In August 2020 the State Cryptography Administration released the Regulations for the Administration of Commercial Cryptography (Draft for Comment). The draft regulations provide that the import of commercial cryptography products on the Commercial Encryption Import Licence List and the export of commercial cryptography products on the Commercial Encryption Export Control List should be subject to the import and export licence for dual-use items issued by the State Council.
In August 2020 the Ministry of Commerce issued the Master Plan for Comprehensively Deepening the Pilot Programme on the Innovative Development of Trade in Services. The plan covers 28 provinces and municipalities directly under the central government, including Beijing, Tianjin and Shanghai. The pilot programme, which concerns cross-border data transfer security management, will run for three years.
In 2020 the Ministry of Industry and Information Technology issued the Guidelines on the Construction of a Data Security Standards System in the Telecoms and Internet Industries for public comment. According to the draft guidelines, the data security standards system for telecoms and internet industries comprises four categories: basic and general standards, critical technology standards, security management standards and critical field standards.
In August 2020 the National Information Security Standardisation Technical Committee issued the Information Security Technology – Method for Evaluating the Security Protection Capabilities of Critical Information Infrastructure (Draft for Comment) for public comment. According to the draft method, the evaluation of the security protection capabilities of critical information infrastructure will focus on capability domain level, graded protection and cryptography.
In August 2020 the National Information Security Standardisation Technical Committee released the Information Security Technology – Method of Boundary Identification for Critical Information Infrastructure (Draft for Comment) for public opinion. The draft provides six factors that should be considered when identifying the boundaries of critical information infrastructure: critical business, network facilities, information systems, critical business information, critical business information flows and basic operation environments.