Three Chinese government bodies, including the Cyberspace Administration of China, have jointly released the "Cybersecurity Labeling Management Measures." According to the new rules, if a product manufacturer is found to have forged or misused cybersecurity labels, or used them for false advertising, the filing authority must revoke the product's cybersecurity label filing. The manufacturer's violation will be publicly announced, and no new product filings from that manufacturer will be accepted for one year from the date of the announcement.
The cybersecurity labels will indicate three levels of cybersecurity capability, from lowest to highest: Basic, Enhanced, and Leading. These levels are represented by one, two, and three stars, respectively. The Basic level requires products to meet fundamental national security standards, such as avoiding weak or default passwords, establishing a vulnerability management mechanism for dynamic patching, and maintaining software updates. The Enhanced level demands that a product's cybersecurity capabilities reach an advanced level among similar products. The Leading level requires top-tier cybersecurity capabilities and mandates that the product pass penetration testing to demonstrate its ability to withstand high-level cyber attacks. Specific security requirements for each product category will be detailed in implementation rules, which are to align with current national and international standards and incorporate relevant international experience.
The official notice, numbered 4 of 2026, was distributed to provincial cyberspace administrations, communications regulators, public security departments, and other relevant state organs. The measures are scheduled to take effect on July 1, 2026.
Comments