China: Ministry of Public Security's Regulations on Management of Use of Commercial Encryption in Critical Information Infrastructure (Order No. 5) enter into force

On 1 August 2025, the Regulations on the Management of the Use of Commercial Encryption in Critical Information Infrastructure (Order No. 5) enter into force. Jointly issued by the National Cryptography Administration, the Cyberspace Administration of China, and the Ministry of Public Security on 11 June 2025, the regulations establish a framework to standardise and oversee the application of commercial encryption within Critical Information Infrastructure (CII). The regulations outline the responsibilities of national and local authorities, as well as protection work departments and operators of CII, regarding planning, construction, operation, and supervision of commercial encryption systems. The regulations require CII operators to use tested and certified commercial cryptographic products and services, protect core data, important data, and personal information using commercial encryption, and conduct regular commercial encryption application security assessments during the planning, construction, and operation phases. They also establish reporting obligations for operators and protection departments and specify penalties for non-compliance.