Point of View: Multiple-level Protection Scheme

Multiple level Protection Scheme
Point of View: Multiple-level Protection Scheme

In part one of our Point of View series Interpretations of the updates to China’s Cybersecurity Law, we highlighted the updated legal requirements that impact organizations looking to do business in mainland China. One of these is the Multi-Level Protection Scheme (MLPS), an administrative requirement found in Article 21 of the Cybersecurity Law. Initially introduced in 1994, an updated MLPS 2.0 was issued in 2019, requiring network operators to ensure their networks are protected against interference, damage, or unauthorized access.

To support the implementation of MLPS 2.0, the National Standardization Management Committee of People's Republic of China published a revised Baseline for Multi-Level Protection of Cybersecurity (GB/T 22239-2019) on 10 May 2019 with an effective date of 1 December 2019.

Under MLPS 2.0, network operators are required to classify their infrastructure and application systems into five separate protection levels and fulfill protection obligations accordingly.

Multi-Level Protection Scheme 2.0 Compliance Procedure Overview

Initial classification

To begin compliance procedures, network operators must first conduct a self-assessment and propose a defined protection level for their network. According to the Guideline for MLPS Classification, companies must determine the protection level of their system or application based on two major considerations: impacted object and impacted level.

Impacted objects refer to who or what will be potentially impacted by network disruption or a cybersecurity incident. These include Chinese citizens, individuals and other organizations, social interest and public order, or national security. Impacted level refers to whether network disruptions or a cybersecurity incident will cause minor, major, or critical levels of impact on the objects.

A network’s protection level is graded according to its degree of societal impact within two benchmarks. The first benchmark assesses the importance of the network with regards to national security, economic construction, and social life. The second benchmark assesses the level of harm network disruption or a cybersecurity incident could cause to national security, public order and interest, and the interest and lawful rights of related citizens, legal persons, and other organizations.

As such, networks that do not affect national security, social order, and public interests are usually classified as Level 1, while networks that may affect social order and public interest are classified as Level 2 or above. Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.

Registration with local police agency

Currently, systems or applications should be registered for MLPS within 30 days after the protection level is determined. Do note, however, that the Multi-Level Protection Scheme Rules (Drafted for Comment) will eventually decrease the period to 10 days for Level 2 classifications and above. Local police will review the registration and may either approve the registration and officially issue an MLPS Registration Certificate or reject the application and require the applicant to make rectifications accordingly.

Companies must submit multiple compliance documents with their registration. Documents required for each company may differ depending on local rules and regulations. Network operators should check the official websites for confirmation before submission.

Click “Download” to read the full article.