网络安全法律引用标准：现状、问题与建议

摘要：

【目的】网络安全规范体系由法律规范（法律、法规、规章）与技术标准构成，二者通过法律对技术标准的“引用”形成关联，共同发挥规制网络活动、防范网络安全风险的重要作用。本文旨在明确当前我国网络安全法律引用技术标准的现状与问题，提出针对性优化路径，以强化法律与技术标准之间的协同。【方法】采用法律文本分析法，系统梳理网络安全领域不同位阶法律文件（法律、行政法规、部门规章）中引用技术标准的数量、方式、范围等核心要素，归纳总结引用现状。【结果】网络安全法律引用技术标准存在四大突出问题：一是标准总引用率偏低，引用范围集中于少数强制性国家标准，大量推荐性标准、行业标准等未被充分纳入；二是在普遍性引用方式下，部分法律条文所指标准缺失或不配套，导致条文“虚置”；三是直接引用中存在法律与标准更新不同步的情况，既包括注日期引用未跟进标准修订，也包括无日期引用存在标准滞后制定的问题；四是引用标准的表述模糊不准确，未能清晰界定标准的制定主体、属性及范围。【结论】为破解上述问题，应构建分级引用规则，明确标准引用的层级与优先级；完善标准清单目录及公共查询渠道，提升标准可获得性；优先采用不注日期的直接引用方式，实现法律与标准的动态适配；统一引用表述规范，明确所引标准的类型与范围，从而提升网络安全法律引用标准的科学性、规范性与可操作性，完善网络安全治理体系。

Abstract:

[Objective] The cybersecurity regulatory framework comprises legal norms (laws, administrative regulations, and departmental rules) and technical standards. These two components establish connections through the“reference”of technical standards by laws, jointly undertaking the important responsibility of regulating network activities and preventing cybersecurity risks. This paper aims to clarify the current status and existing issues of technical standard references in China’s cybersecurity laws, and propose targeted optimization paths to enhance the synergy between laws and technical standards. [Methods] Adopting the legal text analysis method, this paper systematically sorts out core elements such as the quantity, methods, and scope of technical standards cited in legal documents of different hierarchical levels (laws, administrative regulations, and departmental rules) in the field of cybersecurity, and summarizes the current situation of citations. [Results] The research identifies four prominent problems in the citation of technical standards by cybersecurity laws: firstly, the overall citation rate of standards is low, with the citation scope concentrated on a small number of mandatory national standards,while a large number of voluntary standards, industry standards, and other types of standards are not fully incorporated; secondly, under the general citation method, the standards referred to in some legal provisions are missing or incompatible, rendering the provisions“in a state of inaction”; thirdly, there is an asynchrony between laws and standards indirect citations, including dated citations failing to keep up with standard revisions and undated citations facing the problem of delayed standard development; fourthly, the expression of cited standards is vague and inaccurate, failing to clearly define the development entities, attributes, and scope of the standards. [Conclusion] To address the above issues, it is necessary to construct hierarchical referencing rules to clarify the hierarchy and priorities of standard citations; improve standard catalogs and public inquiry channels to enhance standard accessibility; prioritize the use of undated direct referencing methods to achieve dynamic adaptation between laws and standards; unify the norms for citation expressions to clarify the type and scope of cited standards. In this way, the scientificity, standardization, and operability of technical standard references in cybersecurity laws can be improved, and the cybersecurity governance system can be refined.

引用格式：郗蕊，柳经纬. 网络安全法律引用标准：现状、问题与建议[J]. 标准化学报，2026(5): 16-24.

基金项目：本文受国家社会科学基金重大项目“基于法治、国家治理和全球治理的技术法规研究”（项目编号：21&ZD192）资助。

作者简介：郗蕊，博士，讲师，研究方向为行政法、标准化法治、技术法规、网络安全法。柳经纬，通信作者，教授，博士生导师，研究方向为民商法、标准化法治、技术法规。