Thursday, February 5, 2026

Navigating China’s Multi-Level Protection Scheme (MLPS): A Comprehensive Guide

In the digital age, cybersecurity has become paramount, especially in nations like China, where rapid technological advancements intersect with stringent regulatory frameworks. One of the cornerstone regulations in China’s cybersecurity landscape is the Multi-Level Protection Scheme (MLPS). Originally introduced in 2007 and updated in 2019 to MLPS 2.0, this scheme categorizes information systems based on their importance and potential impact on national security, public interest, and individual rights.

What is MLPS?

The Multi-Level Protection Scheme is a national standard in China that classifies information systems into five levels, from Level 1 (least critical) to Level 5 (most critical). The classification determines the security measures and compliance requirements an organization must implement. This hierarchical approach ensures that resources are allocated efficiently, focusing on protecting systems that, if compromised, could have the most significant adverse effects.

Evolution from MLPS 1.0 to MLPS 2.0

The original MLPS, known as MLPS 1.0, primarily focused on traditional IT systems. However, with the advent of cloud computing, big data, and the Internet of Things (IoT), the scope of the scheme was expanded. MLPS 2.0, introduced in 2019, incorporates new technologies and application scenarios, emphasizing the security of cyberspace systems encompassing data, networks, systems, and personnel. This evolution reflects China’s commitment to adapting its cybersecurity framework to contemporary technological landscapes. (Source: The National Law Review)

The Five Levels of MLPS

The MLPS classifies information systems into five levels based on their importance and the potential consequences of their compromise:

  1. Level 1: Systems whose damage would harm the legal rights of citizens or organizations but not national security or public interest.
  2. Level 2: Systems whose damage would seriously harm the legal rights of citizens or organizations, social order, or public interests, but not national security.
  3. Level 3: Systems whose damage would seriously harm social order, public interest, or national security.
  4. Level 4: Systems whose damage would cause very serious harm to social order, public interest, or national security.
  5. Level 5: Systems whose damage would cause extremely serious harm to national security. (Source: The US-China Business Council)

The higher the level, the stricter the security measures and compliance requirements.

Compliance Requirements for MLPS

General Requirements

All network operators, regardless of their system’s classification level, must adhere to the following general cybersecurity protection obligations (sources: Mondaq, Reed Smith):

  • Personnel Designation: Assign responsible individuals for cybersecurity.
  • Cybersecurity Management System: Establish and maintain operational procedures for data centers and computer rooms.
  • Record Retention: Keep records of network operations, cybersecurity incidents, and illegal activities for at least six months.
  • Data Classification and Protection: Classify data and implement measures such as backups and encryption for important data.
  • Lawful Data Handling: Collect, use, and process personal information in compliance with laws.
  • Incident Reporting: Report cybersecurity incidents to the local Ministry of Public Security within 24 hours.
  • Annual Self-Assessment: Conduct an annual self-assessment of MLPS implementation and report results to the local Ministry of Public Security. (Sources: The National Law Review, Mondaq, Reed Smith)

Extended Requirements for Higher Levels

For systems classified at Level 2 or above, additional requirements include (sources: Global Practice Guides, Protiviti, Mondaq):

  • Expert Assessment: Engage qualified experts to conduct security reviews.
  • Independent Verification: Obtain verification of assessment results from government-approved experts.
  • Government Approval: Submit assessment results and verification documents to the local Ministry of Public Security for approval.
  • Re-evaluation Schedule: Undergo regular re-evaluations: every two years for Level 2, annually for Level 3, and every six months for Level 4. (Sources: PwC, Protiviti, The National Law Review)

Failure to comply with these requirements can lead to administrative penalties, including fines and potential suspension of operations.

Implementation Challenges

Implementing MLPS compliance can pose several challenges for organizations:

  • Complexity of Requirements: The extensive and detailed requirements can be overwhelming, especially for organizations unfamiliar with China’s regulatory landscape.
  • Resource Allocation: Ensuring adequate resources, both human and technological, to meet compliance standards.
  • Continuous Monitoring: Maintaining ongoing compliance through regular assessments and updates to security measures.
  • Third-Party Dependencies: Managing compliance across third-party vendors, especially in cloud computing and IoT environments.

Addressing these challenges requires a proactive approach, including staff training, investment in cybersecurity infrastructure, and collaboration with experienced compliance consultants.

Impact on Foreign Enterprises

Foreign enterprises operating in China must be particularly vigilant regarding MLPS compliance:

  • Data Localization: Certain MLPS 2.0 requirements mandate data storage and processing within China, impacting cloud service strategies.
  • Vendor Management: Ensuring that third-party vendors, especially those providing cloud services, comply with MLPS standards.
  • Regulatory Scrutiny: Increased scrutiny from Chinese authorities on foreign enterprises’ compliance with cybersecurity laws. (Source: Inside Privacy)

Failure to adhere to MLPS can result in reputational damage, legal consequences, and operational disruptions.

Best Practices for Compliance

To navigate the complexities of MLPS compliance, organizations should consider the following best practices
