Decree of the State Council of the People's Republic of China
No. 760
The Regulations on the Administration of Commercial Passwords, revised and adopted at the fourth executive meeting of the State Council on April 14, 2023, are hereby promulgated and shall come into force as of July 1, 2023.
Premier Li Qiang
April 27, 2023
Regulations on the Administration of Commercial Passwords
(Promulgated by Decree No. 273 of the State Council of the People's Republic of China on October 7, 1999, revised by Decree No. 760 of the State Council of the People's Republic of China on April 27, 2023)
general provisions
Article 1 These Regulations are formulated in accordance with the Password Law of the People's Republic of China and other laws in order to regulate the application and management of commercial passwords, encourage and promote the development of the commercial password industry, safeguard network and information security, safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations.
Article 2 These Regulations shall apply to the scientific research, production, sales, service, detection, certification, import and export, application, supervision and administration of commercial passwords within the territory of the People's Republic of China.
The term "commercial passwords" as mentioned in these Regulations refers to the technologies, products and services that use specific transformation methods to encrypt, protect and secure information that does not belong to state secrets.
Article 3 Adhere to the leadership of the Communist Party of China over commercial password work and implement the overall national security concept. The State Password Administration Department is responsible for the administration of commercial passwords throughout the country. The local password administration departments at or above the county level shall be responsible for the administration of commercial passwords in their respective administrative areas.
The relevant departments such as Netcom, Commerce, Customs and Market Supervision and Administration are responsible for the management of commercial passwords within their respective responsibilities.
Article 4 The State strengthens the training of commercial password talents, establishes and improves the development system and mechanism of commercial password talents and talent evaluation system, encourages and supports the construction of password related disciplines and specialties, standardizes the socialized training of commercial password, and promotes the exchange of commercial password talents.
Article 5 The people's governments at all levels and their relevant departments shall take various forms to strengthen the publicity and education of commercial passwords, so as to enhance citizens, legal persons and other organizations' awareness of password security.
Article 6 Societies, trade associations and other social organizations in the field of commercial passwords shall, in accordance with the provisions of laws, administrative regulations and their articles of association, carry out academic exchanges, policy research, public services and other activities, strengthen academic and industrial self-discipline, promote integrity construction and promote the healthy development of the industry.
The password management department shall strengthen the guidance and support for social organizations in the field of commercial passwords.
Chapter II Scientific and Technological Innovation and Standardization
Article 7 The State establishes and improves the promotion mechanism for scientific and technological innovation of commercial cryptography, supports independent innovation of commercial cryptography science and technology, and commends and rewards organizations and individuals that have made outstanding contributions in accordance with the relevant provisions of the State.
The State protects intellectual property rights in the field of commercial passwords according to law. When engaging in commercial password activities, they should enhance their awareness of intellectual property rights and improve their ability to use, protect and manage intellectual property rights.
The State encourages cooperation in commercial cryptography technology based on the principle of voluntariness and commercial rules in the process of foreign investment. Administrative organs and their staff members shall not use administrative means to forcibly transfer commercial password technology.
Article 8 The State encourages and supports the transformation and industrialized application of commercial cryptography scientific and technological achievements, and establishes and improves a feedback mechanism for the information collection, release and application of commercial cryptography scientific and technological achievements.
Article 9 The State Password Administration Department shall organize the examination and appraisal of the cryptographic algorithms, cryptographic protocols, key management mechanisms and other commercial cryptographic technologies used in the network and information systems that are required to be protected by commercial passwords by laws, administrative regulations and relevant national regulations.
Article 10 The standardization administration department of the State Council and the national password administration department shall, in accordance with their respective duties, organize the formulation of national and industrial standards for commercial passwords, and regulate, guide and supervise the formulation of standards for commercial password organizations. The State Password Administration Department shall, according to its responsibilities, establish a feedback and evaluation mechanism for the implementation of commercial password standards, and supervise and inspect the implementation of commercial password standards.
The state promotes participation in international standardization activities of commercial passwords, participates in the formulation of international standards of commercial passwords, promotes the transformation and application of Chinese and foreign standards of commercial passwords, and encourages enterprises, social organizations, education and scientific research institutions to participate in international standardization activities of commercial passwords.
Where standards in other fields involve commercial passwords, they shall be coordinated with national and industrial standards for commercial passwords.
Article 11 Commercial password activities shall comply with relevant laws, administrative regulations, mandatory national standards for commercial passwords, and the technical requirements of self declaration disclosure standards.
The State encourages the adoption of recommended national and industrial standards for commercial passwords in commercial password activities, improves the protection capability of commercial passwords, and protects the legitimate rights and interests of users.
Chapter III Testing and Certification
Article 12 The State promotes the construction of a commercial password detection and authentication system, and encourages voluntary acceptance of commercial password detection and authentication in commercial password activities.
Article 13 Institutions engaged in commercial password detection activities such as detection of commercial password products, evaluation of security of commercial password applications in networks and information systems, and providing data and results that can prove to the public, shall be recognized by the State Password Administration Department and obtain the qualification of commercial password detection institutions according to law.
Article 14 To obtain the qualification of a commercial password detection institution, the following conditions shall be met:
(1) Having legal personality;
(2) Having the funds, places, equipment, facilities, professionals and professional abilities suitable for commercial password detection activities;
(3) It has a management system to ensure the effective operation of commercial password detection activities.
Article 15 To apply for the qualification of a commercial password testing institution, a written application shall be submitted to the State Password Administration Department, and the materials meeting the requirements specified in Article 14 of these Regulations shall be submitted.
The State Password Administration Department shall, within 20 working days from the date of acceptance of the application, examine the application and decide whether to approve it according to law.
If it is necessary to conduct a technical review of the applicant, the time required for the technical review shall not be included in the time limit specified in this article. The State Password Administration Department shall notify the applicant in writing of the time required.
Article 16 Commercial password detection institutions shall, in accordance with laws, administrative regulations and technical norms and rules for commercial password detection, independently, impartially, scientifically and honestly carry out commercial password detection within the approved scope, be responsible for the detection data and results issued, and regularly report the implementation of detection to the State Password Administration Department.
The technical specifications and rules for commercial password detection shall be formulated and published by the State Password Administration Department.
Article 17 The market supervision and administration department under the State Council shall, together with the State Password Administration Department, establish a unified commercial password authentication system promoted by the State, implement the authentication of commercial password products, services and management systems, and formulate and publish the authentication catalogue, technical specifications and rules.
Article 18 An institution engaged in commercial password authentication shall obtain the qualification of a commercial password authentication institution according to law.
To apply for the qualification of a commercial password authentication institution, a written application shall be submitted to the market supervision and administration department of the State Council. In addition to meeting the basic requirements of the certification authority required by laws, administrative regulations and relevant national regulations, the applicant should also have the technical capabilities of detection, inspection, etc. that are suitable for engaging in commercial password authentication activities.
The market supervision and administration department of the State Council shall consult the State Password Administration Department when examining the application for the qualification of a commercial password authentication institution.
Article 19 A commercial password authentication institution shall, in accordance with laws, administrative regulations and technical norms and rules for commercial password authentication, independently, impartially, scientifically and honestly carry out commercial password authentication within the scope of approval, and shall be responsible for the authentication conclusions issued.
The commercial password certification authority shall conduct effective tracking investigation on the commercial password products, services and management systems it has certified, so as to ensure that the certified commercial password products, services and management systems continue to meet the certification requirements.
Article 20 Commercial password products involving national security, national economy and people's livelihood, and social and public interests shall be listed in the catalogue of key network equipment and special network security products according to law, and can be sold or provided only after being tested and certified as qualified by qualified commercial password testing and certification institutions.
Article 21 Where a commercial password service uses key network equipment and special network security products, the commercial password service shall be certified as qualified by a commercial password certification authority.
Chapter IV Electronic Authentication
Article 22 To provide electronic authentication services using commercial password technology, it is necessary to have a place, equipment and facilities, professionals, professional competence and management system suitable for the use of passwords, and obtain the certificate of approval of the State Password Administration Department for the use of passwords according to law.
Article 23 An electronic authentication service institution shall provide electronic authentication services by using passwords in accordance with laws, administrative regulations and technical specifications and rules for the use of passwords in electronic authentication services, so as to ensure that the use of passwords in its electronic authentication services continues to meet the requirements.
The technical specifications and rules for the use of electronic authentication service passwords shall be formulated and published by the State Password Administration Department.
Article 24 The institutions that use commercial password technology to engage in e-government electronic authentication services shall be recognized by the State Password Administration Department and obtain the qualification of e-government electronic authentication service institutions according to law.
Article 25 To obtain the qualification of e-government electronic certification service institution, the following conditions shall be met:
(1) Having the status of enterprise legal person or institution legal person;
(2) Having funds, places, equipment and facilities and professionals suitable for engaging in e-government electronic authentication service activities and using passwords;
(3) Have the ability to provide long-term e-government electronic authentication services for government affairs activities;
(4) It has a management system to ensure the safe operation of e-government electronic authentication service activities and their use of passwords.
Article 26 To apply for the qualification of e-government electronic authentication service institution, a written application shall be submitted to the State Password Administration Department, and the materials meeting the requirements specified in Article 25 of these Regulations shall be submitted.
The State Password Administration Department shall, within 20 working days from the date of acceptance of the application, examine the application and decide whether to approve it according to law.
If it is necessary to conduct a technical review of the applicant, the time required for the technical review shall not be included in the time limit specified in this article. The State Password Administration Department shall notify the applicant in writing of the time required.
Article 27 Where foreign investment in e-government electronic authentication services affects or may affect national security, foreign investment security review shall be conducted according to law.
Article 28 An e-government electronic authentication service institution shall provide e-government electronic authentication services within the approved scope in accordance with laws, administrative regulations and technical specifications and rules of e-government electronic authentication services, and regularly report the implementation of services to the password management departments of provinces, autonomous regions, and municipalities directly under the Central Government where the main offices are located.
The technical specifications and rules for e-government electronic authentication services shall be formulated and published by the State Password Administration Department.
Article 29 The State shall establish a unified electronic authentication trust mechanism. The State Password Administration Department is responsible for the planning and management of electronic authentication trust sources and, together with relevant departments, promotes mutual trust and mutual recognition of electronic authentication services.
Article 30 The password management department, together with the relevant departments, shall be responsible for the management of the use of electronic signatures and data messages in government affairs activities.
The electronic authentication services related to electronic signatures, electronic seals, electronic certificates and licenses in government affairs activities shall be provided by the legally established e-government electronic authentication service institutions.
Chapter V Import and Export
Article 31 Commercial passwords that involve national security, social and public interests and have encryption protection functions shall be included in the list of import licenses for commercial passwords, and import licenses shall be implemented. Commercial passwords involving national security, social and public interests or China's international obligations shall be included in the export control list of commercial passwords for export control.
The list of commercial password import licenses and the list of commercial password export controls shall be formulated and published by the competent commerce department of the State Council in conjunction with the State Password Administration Department and the General Administration of Customs.
The system of import license and export control is not applied to the commercial passwords used for mass consumer products.
Article 32 The commercial passwords in the import license list of import commercial passwords or in the export control list of export commercial passwords shall apply to the competent commerce department of the State Council for an import and export license.
The provisions of the preceding paragraph shall apply to the transit, transshipment, through transportation and re export of commercial passwords, which enter and exit from abroad to areas under special customs supervision such as the comprehensive bonded area, or from abroad to bonded supervision places such as export supervised warehouses and bonded logistics centers.
Article 33 When the commercial passwords in the import license list of import commercial passwords or in the export control list of export commercial passwords are used, the import and export license shall be submitted to the customs for inspection, and the customs declaration formalities shall be handled in accordance with the relevant provisions of the State.
If the import and export operator fails to submit the import and export license to the customs for inspection, and the customs has evidence that the import and export products may fall within the scope of the commercial password import license list or export control list, it shall challenge the import and export operator; The customs may propose to the competent commerce department of the State Council to organize the identification, and handle according to the identification conclusion made by the competent commerce department of the State Council in conjunction with the State Password Administration Department. During the period of identification or challenge, the customs will not release the import and export products.
Article 34 To apply for the import and export license of commercial passwords, a written application shall be submitted to the competent commerce department under the State Council and the following materials shall be submitted:
(1) The identity certificates of the applicant's legal representative, main business manager and handler;
(2) A copy of the contract or agreement;
(3) Technical description of commercial passwords;
(4) End user and end use certificate;
(5) Other documents required to be submitted by the competent commerce department of the State Council.
The competent commerce department of the State Council shall, within 45 working days from the date of accepting the application, examine the application together with the State Password Administration Department, and decide whether to grant the license according to law.
The export of commercial passwords that have a significant impact on national security, social and public interests or foreign policy shall be reported to the State Council for approval by the competent commerce department of the State Council in conjunction with the State Password Administration Department and other relevant departments. Those submitted to the State Council for approval shall not be subject to the time limit prescribed in the preceding paragraph.
Chapter VI Application Promotion
Article 35 The State encourages citizens, legal persons and other organizations to use commercial passwords according to law to protect network and information security, and encourages the use of commercial passwords that have been tested and certified as qualified.
No organization or individual may steal the information encrypted and protected by others or illegally invade the commercial password security system of others, or use commercial passwords to engage in illegal and criminal activities that endanger national security, social and public interests, or the legitimate rights and interests of others.
Article 36 The State supports the use of commercial passwords to improve the security of network products and services, and supports and standardizes the application of commercial passwords in new technologies, new formats and new models in the information field.
Article 37 The State shall establish a promotion and coordination mechanism for the application of commercial passwords, and strengthen the overall guidance for the application of commercial passwords. State organs and units involved in the work of commercial passwords shall be responsible for the application and security of commercial passwords of their own organs, units or systems within the scope of their duties.
The password management department, together with relevant departments, will strengthen the collection of commercial password application information, risk assessment, information notification and major event consultation, and strengthen the connection with network security monitoring, early warning and information notification.
Article 38 The operators of key information infrastructures that are required by laws, administrative regulations and relevant national regulations to use commercial passwords for protection shall use commercial passwords for protection, formulate commercial password application schemes, allocate necessary funds and professionals, and plan, construct and operate commercial password security systems synchronously, Self or entrust commercial password detection institutions to carry out security evaluation of commercial password applications.
The key information infrastructure listed in the preceding paragraph can be put into operation only through the security evaluation of commercial password applications. After the operation, the evaluation shall be conducted at least once a year, and the evaluation shall be submitted to the national password management department or the password management department of the province, autonomous region, or municipality directly under the Central Government where the key information infrastructure is located for the record in accordance with the relevant provisions of the State.
Article 39 For the key information infrastructure that is required to be protected with commercial passwords by laws, administrative regulations and relevant national regulations, the commercial password products and services used should be tested and certified as qualified, and the commercial password technologies used, such as password algorithms, password protocols, key management mechanisms, should be reviewed and identified by the national password administration department.
Article 40 If the operators of key information infrastructure purchase network products and services involving commercial passwords, which may affect national security, they shall, in accordance with law, pass the national security review organized by the national network information department in conjunction with the national password administration department and other relevant departments.
Article 41 Network operators shall use commercial passwords to protect network security in accordance with the requirements of the national network security grading protection system. The national password management department determines the requirements for the use, management and application security evaluation of commercial passwords according to the security protection level of the network, and formulates standards and specifications for network security level protection passwords.
Article 42 The security evaluation of commercial password applications, the security detection and evaluation of key information infrastructure, and the evaluation of network security levels should be strengthened to avoid repeated evaluation and evaluation.
Chapter VII Supervision and Management
Article 43 The password management department shall, in accordance with the law, organize the supervision and inspection of commercial password activities, and guide and supervise the work related to commercial passwords of state organs and units involved in commercial password work.
Article 44 The password management department and the relevant departments shall establish a cooperation mechanism for the supervision and management of commercial passwords, and strengthen the coordination and cooperation in the supervision, inspection, guidance and other work of commercial passwords.
Article 45 The password management department and relevant departments may exercise the following functions and powers to carry out the supervision and inspection of commercial passwords according to law:
(1) Enter the commercial password activity site for on-site inspection;
(2) Investigate and understand the relevant information from the legal representative, main responsible person and other relevant personnel of the party concerned;
(3) Look up and copy relevant contracts, bills, account books and other relevant materials.
Article 46 The password management department and relevant departments shall promote the connection between the supervision and management of commercial passwords and the social credit system, and establish mechanisms to promote the credit records of commercial password business entities, credit classification and classification supervision, dishonesty punishment and credit repair according to law.
Article 47 Commercial password detection and authentication institutions, e-government electronic authentication service institutions and their staff members shall assume confidentiality obligations for the state secrets and trade secrets they know in their commercial password activities.
Password management departments, relevant departments and their staff shall not require commercial password research, production, sales, service, import and export and other units as well as commercial password detection and certification institutions to disclose source code and other password related proprietary information to them, and shall strictly keep confidential the business secrets and personal privacy they know in performing their duties, and shall not disclose or illegally provide them to others.
Article 48 The password management department and the relevant departments shall carry out the supervision and management of commercial passwords according to law, and the relevant units and personnel shall cooperate, and no unit or individual shall illegally interfere and obstruct.
Article 49 Any unit or individual shall have the right to report violations of these Regulations to the password management department and relevant departments. When receiving a report, the password management department and the relevant departments shall verify and deal with it in a timely manner and keep it confidential for the informant.
Chapter VIII Legal Liability
Article 50 If anyone, in violation of the provisions of these Regulations, conducts commercial password detection activities to the public without identification, or engages in e-government electronic authentication services without identification, the password management department shall order him to correct or stop his illegal act, give him a warning, and confiscate his illegal products and illegal gains; If the illegal income is more than 300000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 300000 yuan, a fine of 100000 yuan to 300000 yuan may be imposed.
Those who violate the provisions of these Regulations and engage in commercial password authentication without approval shall be punished by the market supervision and administration department together with the password administration department in accordance with the provisions of the preceding paragraph.
Article 51 Where a commercial password testing institution conducts commercial password testing, under any of the following circumstances, the password management department shall order it to correct or stop the illegal act, give a warning, and confiscate its illegal income; If the illegal income is more than 300000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 300000 yuan, a fine of 100000 yuan to 300000 yuan may be imposed; If the circumstances are serious, the qualification of a commercial password detection institution shall be revoked according to law:
(1) Beyond the approved scope;
(2) There are behaviors that affect the independence, impartiality and integrity of the test;
(3) The test data and results issued are false or untrue;
(4) Refusing to submit or failing to submit the implementation information truthfully;
(5) Failure to perform confidentiality obligations;
(6) Other cases of commercial password detection in violation of laws, administrative regulations and technical specifications and rules for commercial password detection.
Article 52 Where a commercial password authentication institution conducts commercial password authentication under any of the following circumstances, the market supervision and administration department together with the password administration department shall order it to correct or stop the illegal act, give a warning and confiscate the illegal income; If the illegal income is more than 300000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 300000 yuan, a fine of 100000 yuan to 300000 yuan may be imposed; If the circumstances are serious, the qualification of the commercial password authentication institution shall be revoked according to law:
(1) Beyond the approved scope;
(2) There are behaviors that affect the independence, impartiality and integrity of certification;
(3) The certification conclusion issued is false or untrue;
(4) Failing to carry out effective tracking investigation on its certified commercial password products, services and management systems;
(5) Failure to perform confidentiality obligations;
(6) Other cases of commercial password authentication in violation of laws, administrative regulations and technical specifications and rules for commercial password authentication.
Article 53 Anyone who, in violation of the provisions of Articles 20 and 21 of these Regulations, sells or provides commercial password products that have not been tested and certified or fail to pass the test and certification, or provides commercial password services that have not been tested and certified or fail to pass the certification, shall be ordered by the market supervision and administration department in conjunction with the password administration department to correct or stop the illegal act and be given a warning, Confiscation of illegal products and illegal income; If the illegal income is more than 100000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 100000 yuan, a fine of 30000 yuan to 100000 yuan may be imposed.
Article 54 If an electronic authentication service institution uses a password in violation of laws, administrative regulations and technical norms and rules for the use of passwords in electronic authentication services, the password management department shall order it to correct or stop the illegal act, give a warning and confiscate its illegal income; If the illegal income is more than 300000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 300000 yuan, a fine of 100000 yuan to 300000 yuan may be imposed; If the circumstances are serious, the documents certifying the use of passwords by electronic authentication services shall be revoked according to law.
Article 55 Where an e-government electronic authentication service institution carries out e-government electronic authentication services in any of the following circumstances, the password management department shall order it to correct or stop the illegal act, give a warning and confiscate the illegal income; If the illegal income is more than 300000 yuan, a fine of not less than one time but not more than three times the illegal income may also be imposed; If there is no illegal income or the illegal income is less than 300000 yuan, a fine of 100000 yuan to 300000 yuan may be imposed; If the circumstances are serious, it shall be ordered to suspend business for rectification, or even revoke the qualification of e-government electronic certification service organization:
(1) Beyond the approved scope;
(2) Refusing to submit or failing to submit the implementation information truthfully;
(3) Failure to perform confidentiality obligations;
(4) Other situations of providing e-government electronic authentication services in violation of laws, administrative regulations and technical specifications and rules of e-government electronic authentication services.
Article 56 Where an electronic signer or an electronic signature relying party suffers losses in government affairs activities based on the electronic signature authentication service provided by the electronic government affairs electronic authentication service agency, and the electronic government affairs electronic authentication service agency cannot prove that it is not at fault, it shall bear the liability for compensation.
Article 57 If the electronic authentication services involved in the electronic signatures, electronic seals, electronic certificates and licenses in the government affairs activities violate the provisions of Article 30 of these Regulations and are not provided by the legally established e-government electronic authentication service institutions, the password management department shall order them to make corrections and give a warning; If the person refuses to correct or has other serious circumstances, the password administration department shall suggest the relevant state organ or unit to punish or deal with the directly responsible person in charge and other directly responsible persons according to law. The relevant state organ or unit shall inform the password management department of the punishment or handling in writing.
Article 58 Those who violate the provisions of these Regulations on import and export commercial passwords shall be punished by the competent commerce department of the State Council or the customs according to law.
Article 59 Anyone who steals the information encrypted and protected by others, illegally intrudes into another's commercial password security system, or uses commercial passwords to engage in illegal activities that endanger national security, social and public interests, or the legitimate rights and interests of others, shall be investigated for legal responsibility by the relevant departments in accordance with the Cyber Security Law of the People's Republic of China and other relevant laws and administrative regulations.
Article 60 If an operator of key information infrastructure violates the provisions of Articles 38 and 39 of these Regulations, fails to use commercial passwords as required, or fails to conduct security evaluation of commercial password applications as required, the password management department shall order it to correct and give a warning; If he refuses to make corrections or has other serious circumstances, he shall be fined not less than 100000 yuan but not more than 1 million yuan, and the person in charge directly responsible shall be fined not less than 10000 yuan but not more than 100000 yuan.
Article 61 If an operator of key information infrastructure violates the provisions of Article 40 of these Regulations by using network products or services involving commercial passwords that have not passed the security review or security review, the relevant competent department shall order it to stop using them and impose a fine of not less than one time but not more than 10 times the purchase amount; The directly responsible person in charge and other directly responsible persons shall be fined not less than 10000 yuan but not more than 100000 yuan.
Article 62 If a network operator, in violation of the provisions of Article 41 of these Regulations, fails to use commercial passwords to protect network security in accordance with the requirements of the national network security classification protection system, the password management department shall order it to make corrections and give it a warning; Those who refuse to correct or cause consequences such as endangering network security shall be fined not less than 10000 yuan but not more than 100000 yuan, and the directly responsible person in charge shall be fined not less than 5000 yuan but not more than 50000 yuan.
Article 63 Those who refuse to accept, cooperate with or interfere with or obstruct the supervision and administration of commercial passwords by the password administration department and relevant departments without justified reasons shall be ordered to correct and given a warning by the password administration department and relevant departments; If it refuses to make corrections or has other serious circumstances, it shall be fined not less than 50000 yuan but not more than 500000 yuan, and the person in charge and other persons directly responsible shall be fined not less than 10000 yuan but not more than 100000 yuan; If the circumstances are especially serious, it shall be ordered to suspend business for rectification, or even revoke its business password license.
Article 64 If a State organ has any of the violations listed in Articles 60, 61, 62 and 63 of these Regulations, the password administration department and the relevant departments shall order it to make corrections and give it a warning; If the person refuses to correct or has other serious circumstances, the password management department and the relevant department shall suggest the relevant state organ to punish or deal with the directly responsible person in charge and other directly responsible persons according to law. The relevant state organ shall inform the password administration department and relevant departments of the punishment or handling in writing.
Article 65 The staff of the password management department and relevant departments who abuse their power, neglect their duties, engage in malpractices for personal gain, or disclose or illegally provide to others the business secrets, personal privacy, and informant information that they learned in the performance of their duties shall be punished according to law.
Article 66 Those who violate the provisions of these Regulations and constitute a crime shall be investigated for criminal responsibility according to law; If it causes damage to others, it shall bear civil liability according to law.
Chapter IX Supplementary Provisions
Article 67 These Regulations shall come into force as of July 1, 2023.
Related links:
Li Qiang Signed the Order of the State Council to Promulgate the Revised Regulations on the Administration of Commercial Passwords
The head of the Ministry of Justice and the State Password Administration answered questions from reporters on the revision of the Regulations on the Administration of Commercial Passwords
Expert Interpretation | Wang Xiaoyun: Implement the Commercial Password Management Regulations and Promote the high-quality development of China's commercial password industry
Expert Interpretation | Zhou Hanhua: A Major Leap in the Legalization of Commercial Password Management -- Comment on the revision of the Commercial Password Management Regulations
Expert interpretation | Yang Jianjun: Standards help the development of commercial password applications
Expert Interpretation | Zhang Zhenfeng: Implement the Regulations on the Administration of Commercial Passwords and Promote the Innovation and Development of Commercial Password Technology
Expert interpretation | Zuo Xiaodong: The revision of the Regulations on the Administration of Commercial Passwords provides a strong legal guarantee for safeguarding national network security
Liu Dongfang, Director of the State Encryption Administration, published a signed article in the People's Daily: Deeply implement the Regulations on the Administration of Commercial Passwords and strive to create a new situation of commercial password work in the new era
Expert Interpretation | Ma Minhu: Implement the overall national security concept and deeply understand the essence of the Commercial Password Management Regulations
Expert Interpretation | Yao Xiaomin: Clarify the boundary of regulatory power and refine the responsibility for illegal activities
Expert interpretation | Niu Luhong: Comprehensively strengthen the construction of detection and authentication capacity to effectively guarantee the application and development of commercial passwords