China Commercial Cryptography Product Certification Catalogue (Third Batch) - APR 2025
#Compliance#Certification
Publication date: 2025-04-23 20:42:27

On 19th March 2025, China's State Administration for Market Regulation and the Office of State Cryptography Administration announced the third batch of the Commercial Cryptography Product Certification Catalogue. The official announcement is reproduced below.

Announcement of the State Administration for Market Regulation and the Office of State Cryptography Administration on the Release of the Commercial Cryptography Product Certification Catalogue (Third Batch)

In order to implement the Cryptography Law of the People’s Republic of China, further improve the commercial cryptography product certification system, gradually expand the scope of certification implementation, and better meet the needs of industrial development, the Commercial Cryptography Product Certification Catalogue (Third Batch) has been formulated in accordance with the requirements of the Implementation Opinions on Carrying Out Commercial Cryptography Testing and Certification Work (SAMR & OSCCA Joint Document No. 50 [2020]).

It is hereby announced that the Catalogue shall come into effect as of the date of its release.

State Administration for Market Regulation
Office of State Cryptography Administration

March 19, 2025

 

Commercial Cryptography Product Certification Catalogue (Third Batch)

Each entry lists: No., Product Category, Product Description, Certification Basis.

  1. Product Category: Key Management System Based on SM9 Identity-Based Cryptography Algorithm

     Product Description: An information system that performs identity key registration, generation, management, and distribution based on the SM9 identity-based cryptographic algorithm.

     Certification Basis:

    • GM/T 0086 Technical Specification for Key Management System Based on SM9 Identity-Based Cryptography Algorithm

  2. Product Category: Cryptographic Module for PLC Controllers

     Product Description: A device that uses cryptographic technologies to provide key storage, cryptographic security services, and interactions with back-end security management servers for PLC controllers.

     Certification Basis:

    • GM/T 0119 Technical Specification for Cryptographic Application in PLC Control Systems and Controllers

    • GM/T 0028 Technical Requirements for Cryptographic Module Security

  3. Product Category: DTLCP Cryptographic Module

     Product Description: A device that establishes secure communication channels in network environments based on the Datagram Transport Layer Cryptographic Protocol (DTLCP).

     Certification Basis:

    • GM/T 0128 Specification for Datagram Transport Layer Cryptographic Protocol

    • GM/T 0028 Technical Requirements for Cryptographic Module Security

  4. Product Category: SSH Client Cryptographic Module; SSH Server Cryptographic Module

     Product Description: Devices that establish secure channels in communication networks based on the Secure Shell (SSH) cryptographic protocol, providing secure remote login and secure network services.

     Certification Basis:

    • GM/T 0129 Specification for SSH Cryptographic Protocol

    • GM/T 0028 Technical Requirements for Cryptographic Module Security

 

Note:

  1. The cryptographic algorithms used in the above products shall comply with the national cryptography administration requirements, including but not limited to the following standards:

    • GM/T 0001 Zuchongzhi Sequence Cryptographic Algorithm

    • GM/T 0002 SM4 Block Cipher Algorithm

    • GM/T 0003 SM2 Elliptic Curve Public Key Cryptographic Algorithm

    • GM/T 0004 SM3 Cryptographic Hash Algorithm

    • GM/T 0009 Specification for the Use of the SM2 Cryptographic Algorithm

    • GM/T 0010 Encryption and Signature Message Syntax Specification of the SM2 Cryptographic Algorithm

    • GM/T 0044 SM9 Identity-Based Cryptographic Algorithm

  2. Random number testing for the above products shall follow the standards:

    • GM/T 0005 Specification for Randomness Testing

    • GM/T 0062 Requirements for Random Number Testing of Cryptographic Products

  3. Unless otherwise specified, the latest version of the above standards (including all amendments) shall apply in principle.

 

Background

An explanation of the Commercial Cryptography Product Certification Catalogue:


📌 What Is the “Commercial Cryptography Product Certification Catalogue”?

The Commercial Cryptography Product Certification Catalogue is an official list jointly issued by the Office of State Cryptography Administration (OSCCA) and the State Administration for Market Regulation (SAMR) of China. It defines which commercial cryptographic products must undergo mandatory testing and certification before being legally marketed, used, or integrated into critical systems.


📘 What Are “Commercial Cryptographic Products”?

Commercial cryptographic products refer to hardware, software, or systems that provide cryptographic functionalities—such as encryption, decryption, digital signatures, authentication, and key management—for protecting public, commercial, or personal information, but not involving state secrets.

Typical examples include:

  • Cryptographic modules, encryption chips, secure communication devices

  • Digital certificate systems, key management systems

  • Cryptographic components used in e-government, financial, telecom, and healthcare systems


🧾 Definition and Purpose of the Catalogue

The Certification Catalogue serves as a clear regulatory tool that specifies which cryptographic products require certification. Its primary purposes include:

  1. Clarifying the Certification Scope: Identifies which product types must be certified.

  2. Regulating Market Access: Products not certified are prohibited from being used in key sectors like government, finance, transportation, and healthcare.

  3. Enhancing Product Security: Ensures commercial cryptographic products meet consistent security and technical standards.

  4. Promoting Industry Compliance: Encourages the orderly application of cryptography to reduce information security risks.


🔒 China’s commercial cryptography certification is not universally mandatory, but it is compulsory under specific circumstances, as outlined below:

I. Mandatory Certification Scenarios (Certification Required)

Commercial cryptographic products must undergo certification in the following situations:

  • The product is listed in the Commercial Cryptography Product Certification Catalogue and is:

    • Used for government procurement;

    • Applied in critical information infrastructure (e.g., finance, telecommunications, transportation, energy);

    • Part of an important system under the national Multi-Level Protection Scheme (MLPS) for cybersecurity;

    • Included in the scope of mandatory certification as stipulated by the competent cryptography administration authorities.

According to Article 36 of the Cryptography Law of the People’s Republic of China:

"The state implements classified management for commercial cryptographic products. Products listed in the Commercial Cryptography Product Certification Catalogue shall be certified in accordance with the law."

 

📅 Catalogue Releases and Implementation

To date, China has released three batches of the Commercial Cryptography Product Certification Catalogue:

  • First Batch (2020): 22 basic product categories, such as cryptographic modules, encryption cards, authentication servers, etc.

  • Second Batch (2022): Added 6 categories, focusing on emerging technologies like cloud computing, blockchain, and secure browsers.

  • Third Batch (2025): Further expansion into SM9 algorithms, SSH cryptography, PLC controller modules, etc.


Legal Basis

The catalogue is based on the following key legal and policy documents:

  • Cryptography Law of the People’s Republic of China

  • Implementation Opinions on Carrying Out Commercial Cryptography Testing and Certification Work (SAMR & OSCCA Joint Document No. 50 [2020])

 



First Batch (Released in 2020)

A total of 22 product categories were included, covering cryptographic modules, key management systems, and authentication systems. Certification is based primarily on national standards such as GM/T 0028 Technical Requirements for Cryptographic Module Security.

Product categories include:

  1. Smart Cryptographic Key

  2. Smart IC Card

  3. POS/ATM/Multifunction/Internet Terminal Cryptographic Application System

  4. PCI-E/PCI Cryptographic Card

  5. IPSec VPN Products / Security Gateway

  6. SSL VPN Products / Security Gateway

  7. Secure Authentication Gateway

  8. Cryptographic Keyboard

  9. Financial Data Cryptographic Machine

  10. Server Cryptographic Machine

  11. Signature and Verification Server

  12. Timestamp Server

  13. Secure Access Control System

  14. Dynamic Token / Authentication System

  15. Secure Electronic Seal System

  16. Cryptographic Application System for Electronic Documents

  17. Trusted Computing Cryptographic Support Platform

  18. Certificate Authority System / Key Management System

  19. Symmetric Key Management Products

  20. Secure Chip

  21. RFID Tag Chip

  22. Other Cryptographic Modules

 

For more details, refer to official announcements:


Second Batch (Released in 2022)

An additional 6 product categories were added, focusing on emerging areas such as cloud computing and blockchain. Certification is based on standards including GM/T 0028, GM/T 0104, and GM/T 0111.

New product categories include:

  1. Trusted cryptographic modules

  2. Key management systems for smart IC cards

  3. Cloud server cryptographic devices

  4. Random number generators

  5. Blockchain cryptographic modules

  6. Secure browser cryptographic modules

 

For more details, refer to official announcements: