The Multi-Level Protection Scheme (MLPS), known in Chinese as《信息安全等级保护管理办法》, is a cybersecurity framework in China designed to classify and regulate the security requirements of information systems. The MLPS framework ensures that companies protect data and systems according to national security priorities. The requirement and implementation of such protection is guided by the information system’s security level, which is determined by the role it plays in national security, economic development, and social life. Aside from this, an assessment is made regarding the degree of harm it is likely to impose on national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organisations should it be compromised or destroyed.
The management of information security products and the handling of security incidents must follow the established procedures for the system’s designated security level.
MLPS classifies systems into five levels based on the potential damage a security breach or system failure could cause:
Level | Type of Networks | Objects in Danger if Compromised | Degree of Harm |
Level 1 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | General damage |
Level 2 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | Serious damage |
Level 2 | Basic networks | Social order and public interest | General damage |
Level 3 | Important networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | Severe damage |
Level 3 | Important networks | Social order and public interest | Serious damage |
Level 3 | Important networks | National security | General damage |
Level 4 | Particularly important networks | Social order and public interest | Severe damage |
Level 4 | Particularly important networks | National security | Serious damage |
Level 5 | Extremely important networks | National security | Severe damage |
The MLPS is a key system of China’s cyberspace security management. Long before the introduction of the Cybersecurity Law, a system of information security level protection had already been established. The “Administrative Measures for the Multi-Level Protection of Information Security,” issued on June 22, 2007, by the Ministry of Public Security, the State Secretariat, the State Cryptography Administration, and the State Council’s Information Work Office, established the basic framework of the information security level protection system known in the industry as “等级保护1.0” (MLPS 1.0).
On November 7, 2016, the “Cybersecurity Law of the People’s Republic of China” was enacted, and the Network Security Multi-Level Protection System, commonly referred to as “Class Protection 2.0” in the industry, started to be required. The Ministry of Public Security issued the “Regulations on the Classified Protection of Network Security (Draft for Comment)” on June 27, 2018, and MLPS 2.0 took shape.
MLPS 2.0 requires all companies that operate any type of network in China (broadly defined to include most types of software, websites, and online platforms) to undergo an assessment of each network that they operate in China. Network operators are required to implement security features according to the level of harm that would be caused if the network were damaged or the data contained within it were lost, leaked, or stolen.
Compliance requirements aside, the implementation of the Multi-Level Protection Scheme is crucial in the protection of a company’s data and its employees’ and clients’ personal information. Without a proper evaluation and enhancement of the information system’s security, a data leak could result in suspended business operations, financial losses, and legal consequences.
While it’s difficult to have a 100% guarantee on your system’s security status, companies that have successfully implemented MLPS as guided by certified institutions and governmental authorities are exposed to less risk. If a network that has not gone through MLPS ends up losing data due to its security loopholes, the legal representative of the company and its main information technology personnel are likely to face serious allegations and sizable fines.
According to the law, all companies that operate networks in China are required to complete the MLPS assessment. This covers all networks, including basic networks, various information systems mounted on the basic networks (such as external business systems, internal management office systems, etc.), as well as various applications installed on the system, including apps and SaaS platforms.
Companies with information systems that serve a large user base and collect sensitive data should implement MLPS as soon as possible so that their legal liability is minimised in the event of a serious breach and to ensure that their system architectures and user information remain intact.
To start the MLPS (Multi-Level Protection Scheme) filing process, you must determine your system’s security level. This requires a full review by an authorised MLPS testing agency to classify your information system under the appropriate MLPS level (1–5).
Once your system is classified, you must submit the MLPS registration documents, stamped by the relevant authority, to the Cyber Security Office (网络安全保卫局) at the county, municipal, or provincial level, depending on where your business is registered in China.
Your company must upgrade technical security controls (such as encryption, access control, and monitoring) and improve management processes to meet MLPS compliance requirements. Many businesses engage MLPS consulting agencies for expert guidance during this stage.
After registering with local authorities and implementing security measures, you must schedule an MLPS compliance assessment with a government-certified institution to verify that your system meets the security standards for its designated level.
Once your system is MLPS-certified, it must undergo regular audits, inspections, and security updates as required by Chinese cybersecurity regulations to ensure continued compliance.
For a more detailed guide on how to apply for an MLPS Filing, visit our full article.
MLPS compliance costs start at CNY 200,000 per year and vary depending on system complexity and security level. Even lower-level systems with extensive hardware or intricate networks may incur higher costs than simpler high-level systems.
The total cost consists of three main components:
The total estimated cost for MLPS Level 3 compliance is approximately USD 33,000 per year, though actual costs may differ based on your system’s infrastructure and evolving requirements.
It is worth noting that there have been cases where clients were advised to obtain MLPS filing but chose not to. Later, after losing business opportunities due to non-compliance, they returned to us for assistance with the application.
Navigating MLPS requirements while managing costs can be challenging but is essential for those wishing to succeed in the Chinese market. AppInChina simplifies the process, helping businesses achieve compliance efficiently and cost-effectively. Contact us today to ensure your system meets China’s cybersecurity standards.