January 30, 2023

Volume XIII, Number 30


January 30, 2023

Subscribe to Latest Legal News and Analysis

Chinese Authorities Release Catalog of Network and Cybersecurity Products Subject to Pre-Sale Inspection

On June 9, 2017, the Cyberspace Administration of China (“CAC”), together with three other agencies, released a Catalog of Critical Network Equipment and Network Security Products (First Batch) (“the Catalog,” original Chinese version available here).  It specifies network products that must be certified before they can be marketed in China.

China’s Cybersecurity Law requires certain “critical network equipment and network security products” to go through a certification process before being marketed in China.  This is a separate requirement from the procurement-related cybersecurity review, which mandates a cybersecurity review of network products or services procured by operators of Critical Information Infrastructure, if such procurement potentially affects China’s national security (discussed here).

Also since 1997, “computer information system security products,” which are defined to include “hardware and software designed to protect information system security,” have had to pass a technical review by the Ministry of Public Security (“MPS”) before they can be marketed in China.  The Cybersecurity Law seeks to consolidate the existing review requirements and agencies are required to issue a comprehensive catalog of approved products.  It is uncertain, however, whether the scope of “critical network equipment and network security products” is more expensive than “computer information system security products.”

The Catalog specifies that “critical network equipment and network security products” must be certified or tested by qualified institutions before being sold or provided in China.  Qualified institutions include institutions jointly confirmed by the Certification and Accreditation Administration, the Ministry of Industry and Information Technology, the MPS and the CAC.

The CAC specified that this is the first “batch” of equipment and products to be covered in a such a catalog, so more are expected to be announced in the future.

The Catalog includes:


Categories of Equipment or Products


Critical Network Equipment

1. Router

Throughput of the Whole System (Bi-direction) ≥ 12 Tbps


Routing Table Capacity of the Whole System ≥ 550,000 pieces

2. Switch

Throughput of the Whole System ≥ 30 Tbps


Packet Forwarding Rate of the Whole System ≥ 10 Gpps

3. Server (Rack)

Number of CPUs ≥ 8


Number of Cores of a Single CPU ≥ 14

Memory Capacity ≥ 256 GB

4. Programmable Logic Controller (PLC Equipment)

Controller Instruction Execution Time ≤ 0.08 ms

Network Security Products

5. Data Backup All-in-one Machine

Backup Capacity ≥ 20 TB


Backup Speed ≥ 60 MB/s

Backup Interval ≤ 1 hour

6. Firewall (Hardware)

Throughput of the Whole Machine ≥ 80 Gbps


Maximum Concurrent Connections ≥ 3,000,000

New Connections Per Second ≥ 250,000

7. WEB Application Firewall (WAF)

Application Throughput of the Whole Machine ≥ 6 Gbps


Maximum HTTP Concurrent Connections ≥ 2,000,000

8. Intrusion Detection System (IDS)

Full Detection Rate ≥ 15 Gbps


Maximum Concurrent Connections ≥ 5,000,000

9. Intrusion Prevention System (IPS)

Full Detection Rate ≥ 20 Gbps


Maximum Concurrent Connections ≥ 5,000,000

10. Security Isolation and Information Prevention Product (GAP)

Throughput ≥ 1 Gbps


System Delay ≤ 5 ms

11. Anti-spam Product

Connections Processing Rate (connections/second) > 100


Average Delay Time < 100 ms

12. Network Comprehensive Auditing System

Packet Capture Speed≥5 Gbps


Incidents Recording Capacity ≥ 50,000/s

13. Network Vulnerability Scanning Product

Maximum Concurrent IP Scanning Amount ≥ 60

14. Secure Database System

TPC-E tpsE (Trading Volume Per Second) ≥ 4500

15. Network Recovery Product

Recovery Time ≤ 2 ms


The Longest Path of the Site ≥ 10 levels

© 2023 Covington & Burling LLPNational Law Review, Volume VII, Number 172

About this Author

Yan Lou, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Theodore J. Karch, Covington, intellectual property attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online...