China Cybersecurity Label Explained: Why ‘Optional’ Doesn’t Mean Irrelevant

Written by Qian Zhou

The China Cybersecurity Label may be voluntary, but its influence is expected to extend beyond compliance. In a market where security credentials shape trust, the label is emerging as a competitive signal. For foreign IoT brands, understanding it now will grant a strategic advantage.


China’s new voluntary cybersecurity labelling regime for internet-connected products launches on July 1, 2026. For foreign companies selling smart devices, routers, cameras, or any IoT product in China, the label is not just a logo. Rather, it signals whether your product meets Beijing’s security baseline, and increasingly, whether it gets chosen at all.

Think about the last time a procurement manager, a platform buyer, or a government-linked enterprise in China had two broadly equivalent products in front of them. One carried a government-recognized cybersecurity rating. The other did not. The choice, in China’s increasingly security-conscious market, is becoming obvious.

That is the practical context behind the Cybersecurity Labelling Management Measures jointly issued on April 10, 2026 by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS), effective July 1, 2026. The scheme’s official English name for the label itself, as specified in the Measures, is China Cybersecurity Label.

Participation is voluntary. But in China, voluntary rarely means irrelevant. As procurement criteria, consumer awareness campaigns, and platform listing requirements evolve, the China Cybersecurity Label has the makings of a de facto market-access expectation for connected products. Foreign businesses that understand the framework now will be better positioned than those who wait to be asked.

What the China Cybersecurity Label is

The China Cybersecurity Label is an information label that reflects the cybersecurity capability of a product, such as the ability to resist attacks, intrusions, interference, and destruction, and to maintain data integrity, confidentiality, and availability.

The scheme applies to products with internet connectivity. Exact product categories in scope are managed through a Product Catalogue, released in batches. Companies should monitor these catalogue releases, as new categories can expand the scheme’s reach with relatively short notice.

Products Excluded from the China Cybersecurity Label

Critical network equipment and dedicated cybersecurity products regulated under a separate 2023 joint announcement (by CAC, MIIT, MPS, the Ministry of Finance, and the Certification and Accreditation Administration) are explicitly excluded from the China Cybersecurity Label and will not appear in the Product Catalogue. Companies in those segments continue under the existing regime.

Each label must display:

  • Manufacturer name
  • Product model and specification
  • Cybersecurity capability level
  • Label validity period
  • Testing laboratory name
  • Reference national standard or technical document
  • QR registration code

Scanning the code links to the test report, key indicators, and the manufacturer’s conformity declaration on CESI’s platform.

Figure: China Cybersecurity Label (sample)

Note: The specific design for each product category’s label will be defined in its corresponding implementation rules and may be adjusted as needed based on the product’s actual form.

The three-tier star rating explained

The China Cybersecurity Label uses a three-tier star rating to signal increasing levels of cybersecurity capability. Understanding what each tier requires and what testing it entails is essential for any company considering registration.

| Level | Grade | Security Requirements | Testing |
|---|---|---|---|
| ★ | Basic | No weak/default passwords; active vulnerability patching; software update capability. Meets minimum national standard requirements. | Self-owned lab or any accredited third-party lab |
| ★★ | Enhanced | Security capability reaches an advanced level among comparable products on the market. | Self-owned lab or any accredited third-party lab |
| ★★★ | Leading | Top-tier security plus mandatory penetration testing to verify resilience against advanced cyberattacks. | Qualified third-party lab required for penetration test |

Each product category’s specific security requirements are set out in category-level implementation rules, referencing current GB national standards and aligned with international standards.

Note on Three-Star Testing

The penetration testing requirement for three-star products verifies resilience against advanced cyberattacks. Not all accredited labs are qualified for China Cybersecurity Label penetration testing. Foreign manufacturers targeting three-star status should confirm lab qualification before commencing testing.

Who manages the scheme

Three agencies share oversight:

  • CAC as lead regulator;
  • MIIT for connected device policy; and
  • MPS for enforcement and public security dimensions.

Day-to-day administration, such as receiving registrations, formal reviews, and publishing records, is delegated to the China Electronics Standardization Institute (CESI), designated in the Measures as the registration body. Local authorities, including provincial cyberspace offices, communications bureaus, and public security organs, are responsible for regional supervision and referring violations.

How to register: Step-by-step guide for foreign manufacturers

Foreign manufacturers may register directly. But if your company has no registered entity in China, you can submit registration materials through a Chinese agent (distributor, importer, or professional service firm). The agent must provide the manufacturer’s power of attorney as part of the registration package. The manufacturer remains responsible for the accuracy of all submitted materials.

All registration is handled online through CESI’s platform. There is no paper-based submission option.

| Step | Action | Detail |
|---|---|---|
| 1 | Check product scope | Confirm your product category appears in the published Product Catalogue. Categories are released in batches. You are advised to monitor updates from CAC, MIIT, and MPS. |
| 2 | Choose the target level | Assess which star level fits your product’s existing security posture. One Star establishes baseline credibility; Three Star maximizes market differentiation but requires penetration testing. |
| 3 | Conduct security testing | Engage a qualified testing lab. Three-star applicants must additionally commission penetration testing from a specifically qualified third-party lab. |
| 4 | Prepare registration documents | Compile the China Cybersecurity Label registration form, test report, proposed label design (per the template), conformity declaration, business license, lab accreditation certificate, and a power of attorney if using an agent. |
| 5 | Submit online registration | File all materials electronically through the CESI registration management platform. Paper submissions are not accepted. |
| 6 | Await formal review | CESI has 10 working days from receipt of complete documents to complete its formal review and publish the registration record. |
| 7 | Print and display the label | Once registration is confirmed, manufacture and display the label per your product category’s implementation rules. The label must include the QR code linking to the test report and conformity declaration. |

After registration: Ongoing obligations

Label validity and re-registration

Each product category’s Implementation Rules specify the label’s validity period. If a registered product undergoes changes to key technical parameters that could affect its cybersecurity capability, the manufacturer must re-register before continuing to use the label. Expired labels must also be re-registered.

Ongoing monitoring

CESI maintains a public registration database. CAC, MIIT, and MPS, along with their local counterparts, conduct supervision and inspection of China Cybersecurity Label registration and use. Any organization or individual can report suspected violations; authorities are required to investigate and maintain confidentiality.

Vulnerability disclosure

If security vulnerabilities in a registered product are discovered during testing or otherwise identified, the manufacturer must handle disclosure and remediation under the Regulations on Network Product Security Vulnerability Management. This reinforces an existing obligation under Chinese cybersecurity law.

Enforcement: Consequences of misuse

Although participation is voluntary, once a manufacturer registers and uses the label, the enforcement framework applies in full. Consequences are significant and public.

| Violation | Consequences |
|---|---|
| Falsifying or impersonating the China Cybersecurity Label | Registration cancelled; public announcement; 1-year re-application bar; potential Cybersecurity Law sanctions |
| False advertising using the China Cybersecurity Label | Same as above |
| Fabricating test results or submitting fraudulent test reports | Registration cancelled; public announcement; lab barred from having results accepted for 1 year; Cybersecurity Law sanctions |
| Inaccurate registration materials | Registration cancelled and publicly announced |
| Label does not match the actual security capability | Registration cancelled and publicly announced |
| Failure to re-register after key technical changes | Registration cancelled and publicly announced |

Violations are also reported to the National Credit Information Sharing Platform, which can affect a company’s broader business activities in China. Foreign companies should note that Chinese agents or distributors who submit materials on their behalf can also face consequences if the submitted information is inaccurate.

Strategic implications for foreign investors

Voluntary today, but maybe not tomorrow

China has a track record of introducing voluntary compliance frameworks that gradually acquire the force of commercial necessity. Energy efficiency labelling and green product certification followed this pattern. Market incentives, procurement preferences, and platform rules effectively made “voluntary” participation a misleading characterization within a few years. Companies selling connected products into China should plan on the assumption that China Cybersecurity Label registration will be expected by major buyers within two to three years.

Alignment with global cybersecurity frameworks

The Measures explicitly require China Cybersecurity Label implementation rules to align with national and international standards and to draw on comparable schemes elsewhere. This is an important signal for foreign manufacturers: products already certified under the EU Cyber Resilience Act (CRA), the US FCC Cyber Trust Mark, Singapore’s Cybersecurity Labelling Scheme, or Japan’s equivalent may find their existing documentation substantially reusable. Conduct a gap analysis against the relevant GB standard before assuming direct transferability.

Supply chain and OEM considerations

For foreign businesses sourcing products from Chinese OEM manufacturers for sale in China, the question of who bears the China Cybersecurity Label registration responsibility requires contractual clarity. The Measures place responsibility on the “product producer”. Where a foreign brand sources from a Chinese OEM but retains branding and market responsibility, registration obligations and enforcement consequences may effectively flow to the foreign brand. Legal review of OEM agreements in light of the China Cybersecurity Label framework is advisable.

Act now on timing

The Measures take effect July 1, 2026. The first Product Catalogue entries will determine which categories face registration decisions earliest. Companies with connected products in the China market should begin monitoring the CAC, MIIT, and CESI websites for catalogue releases now, rather than waiting until a category directly affecting their products is published.

The China Cybersecurity Label is the clearest signal that China intends to make cybersecurity a product-level, consumer-visible quality differentiator, rather than just an invisible compliance checkbox. Foreign manufacturers that treat it as an inconvenience will be disadvantaged. Those who treat it as a product quality signal and market differentiation opportunity will be better placed. Businesses should review the Measures in full, monitor the Product Catalogue for their categories, and consult qualified China legal and technical advisors before registration.


About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
