How to Comply with China’s Encryption Technology Regulations: 2026 Guide

Date:

Share post:

How to Comply with China’s Encryption Technology Regulations: 2026 Guide

China’s encryption technology regulations underwent a fundamental transformation with the effective implementation of the Cryptography Law (effective January 1, 2020) and its supporting Commercial Cryptography Product Regulations and Administrative Measures on the Use of Encryption. For foreign companies importing, exporting, or using encryption technology in China, compliance is complex and non-negotiable. Encryption products and technologies are subject to a multi-agency regulatory regime involving the State Cryptography Administration (SCA), the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and MOFCOM, depending on the nature of the encryption technology and the transaction type.

China regulates encryption technology through three distinct but overlapping frameworks: commercial cryptography product regulation (for products sold or used in China), encryption technology import/export controls (for cross-border transfers), and cybersecurity-related encryption requirements (for network products and data protection). A single encryption technology can be subject to all three frameworks simultaneously, creating a compliance matrix that requires careful mapping.

This guide provides foreign companies with a practical framework for understanding and complying with China’s encryption technology regulations, covering the regulatory structure, product certification requirements, import and export controls, cross-border data encryption rules, enforcement trends, and strategies for building an effective encryption compliance program.

Regulatory Framework Governing Authority Scope Key Requirement
Cryptography Law State Cryptography Administration (SCA) All commercial encryption products used in China Commercial Cryptography Product Certification for many categories
Encryption Import/Export Controls MOFCOM + SCA Cross-border transfer of encryption technology Import contract registration or export license as applicable
Cybersecurity Law / DSL Encryption Requirements CAC + SCA Network products and data encryption Use of SCA-approved encryption algorithms for certain applications

Understanding the Cryptography Law Framework

China’s Cryptography Law establishes a three-tier classification system for encryption technologies and products: Core Cryptography (state secrets), Ordinary Cryptography (government use), and Commercial Cryptography (civilian/business use). For foreign companies, the Commercial Cryptography category is the most relevant, governing encryption products, technologies, and services used in commercial activities.

The Commercial Cryptography regulatory system includes the following key elements:

  1. Commercial Cryptography Product Certification (CCPC) — Certain categories of commercial encryption products must undergo SCA certification before they can be manufactured, sold, imported, or used in China. The certification process involves product testing by an SCA-accredited laboratory, factory inspection, and ongoing surveillance. Products that pass receive an SCA Commercial Cryptography Product Certification Certificate, valid for 5 years.
  2. Commercial Cryptography Algorithm Standards — The SCA has published a set of national standard encryption algorithms (SM2, SM3, SM4, SM9) that are mandatory for certain applications, particularly in government procurement, financial services, and critical information infrastructure. Foreign companies selling encryption products into these sectors must implement these algorithms, either natively or through cryptographic service modules.
  3. Commercial Cryptography Product Import Licensing — Importing commercial encryption products into China may require an SCA import license, depending on the product’s technical characteristics and the intended use. Products using non-SCA algorithms (e.g., AES, RSA, ECC) and products classified as “dual-use encryption goods” are subject to additional scrutiny.
  4. Commercial Cryptography Service Institution Certification — Entities providing commercial encryption services (encryption consulting, system integration, managed encryption services) must be certified by the SCA as qualified service institutions. Foreign companies providing encryption-related services to Chinese clients may need to partner with a certified Chinese entity.

The scope of products requiring certification has expanded significantly. As of 2025, the SCA’s certification catalog covers over 80 product categories, including encryption chips, encryption modules, VPN products, digital certificates, PKI products, encryption software, secure operating systems, and network encryption products. Foreign companies should check the current catalog — available on the SCA website — to determine whether their products require certification.

Step 1: Determine Your Encryption Product Classification

The first compliance step is determining how your encryption product or technology is classified under Chinese regulations. The classification determines which permits, certifications, and licenses are required. The key classification questions are:

  • Is the encryption product “commercial cryptography”? — Most encryption products used in business applications fall under commercial cryptography. Exceptions include products designed exclusively for government classified communications (core/ordinary cryptography) and products with encryption as an ancillary feature (e.g., a smartphone with built-in encryption).
  • Is the product on the SCA certification catalog? — Products on the catalog must obtain SCA Commercial Cryptography Product Certification before being sold or used in China. Products not on the catalog can be sold without certification but must still comply with other applicable regulations.
  • Does the product use SCA-approved algorithms? — For applications involving government procurement, financial services, or critical information infrastructure, use of SM2/SM3/SM4/SM9 algorithms may be mandatory. For other commercial applications, non-SCA algorithms are generally permitted but the product may face additional scrutiny during import clearance.
  • Is the encryption technology being imported or exported? — Cross-border transfers of encryption technology are subject to separate import registration or export licensing requirements under MOFCOM’s technology transfer regulations (see CG360-TECH-TRANSFER-GUID-001 and CG360-TECH-TRANSFER-GUID-002).

The classification process requires a detailed technical review of the product’s encryption algorithms, key lengths, implementation methods, and intended applications. Foreign companies should engage an SCA-qualified consultant or law firm to conduct the classification review, as incorrect classification can lead to product seizure, fines, or import/export license revocation.

Step 2: Obtain Commercial Cryptography Product Certification

If your encryption product falls within the SCA certification catalog, the certification process involves the following steps:

  1. Product testing — Submit the product to an SCA-accredited testing laboratory for technical evaluation. The testing covers algorithm implementation, key management, random number generation, protocol compliance, and security functionality. Testing typically takes 2 to 4 months, depending on the product complexity and the laboratory’s workload.
  2. Factory inspection — For hardware encryption products, the SCA conducts an on-site factory inspection to verify production quality control, supply chain security, and anti-tampering measures. For software products, a development process audit may be conducted instead of a factory inspection.
  3. Documentation review — Submit technical documentation, including product specifications, algorithm implementation descriptions, security design documents, user manuals, and test reports. All documentation must be in Chinese or accompanied by certified translations.
  4. Certification issuance — If testing and inspection are passed, the SCA issues the Commercial Cryptography Product Certification Certificate. The certificate is valid for 5 years, with annual surveillance audits required to maintain certification.

The total cost of certification varies widely depending on the product category, testing requirements, and whether the factory is located in China or abroad. Foreign companies with overseas factories should budget RMB 200,000 to RMB 500,000 for a complete certification cycle, including testing, inspection, translation, and consulting fees. The timeline is typically 6 to 9 months from application to certificate issuance.

Step 3: Comply with Encryption Import Requirements

Importing encryption technology into China requires compliance with both the Cryptography Law (for the product itself) and the Technology Import and Export Regulations (for the technology transfer aspect). The import process involves:

Import Scenario Requirements Authority
Import of encryption product hardware SCA product certification (if on catalog); customs clearance with SCA import permit for certain high-grade products SCA + Customs
Import of encryption software via license Technology import contract registration with MOFCOM; SCA certification for the software (if on catalog) MOFCOM + SCA
Import of encryption technology as know-how Technology import contract registration with MOFCOM; classification review for encryption-specific regulations MOFCOM + SCA
Temporary import for testing/demo Simplified customs procedure; SCA notification may be required Customs

The SCA and MOFCOM have overlapping jurisdiction for encryption technology imports. The Technology Import Contract Registration Certificate (from MOFCOM) and the Commercial Cryptography Product Certification (from SCA) serve different purposes. The MOFCOM certificate is about the contract and royalty remittance; the SCA certificate is about the product’s legality for use in China. Both may be required, and foreign companies should confirm which applies to their specific transaction.

Encryption Export Controls: A Growing Concern

China’s encryption export controls have tightened considerably since the 2024 revision of the Export Control Law. Encryption technologies developed in China — including SM-series algorithm implementations, Chinese-developed encryption hardware designs, and encryption software with Chinese cryptographic components — may be subject to export licensing requirements when transferred to foreign entities.

Key developments include:

  • SM4 encryption algorithm implementations are now classified as “restricted technology” for export purposes when the implementation includes proprietary optimizations or specialized hardware integration. The algorithm specification itself (published as a national standard) is not restricted, but production-ready implementations may be.
  • Encryption products that combine SCA-certified algorithms with non-standard protocols or custom key management schemes face enhanced scrutiny during export license review. MOFCOM considers these “dual-use encryption goods” requiring case-by-case licensing.
  • Encryption source code developed by Chinese engineers — even within a foreign-invested enterprise in China — is considered Chinese-origin technology for export control purposes. Transferring this source code to an overseas affiliate may require an export license.

Foreign companies with Chinese R&D centers developing encryption technology should implement internal controls to identify Chinese-origin encryption components and establish a procedure for obtaining export licenses before any cross-border transfer of encryption technology.

Enforcement and Penalties

Enforcement of China’s encryption regulations has increased significantly since 2023. The SCA has conducted targeted inspections of encryption product manufacturers, importers, and users, with a particular focus on products used in critical information infrastructure, financial services, and telecommunications.

Penalties for non-compliance can be severe:

  • Product seizure — Uncertified encryption products can be seized by market regulatory authorities or customs, resulting in immediate supply chain disruption and financial loss.
  • Fines — Under the Cryptography Law, violations can attract fines ranging from RMB 100,000 to RMB 1 million for the entity, with additional personal fines for responsible officers of RMB 50,000 to RMB 500,000.
  • Business license suspension — Serious or repeated violations can result in suspension or revocation of the entity’s business license, effectively ending the company’s ability to operate in China.
  • Import/export license revocation — Violations of encryption import or export regulations can result in revocation of existing licenses and a blacklisting period during which no new licenses will be issued.
  • Criminal liability — In cases involving national security or classified encryption, criminal penalties including imprisonment of up to 10 years can apply to responsible corporate officers.

Beyond direct penalties, non-compliant encryption products create downstream risks for customers. If a Chinese company uses an uncertified encryption product and suffers a security breach, the SCA may hold both the user and the product supplier liable. This cascading liability risk makes encryption compliance a key consideration for Chinese procurement officers, who increasingly require SCA certification as a condition of purchase.

Building an Encryption Compliance Program

Given the complexity of China’s encryption regulations and the severity of penalties for non-compliance, foreign companies dealing with encryption technology in China should develop a dedicated encryption compliance program. Key components include:

Product classification matrix: Create a matrix mapping each encryption product or technology against the SCA certification catalog, the MOFCOM technology import/export lists, and the cybersecurity encryption requirements. Update this matrix quarterly as regulations evolve.

Algorithm inventory: Maintain an inventory of all cryptographic algorithms used in products sold or deployed in China, including algorithm type (SCA-standard vs. international), key length, implementation method (hardware vs. software), and intended application. This inventory is essential for both SCA certification applications and MOFCOM import/export filings.

Cross-border technology transfer procedure: Establish a formal procedure for reviewing any cross-border transfer of encryption technology, including classification review, license application (if required), and documentation of the compliance determination. The procedure should cover both inbound transfers (import to China) and outbound transfers (export from China).

SCA liaison: Designate a China-based compliance officer or external consultant as the primary liaison with the SCA. Regular communication with SCA officials can provide advance notice of regulatory changes and facilitate faster certification processing.

Training: Conduct annual encryption compliance training for all employees involved in product development, import/export, and sales in China. The training should cover the basic classification framework, red flags for regulated products, and internal reporting procedures for encryption-related compliance questions.

Where to Go From Here

China’s encryption regulations are among the most complex technology control regimes foreign companies face. A systematic approach to classification, certification, and compliance is essential.

How to Comply with China’s Encryption Technology Regulations: 2026 Guide — first published on China Gateway 360. Last updated: July 2026.

Related articles

How to Prepare an EIA Report for a Manufacturing Plant in China: 2026 Guide

How to Prepare an EIA Report for a Manufacturing Plant in China: 2026 Guide body { font-family: Arial, Helvetica, sans-serif; line-height: 1.7; color:

How to Navigate China’s EIA Exemption Policy for Foreign Businesses: 2026 Guide

How to Navigate China's EIA Exemption Policy for Foreign Businesses: 2026 Guide body { font-family: Arial, Helvetica, sans-serif; line-height: 1.7; co

How to Prepare an EIA Report for a Manufacturing Plant in China: 2026 Guide

How to Prepare an EIA Report for a Manufacturing Plant in China: 2026 Guide body { font-family: Arial, Helvetica, sans-serif; line-height: 1.7; color:

How to Navigate China’s EIA Exemption Policy for Foreign Businesses: 2026 Guide

How to Navigate China's EIA Exemption Policy for Foreign Businesses: 2026 Guide body { font-family: Arial, Helvetica, sans-serif; line-height: 1.7; co