China: Ministry of Public Security issued Regulations on Management of Use of Commercial Encryption in Critical Information Infrastructure (Order No. 5)

On 11 June 2025, the National Cryptography Administration, the Cyberspace Administration of China, and the Ministry of Public Security of the People's Republic of China jointly issued the Regulations on the Management of the Use of Commercial Encryption in Critical Information Infrastructure (Order No. 5). The regulations are scheduled to enter into force on 1 August 2025 and are formulated pursuant to several laws, including the Cryptography Law, Cybersecurity Law, Data Security Law, and Personal Information Protection Law, aim to standardise the use of commercial encryption in critical information infrastructure (CII) and protect its security. They outline the responsibilities of national and local authorities, as well as protection work departments and operators of CII, regarding planning, construction, operation, and supervision of commercial encryption systems. The regulations require CII operators to use tested and certified commercial cryptographic products and services, protect core data, important data, and personal information using commercial encryption, and conduct regular commercial encryption application security assessments during the planning, construction, and operation phases. They also establish reporting obligations for operators and protection departments and specify penalties for non-compliance.