to Trade statement to the World Trade Organization (WTO) in compliance with its obligations. In 2008 China announced that eight categories with 13 types of information security products in total would be affected. Squire Sanders' summary of the affected information security products subject to Compulsory Certification is now available.

    The impending May 1, 2009 date, along with the absence of any clear guiding regulations, has created uncertainty among many multinationals whose information security products currently constitute the majority of the market in China. Implementation of the rules will almost certainly bar from China's market many products made by multinationals, either in China or abroad. Concerns among enterprise users about network security, especially hacking, virus dissemination, and intrusion detection and prevention, have fueled the growth of this market all over, and China's growing economy offers sizable opportunities for manufacturers of these products and systems. Companies based outside of China own the lion's share of this market and its various segment products and network security platforms and solutions including integrated security and Unified Threat Management (UTM) solutions and platforms. China-based companies, however, have made efforts to increase their market share.

    Some have expressed concern over the effects to competition from the barriers imposed by the rules – more precisely, whether the certification requirement will give manufacturers in China any advantage by alleviating competition from non-PRC companies that either cannot or will not be able to sell their existing products in China. There is no guarantee that China's certification rules including protocols and benchmarks used by its certification laboratories will employ international standards for such products. Moreover, should the rules require disclosure of product source code and other secret information to testing labs as a prerequisite to certification, competition could be affected.

    At the 19th US – China Joint Commission on Commerce and Trade (JCCT) on September 16, 2008, China advised that it would delay the implementation of final rules regarding information security product certification. As of March 10, 2009 we still await final rules and detailed information on the implementation process.

    The China Information Security Certification Center (ISCCC) is the designated certification institution, and seven laboratories have been designated as certification laboratories. There are no non-PRC laboratories among the designated seven.

    It is reported that the application documents generally include:
    1. Basic information of the applicant;
    2. A Chinese user manual;
    3. Introduction of key modules with security function;
    4. Quality standards adopted by the products;
    5. Primary raw material used and a detailed list of components outsourced;
    6. Label and warnings mark in Chinese (if applicable);
    7. Explanation of the differences between various versions/models in a single certification unit; and
    8. Other documents required by the certification institution.
    We are in contact with the CNCA on an anonymous basis, which has advised that it is likely that the implementation of the proposed certification system will be postponed. Other organizations in the business community have the same understanding from various other sources. A postponement would be in line with China's announcement at the JCCT this past September and alleviate some of the pressure on multinational corporations with affected products. Perhaps with a delayed implementation, AQSIQ and CNCA will provide a regulatory roadmap for businesses, providing guidance regarding future implementation and technical certification and approval requirements specifically. China Customs officials will need to receive official instruction from AQSIQ, CNCA and any other PRC authorities involved clarifying import/export procedures with respect to any postponement of the certification system.

    In any event, we will actively monitor information sources including direct communication with the CNCA and the AQSIQ as to the date and substance of any future notification from the administrations involved including strategy for delayed implementation of the rules and a detailed roadmap for businesses provided by these administrations. We will continue to monitor the implementation of the new rules.