China's Cybersecurity Law: Multi-Level Protection Scheme (MLPS)
In part one of our Point of View (POV) series Interpretations of the updates to China’s Cybersecurity Law, we highlighted the updated legal requirements that impact organisations looking to do business in mainland China. One of these is the Multi-Level Protection Scheme (MLPS), an administrative requirement found in Article 21 of the Cybersecurity Law. Initially introduced in 1994, an updated MLPS 2.0 was issued in 2019, requiring network operators to ensure their networks are protected against interference, damage, or unauthorised access.
To support the implementation of MLPS 2.0 of China, the National Standardisation Management Committee of People's Republic of China published a revised Baseline for Multi-Level Protection of Cybersecurity (GB/T 22239-2019) on 10 May 2019 with an effective date of 1 December 2019.
Under Cybersecurity Law’s MLPS 2.0, network operators are required to classify their infrastructure and application systems into five separate protection levels and fulfill protection obligations accordingly.
To begin compliance procedures, network operators must first conduct a self-assessment and propose a defined protection level for their network. According to the Guideline for MLPS Classification, companies must determine the protection level of their system or application based on two major considerations: impacted object and impacted level.
Impacted objects refer to who or what will be potentially impacted by network disruption or a cybersecurity incident. These include Chinese citizens, individuals and other organisations, social interest and public order, or national security. Impacted level refers to whether network disruptions or a cybersecurity incident will cause minor, major, or critical levels of impact on the objects.
A network’s protection level is graded according to its degree of societal impact within two benchmarks. The first benchmark assesses the importance of the network with regards to national security, economic construction, and social life. The second benchmark assesses the level of harm network disruption or a cybersecurity incident could cause to national security, public order and interest, and the interest and lawful rights of related citizens, legal persons, and other organisations.
As such, networks that do not affect national security, social order, and public interests are usually classified as Level 1, while networks that may affect social order and public interest are classified as Level 2 or above. Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.
Currently, systems or applications should be registered for China's MLPS within 30 days after the protection level is determined. Do note, however, that the Multi-Level Protection Scheme Rules (Drafted for Comment) will eventually decrease the period to 10 days for Level 2 classifications and above. Local police will review the registration and may either approve the registration and officially issue an MLPS Registration Certificate or reject the application and require the applicant to make rectifications accordingly.
Companies must submit multiple compliance documents with their registration. Documents required for each company may differ depending on local rules and regulations. Network operators should check the official websites for confirmation before submission.
Types of required documents for systems and applications of Level 2 classification and above
- Multi-level protection classification report
- Multi-level protection registration application form
- Expert classification review opinion
- Network and information security commitment
- MLPS emergency contact registration form
Additional required documents for systems and applications of Level 3 classification and above
- System architecture and topology description
- Cybersecurity organisation and management policy
- System security and protection measures
- Security product inventory and sale permit
- System classification assessment report
- Regulatory agency review and approval
Key requirements for compliance
Network operators must comply with both general and extended requirements in order to fulfil their legal obligations around multi-level protection. Compliance requirements are defined according to the associated protection level.
General requirements cover technical solutions and security management. Technical solutions include requirements on physical environment, communications network, network border protection, data security protection, and security operations. Security management covers security policy, security organisation, security resources, project management, and operations management.
Extended requirements focus on the security requirements of specific types of platforms, including cloud computing, mobile, Internet of Things (IoT), industrial control systems, and big data.
If a network is determined to be Level 2 or above, the network operator must engage a qualified expert to carry out additional security reviews. Qualified experts are usually a third-party agency, but they can also be certified security professionals within the organisation. The review process is very similar to other security audits and technical assessments: the qualified expert will interview the IT management and technical staff, as well as security professionals, to understand current security governance and practices. They will also examine the documented security design and related policies and procedures to assess whether appropriate security controls are within the requirements of the specific protection level. A minimum score of 75 is necessary to pass the assessment for China's MLPS 2.0.
The above assessment results must be evaluated and endorsed by an independent expert recognised by the MLPS regulatory body. The independent expert is required to provide official documents to confirm assessment results.
The above security assessment result and verification should be provided as supplementary documents to the branch of the local police agency where the registration was filed. The process of China's MLPS compliance is completed once the documents are confirmed by the Ministry of Public Security and an official MLPS certification is issued.
Regular re-evaluations are required for systems and applications classified as Level 3 and above. The higher the protection level, the more frequently re-assessments should be conducted in order to stay in compliance with MLPS, with Level 2 networks re-assessed every two years, Level 3 networks re-assessed annually, and Level 4 networks re-assessed every six months. For Level 5 networks, re-evaluation will be defined and managed by respective regulatory ministry and commissions.
MLPS compliance depends on the specific protection level of the targeted systems and applications, as well as the requirements of particular industry regulators. It is important to note that a perfect score is not necessary for MPLS compliance, and network operators should not try to implement all the requirements. Not only is it expensive to do so, attempting to fulfill all requirements may cause companies to risk implementing incompatible technologies, especially if they already utilise another standard, such as ISO27001 or NIST. Implementing MPLS for the sake of compliance and without proper analysis and redesign may, in fact, reduce the level of cybersecurity protection.
Companies should also consider the capabilities of its cybersecurity team when implementing certain technologies. For example, technologies such as SELinux, a Linux security module, requires a high level of technical knowledge and the ability to manage superuser privilege. Without the proper capacities, it may be more prudent for a network operator to disable SELinux or other technologies requiring specialised expertise.
MPLS compliance is not a one-time action. Network operators should create a budget plan to ensure that they remain in compliance from the time the system goes online until it is retired. When defining the protection level and developing a budget, network operators should consider long-term system compliance expenditures, as well as indirect costs.
Examples of direct and indirect compliance costs:
Direct compliance cost
- MLPS evaluation cost
- MLPS remediation cost
- Product and device purchasing cost
Indirect compliance cost
- Cost of additional security systems and devices
- MLPS consulting and pre-evaluation cost
- Additional resource costs from MLPS compliance
- Additional maintenance or change for affected systems
- Additional services cost from MLPS
- Travel and overtime costs for internal and external staff
- Collateral damage from system malfunctions and business disruption
Protiviti helps businesses in ensuring that their IT services meet legal requirements and regulatory rules on both national and industry-specific levels. With a team of IT security professionals, compliance experts, auditors, and other professionals, Protiviti keeps track of evolving regulations based on industry innovations, environmental trends, and emerging risks.
Protiviti will evaluate your current compliance status and recommend technical solutions to increase the return of investment on MLPS while limiting any impact on your IT and business operations. Our compliance experts will monitor the published technical standards and provide professional opinions on MLPS compliance to help your enterprise continuously meet national standards and requirements.
 More information on ranking criteria may be found in OneTrust DataGuidance’s article on the Multi-Level Protection Scheme.
 The official website for Beijing may be found here, and the official website for Shanghai may be found here.
 This is the full list of required documents for Beijing. Other provinces may have different requirements.