Starting July 1, 2026, cybersecurity products sold in China will carry a government-issued star rating, the result of a joint regulatory push by three of Beijing’s most powerful agencies. The Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) published the Measures for Administration of China Cybersecurity Labels in April 2026, creating a one-, two-, or three-star certification system that will apply to products used in network protection and data security.
The regime is not a proposal. Hong Kong’s Trade and Industry Department has already issued a trade circular alerting businesses to the same measures and the same deadline, a strong signal that the rule is finalized and that compliance teams across the region are mobilizing.
How the label works
The system, formally introduced through document 2026 No. 4, assigns each evaluated product a star rating reflecting its assessed security level. Three stars represent the highest tier. The label is officially called the “China Cybersecurity Label,” and the governance structure splits responsibilities among the three agencies: CAC leads policy coordination, MIIT handles technical and industrial oversight, and MPS manages enforcement tied to public security.
For companies already navigating China’s cybersecurity product approval process, the label adds a visible, market-facing layer. Previous rounds of regulatory tightening reorganized how specialized security products were tested and approved. The star system builds on that foundation by converting internal compliance into an external signal that procurement officers, government buyers, and enterprise customers can use to compare products at a glance.
What companies know, and what they don’t
The confirmed facts are narrow but solid. Three co-issuing agencies, three star tiers, a July 1 start date, and a scope covering cybersecurity products in network protection and data security are all drawn directly from the CAC notification and independently corroborated by the Hong Kong circular.
Beyond that, significant gaps remain. The exact evaluation criteria for each tier have not been detailed in publicly available English-language materials. Technical benchmarks, such as encryption standards, vulnerability resistance thresholds, or code review requirements, are not broken out in the summary text. Companies seeking certification will need to consult the full Chinese-language measures and watch for implementation guides from MIIT or accredited testing bodies.
Which product categories face mandatory labeling first is also unclear. The measures appear broad, but whether the rollout will be phased, starting with critical infrastructure suppliers before expanding to consumer-facing tools, has not been specified. Enforcement details are similarly thin. MPS is named as a co-issuer, but neither it nor MIIT has released separate statements outlining penalties for non-compliance or describing the inspection process.
For foreign companies, the ambiguity runs deeper. The Hong Kong circular flags the measures for businesses engaged in cross-border commerce, but the notification does not explicitly address how international vendors should apply for certification or whether foreign testing labs will be recognized. That gap will determine whether the label functions as a quality signal or as a de facto market barrier for non-Chinese suppliers.
How the new label interacts with existing Chinese and international standards is another open question. Many cybersecurity products already comply with sector-specific rules or global frameworks. The measures do not clarify whether holding certain certifications will streamline the star-rating process or whether companies will face duplicative audits. Until harmonization rules are published, firms should assume the China Cybersecurity Label is an additional requirement, not a replacement for current schemes.
How it compares to Western labeling efforts
China is not the only major market moving toward cybersecurity product labels. The European Union’s Cyber Resilience Act, which began phasing in requirements in late 2024, mandates that connected products meet baseline security standards before reaching the EU market. The United States launched its voluntary Cyber Trust Mark program in early 2025, giving IoT devices a shield logo if they pass NIST-based security testing.
China’s approach differs in two notable ways. First, it is mandatory and tiered rather than pass/fail or voluntary, meaning the label does not just confirm a product cleared a bar but ranks it against peers. Second, the enforcement architecture spans three agencies with overlapping jurisdiction, giving regulators multiple pressure points to compel compliance. For multinational vendors, the practical result is a growing patchwork of regional certification demands, each with its own testing protocols, timelines, and costs.
What companies should do before July
The first step is straightforward: obtain and review the full Chinese-language text of the measures attached to the CAC notification. Companies with products already certified under earlier cybersecurity product management rules should check whether those certifications map to the new star tiers or require fresh evaluation. Those without any current Chinese certification face a tighter timeline and should begin securing testing appointments and assembling documentation now.
Legal and compliance teams should map product portfolios against the categories referenced in the measures, identifying which offerings are most likely to fall within the initial scope. High-revenue or strategically important products should be prioritized for early assessment. Building relationships with accredited testing organizations and local counsel will be critical, particularly for foreign firms unfamiliar with China’s cybersecurity review ecosystem.
Companies should also prepare for the label to become a procurement prerequisite, especially in government and state-linked sectors. Even if the measures do not immediately mandate labels for all purchases, buyers may adopt internal policies favoring higher-star products. That dynamic could create competitive pressure to secure at least a baseline rating quickly, then pursue higher tiers as technical and documentation gaps are closed.
A new gatekeeping layer for China’s digital market
A government-backed label that condenses complex security assessments into a simple star rating has the potential to reshape how cybersecurity products are marketed and selected across China. Vendors that achieve three-star status will likely use it as a competitive differentiator, while those with lower scores could face pointed questions from customers and regulators about their security posture.
For Beijing, the label is a steering mechanism: a way to push the market toward products that meet state-defined security baselines while giving procurement officials a standardized shorthand for vetting suppliers. For the companies subject to it, the calculus is binary. Those that align early gain a credential that could open doors across China’s vast public and enterprise sectors. Those that delay risk finding themselves locked out of a market that, as of July 1, will have a new and very visible way to sort winners from laggards.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
