Encryption Law of the People’s Republic of China (Opinion-seeking Draft)


This translation was created jointly with Paul Triolo and John Costello

Table of contents

Chapter I: General principles

Chapter II: The use of encryption

Chapter III: Encryption security

Chapter IV: Stimulating the development of encryption

Chapter V: Supervision and management

Chapter VI: Legal liability

Chapter VII: Supplementary provisions

Chapter I: General principles

Article 1: In order to standardize the use and management of encryption, guarantee network and information security, protect the lawful rights and interests of citizens, legal persons and other organizations, and to safeguard national security and interests, this Law is formulated.

Article 2: This Law applies to activities including scientific research concerning the production, operation, import and export, monitoring, authentication, use, supervision and management of encryption.

Article 3: Encryption as mentioned in this Law, refers to materials and technologies using particular conversion algorithms and other such information to conduct encryption protection and security authentication.

Article 4: Encryption work shall adhere to the basic principles of unified leadership, hierarchical responsibilities, innovative development, service to the bigger picture, management according to the law, and guaranteeing security.

Article 5: It is necessary to guarantee the leadership of the Chinese Communist Party over encryption work. Central leadership bodies for encryption work exercise uniform leadership over encryption work nationwide, are responsible for formulating national major encryption principles and policies, comprehensively coordinating major affairs and important work in national encryption, and advancing the construction of rule of law in national encryption.

Provincial, autonomous region and municipal-level encryption work leading groups, as well as those in relevant Central and state bodies, exercise leadership over encryption work within their localities or departments (systems).

Article 6: State encryption management departments are in charge of encryption work nationwide.

County-level or higher local encryption management departments at all levels, are in charge of encryption work within their administrative areas.

Encryption management departments within relevant Central and state bodies are responsible for encryption work within their departments (systems) within the scope of their powers.

Article 7: The State divides encryption into core encryption, common encryption and commercial encryption, and carries out categorized management.

Article 8: County-level or higher People’s Governments shall include encryption work in economic and social development plans for that level; required funds will be listed in the budget of that level.

 

Chapter II: The use of encryption

Article 9: The State vigorously standardizes and stimulates the application of encryption, increases the extent to which encryption is used to ensure network and information security, and protects the rights of citizens, legal persons and other organizations to use encryption lawfully.

Article 10: Core encryption and common encryption may be used to protect information related to national secrets. Commercial encryption is to be used to protect information not within the scope of national secrets.

Article 11: State encryption management departments shall implement permissions for commercial encryption products that are sold or used in business activities, as well as for the provision of commercial encryption services. Commercial encryption product and service management catalogues will be formulated and published by the State encryption management departments.

Article 12: Critical information infrastructure shall be protected by the use of encryption according to the provisions of laws and regulations as well as the mandatory requirements of encryption-related national standards; encryption protection systems should be planned, constructed and operated in a synchronous manner.

Article 13: State encryption management departments are responsible for managing the use of electronic signatures and data texts in government affairs, and will accredit bodies using encryption technology to engage in e-government electronic authentication services.

 

Article 14: Commercial encryption service bodies and e-government electronic authentication service bodies launching encryption-related services, shall respect the provisions of laws and regulations as well as the mandatory provisions of encryption-related national standards.

Chapter III: Encryption security

Article 15: The State will strengthen the construction of encryption security structures, perfect encryption security management regulations, and strengthen encryption security protection capabilities.

Article 16: The State implements management and control over encryption import and export. The export of core encryption and common encryption is prohibited. State Council commercial management departments and the State encryption management departments will implement permits for the import and export of commercial encryption. Commercial encryption import and export management and control lists are formulated and published by State Council responsible departments in conjunction with State encryption management departments and the General Administration of Customs.

Article 17: The State promotes the construction of encryption monitoring and authentication systems, and formulates encryption monitoring and authentication norms. Encryption monitoring and authentication bodies shall obtain relevant qualifications according to the law, and conduct encryption monitoring and authentication according to the provisions of laws and regulations as well as encryption monitoring and authentication norms.

Article 18: The State conducts categorized and hierarchical evaluation of the security of encryption used in critical information infrastructure, and conducts security reviews of encryption products, encryption-related services and encryption protection systems that influence or may influence national security, according to requirements of the national security review.

Article 19: Encryption management departments and relevant departments will establish encryption security monitoring and warning, information communication, major incident coordination and emergency response handling mechanisms, to ensure that encryption security management is coordinated, comprehensive, orderly and effective.

Article 20: People’s procuratorates, public security bodies and State security bodies may require telecommunications operators and Internet service providers to provide technological decryption support when necessary for national security or the prosecution of criminal cases. Telecommunication operators and Internet service providers shall cooperate, and maintain the secrecy of relevant circumstances.

 

Article 21: No organization or individual may illegally attack the encrypted information or encryption protection system of another person, or use encryption to engage in activities endangering national security or the social and public interest, or engage in other unlawful or criminal activities.

Chapter IV: Stimulating the development of encryption

Article 22: The State supports scientific and technological encryption research, promotes the development of the encryption industry, encourages academic encryption research and exchange, protects encryption intellectual property rights according to the law, and stimulates the progress and innovation of encryption science and technology.

Article 23: The State establishes and perfects encryption standard systems. State Council administrative standardization management departments and State encryption management departments will, on the basis of their respective duties, organize the formulation of national encryption standards and sectoral standards. Where other standards involve encryption, coordination and unity will be maintained with national encryption standards and sectoral standards.

The State supports enterprises, social organizations and scientific research bodies to participate in the formulation of national encryption standards and sectoral standards, and encourages their participation in international standardization activities.

Article 24: The State establishes award systems for encryption science and technology, to grant awards to organizations and individuals who make prominent contributions to the progress of encryption science and technology.

 

Article 25: The State strengthens the construction of encryption talent teams, and stresses the training, recruitment and management of specialist encryption talent and particular talent.

Article 26: The State adopts many kinds of methods to strengthen encryption propaganda and education, will enter encryption education into compulsory education systems and civil servant education and training systems, and encourages and supports social organizations and the public to launch and participate in the dissemination and popularization of encryption knowledge.

 

Chapter V: Supervision and management

Article 27: Encryption management departments shall organize and conduct encryption use and encryption security supervision, inspection and law enforcement according to the law, uniformly organize and conduct encryption leak case investigations, and conduct guidance and supervision of encryption work in relevant State bodies and work units.

When encryption management bodies carry out supervision and management duties according to the law, relevant organizations and individuals shall cooperate.

Article 28: Encryption management bodies and relevant departments will establish encryption supervision and law enforcement coordination mechanisms, to conduct encryption supervision, inspection and law enforcement work in a coordinated manner.

Article 29: When encryption management departments carry out supervision and management duties according to the law, they may exercise the following powers:

(1) enter into encryption production, business, import and export, monitoring, authentication and usage venues to conduct on-the-spot investigations;

(2) investigate the main responsible persons and other relevant personnel in encryption production, business, import and export, monitoring, authentication and usage work units, to understand the relevant circumstances;

(3) consult and duplicate relevant contracts, notes, ledgers as well as other relevant materials;

(4) seal up and detain products used in unlawful encryption production, business, import and export, monitoring, authentication and use, as well as equipment and facilities used in unlawful encryption production, business, import and export, monitoring and authentication;

(5) seal up the venue of illegally conducted encryption publication, business, import and export, monitoring, authentication and use activities.

Encryption management departments shall, after adopting sealing or detention measures, timely investigate the facts and make a processing decision within the stipulated time limits according to the law.

 

Article 30: Where it is necessary to authenticate specific matters concerning encryption during encryption monitoring and investigation or law enforcement, authentication will be entrusted to qualified encryption monitoring bodies.

Chapter VI: Legal liability

 

Article 31: Where cases of encryption leaks occur in violation of this Law or relevant laws and regulations, the relevant State bodies and work units will impose punishment on or deal with directly responsible management personnel and other directly responsible personnel according to the law.

Article 32: Where encryption is used in violation of Article 10 and Article 12 of this Law, State encryption management departments will order rectification or cessation of the unlawful activity, and issue a warning; where circumstances are grave, the relevant State body or work unit will impose punishment on or deal with directly responsible management personnel or other directly responsible personnel according to the law.

Article 33: Those trading in commercial encryption products or engaging in commercial encryption services or e-government electronic authentication services without a permit or accreditation, in violation of Article 11 and Article 13 of this Law, will be ordered to rectify or cease the unlawful activity by the encryption management department or administrative industry and commerce management department and issued with a warning; unlawful products and unlawful income will be confiscated, and a fine may additionally be imposed.

Article 34: Where commercial services bodies or e-government electronic authentication bodies launch encryption-related services in violation of Article 14 of this Law, the encryption management department will order rectification or cessation of the unlawful activity, issue a warning, confiscate unlawful income, and may impose an additional fine; where circumstances are grave, relevant qualifications will be cancelled by the State encryption management department.

 

Article 35: Those importing or exporting encryption in violation of Article 16 of this Law, will be subject to punishment by the State Council commercial management departments or customs departments.

Article 36: Where encryption monitoring, encryption management bodies, or authentication bodies launch encryption monitoring or authentication in violation of Article 17 of this Law, encryption management departments or authentication accreditation, supervision and management bodies will order rectification or cessation of the unlawful activity, issue a warning, confiscate unlawful income, and may impose an additional fine; where circumstances are grave, corresponding qualifications will be cancelled.

 

Article 37: Where telecommunications business operators or Internet service providers do not provide technological decryption support or divulge corresponding circumstances in violation of Article 20 of this Law, the department in charge will impose a fine on the work unit in question as well as its directly responsible management personnel and other directly responsible personnel; the public security bodies or national security bodies may also detain the directly responsible management personnel and other directly responsible personnel for five days to fifteen days.

Article 38: Those illegally attacking another person’s encrypted information or encryption protection systems, using encryption to engage in activities endangering national security or the social public interest, or engaging in other unlawful and criminal activities in violation of this Law or relevant laws and regulations, will bear liability according to the law. When necessary, the People’s procuratorates, public security bodies, national security bodies, secrecy protection, encryption and other such relevant departments may adopt measures according to the law to prevent the occurrence of unlawful or criminal activities or prevent the expansion of the harm.

Article 39: Where personnel of State bodies abuse their power, neglect their duties or engage in irregular favoritism in encryption work, they will be subject to punishment according to the law.

Article 40: Where violations of this Law constitute a crime, criminal liability will be borne according to the law.

Chapter VII: Supplementary provisions

 

Article 41: The State encryption management department formulates encryption rules according to the provisions of laws and administrative regulations.

Article 42: The Central Military Commission formulates encryption regulations for the Chinese People’s Liberation Army on the basis of this Law.

 

Article 43: This Law takes effect on (day, month, year).

Explanation of the draft law for comments

  1. The Necessity of Legislation and the Drafting Process of the Preliminary Draft for Soliciting Opinions

Network and information security is an important component of national security. Encryption is a core technology and basic support for ensuring cyber and information security. Encryption is directly related to national political security, economic security, national defence security and information security. It is directly related to the vital interests of citizens, legal persons and other organizations. The party and the state have historically attached great importance to encryption and have always considered it a basic task in safeguarding national security and its fundamental interests. It is absolutely necessary to formulate a comprehensive and basic law in the field of cryptography in order to adapt to the new situation our national security faces and the challenges brought by the widespread application of encryption.

The party and the state attach great importance to encryption legislative work. The State Council Legislative Work Plan identified encryption law as an urgently needed item in comprehensively deepening reform. In accordance with the national encryption legislation work arrangement, in December 2014, the National Encryption Management Bureau established the drafting small group to commence encryption legislation drafting work. With the strong support and help of relevant departments, the drafting small group conducted in-depth research into new trends and tasks that the development of encryption efforts face in the new situation, earnestly summarized good experiences and good practices formed during China’s encryption work, actively consulted and learned from foreign practices, conducted extensive in-depth research, systematically catalogued outstanding problems encountered in the development of Chinese encryption efforts, and earnestly researched countermeasures. On this basis, the drafting small group successively proposed the basic thoughts, institutional framework, and preliminary draft for encryption legislation. After formation of the preliminary draft, many organizations organized seminars and demonstrations, conducted in-depth study and argumentation, and repeatedly revised and improved the text, resulting in the formation of the preliminary draft for soliciting opinions in October 2016. After soliciting the opinion of the relevant departments of the central authorities and state organs, as well as experts and scholars, the preliminary draft for soliciting opinions has been further revised and perfected.

  2. The Guiding Ideology and Main Principles of the Legislation

The guiding ideology of this law is to adhere to Deng Xiaoping theory, the important thinking of the ‘Three Represents’, and the scientific development concept as guides; to thoroughly carry out the spirit of the important speeches of General Secretary Xi Jinping and the overall national security concept; to take “party-managed encryption” as a fundamental principle, innovation and development as the basic path, and serving the overall situation as the fundamental goal; and to build an encryption legal system that is compatible with the national governance system and governance modernization, so that the high-quality and effective use of encryption and secure, reliable encryption management are provided the solid protection of the rule of law. In the drafting of the draft, we focus on the following five principles:

First, adhere to the fundamental principle of “Party-managed encryption” and fully carry out the spirit of central authorities. Comprehensively carry out the spirit of the important speeches of General Secretary Xi Jinping and new ideas, thoughts, and strategies in national governance, adhere to the party’s absolute leadership in encryption work, ensure the party’s position becomes national will through legal procedures, remain grounded in China’s national conditions, and follow the development path of “encryption with Chinese characteristics.”

Second, adhere to management according to the law, comprehensively promote the construction of encryption rule of law. Seriously carry out the decisions and arrangements of the Central Committee, comprehensively promote the construction of encryption rule of law, improve the system of encryption laws and regulations, earnestly strengthen management according to law, better leverage the leading and protective role the rule of law plays in encryption work, and constantly raise the level of scientific rigor, standardization and institutionalization of encryption work.

Third, adhere to the overall national security concept, earnestly protect national cyber and information security. Standardize and promote the application of encryption, give full play to the role encryption plays in cyberspace identification, security isolation, information encryption, integrity protection and non-repudiation, along with other important roles; strengthen encryption supervision, prevent and combat encryption criminal and illegal activities, and effectively safeguard national security and its fundamental interests.

Fourth, adhere to the construction of a good environment, promote the scientific development of encryption efforts. Regulate the order of the encryption market, encourage progress and innovation in cryptographic science and technology, protect the intellectual property rights of encryption, appropriately adjust and deal with all kinds of social benefit relationships, fully mobilize enthusiasm in all quarters, and provide the solid protection of the rule of law for the proper and rapid development of encryption efforts.

Fifth, adhere to a problem-oriented approach, focus on solving the outstanding problems facing encryption work.

According to the new features of the new situation of encryption work, adhere to the combination of inheritance and innovation, adhere to both security and development, make clear the basic principles of encryption work, and focus on solving the problems common to all areas of encryption work and the problems where gaps in the law urgently need to be filled. At the same time, set aside space for the future development of relevant laws and regulations, and set up a good interface.

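  3. Main Content of the Draft for Soliciting Opinions

The draft for soliciting opinions consists of seven chapters and forty-three articles.

(1) On the legislative purpose of this Law and the definition of encryption

Encryption legislation is closely bound up with national security and interests, as well as with the lawful rights and interests of citizens, legal persons and other organizations. For this reason, the draft provides: in order to standardize the use and management of encryption, guarantee network and information security, protect the lawful rights and interests of citizens, legal persons and other organizations, and safeguard national security and interests, this Law is formulated (Article 1).

Considering the specialized nature of encryption, the draft provides a definition of encryption: encryption as mentioned in this Law refers to materials and technologies that use particular conversions to conduct encryption protection or security authentication of data and other such information (Article 3).

(2) On the basic principles of encryption work and its leadership and management structure

Upholding the Party’s leadership over encryption work is a basic principle that encryption work must adhere to unwaveringly. For this reason, the draft provides: encryption work shall adhere to the basic principles of unified leadership, hierarchical responsibilities, innovative development, service to the bigger picture, management according to the law, and guaranteeing security. The leadership of the Chinese Communist Party over encryption work is to be upheld (Articles 4 and 5).

At the same time, the draft makes specific provisions on the leadership and management structure of encryption work: central leadership bodies for encryption work exercise uniform leadership over encryption work nationwide, and provincial- and ministerial-level leadership bodies for encryption work lead encryption work within their localities or departments (systems) (Article 5). State encryption management departments are in charge of encryption work nationwide; county-level or higher local encryption management departments at all levels are in charge of encryption work within their administrative areas; and the bodies responsible for encryption management within relevant Central and state bodies are responsible for encryption work within their departments (systems) within the scope of their duties (Article 6).

(3) On the categorized management of encryption

On the basis of the State’s principle of categorized management of encryption, the draft provides: the State divides encryption into core encryption, common encryption and commercial encryption, and carries out categorized management (Article 7). It also sets out requirements for categorized protection: core encryption and common encryption may be used to protect information related to national secrets, and commercial encryption is to be used to protect information not within the scope of national secrets (Article 10).

(4) On the use of encryption

In accordance with the principles and policy measures for the use of encryption determined by the Centre, Chapter II of the draft provides the main systems and requirements for the use of encryption. First, it stresses that the State vigorously standardizes and stimulates the application of encryption (Article 9); second, it provides for a management system for commercial encryption products and services (Articles 11 and 14); third, it provides requirements for the use of encryption in critical information infrastructure (Article 12); fourth, it provides for a management system for e-government electronic authentication services (Articles 13 and 14).

(5) On encryption security

Ensuring security is the basic precondition for the development of encryption efforts. Chapter III of the draft provides the relevant requirements and institutional measures for encryption security. First, it stresses that the State will strengthen the construction of encryption security structures (Article 15); second, it provides for a system of control over encryption import and export (Article 16); third, it provides for a management system for encryption monitoring and authentication (Article 17); fourth, it provides for a system for evaluating the security of encryption use and a system for encryption security review (Article 18); fifth, it establishes a mechanism for coordinated action on encryption security (Article 19); sixth, it provides for the obligation of telecommunications operators and Internet service providers to provide technological decryption support (Article 20); seventh, it provides that no organization or individual may illegally attack the encrypted information or encryption protection system of another person, or use encryption to engage in unlawful or criminal activities (Article 21).

(6) On stimulating the development of encryption

Chapter IV of the draft provides the systems and supporting measures for stimulating the development of encryption. First, it sets out the relevant institutional measures for stimulating the progress and innovation of encryption science and technology, in terms of supporting scientific and technological research, promoting the development of the industry, encouraging academic research and exchange, and protecting intellectual property rights according to the law (Article 22); second, it provides for an encryption standardization system (Article 23); third, it provides for an award system for encryption science and technology (Article 24); fourth, it sets out supporting measures for stimulating the development of encryption in terms of talent teams and propaganda and education (Articles 25 and 26).

(7) On supervision and management

Well-regulated and forceful supervision, inspection and law enforcement are the guarantee that the encryption legal system can be implemented smoothly. Chapter V of the draft provides the systems and requirements for encryption supervision and management. First, it makes clear that encryption management departments are responsible for supervision, inspection and law enforcement concerning encryption use and encryption security, as well as for the investigation of encryption leak cases (Article 27); second, it provides for a coordination mechanism for encryption supervision and law enforcement (Article 28); third, it provides for encryption supervision and management powers (Article 29); fourth, it provides for an encryption authentication system (Article 30).

In addition, the draft also sets out the legal liability to be borne for violations of this Law, as well as the rule-making power of the State encryption management department and the relevant provisions on military encryption legislation.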
