What is China’s MLPS Filing and Who Needs One?

By Marcos Sabio. Last updated on Dec 2, 2025
China’s digital landscape is governed by strict cybersecurity regulations, and one of the most critical requirements for businesses operating information systems is the MLPS Filing. If you’re planning to operate digital services, process data, or run any type of network in mainland China, understanding the Multi-Level Protection Scheme is essential for legal compliance and successful market entry. This guide outlines everything you need to know about the MLPS Filing, including who needs one and how to get one.

What is China’s Multi-Level Protection Scheme (MLPS)?

The Multi-Level Protection Scheme (MLPS), known in Chinese as the 信息安全等级保护管理办法, is a cybersecurity framework in China that classifies and regulates the security requirements of information systems. The MLPS framework ensures that companies protect their data and systems in line with national requirements. 

Each information system receives a security level classification based on two key factors: the role it plays in national security, economic development, and social life, and the potential harm to national security, social order, public interests, and the legitimate rights of citizens and organisations if compromised or destroyed.

Once classified, companies must implement security measures, manage security products, and handle security incidents according to the established procedures for their system’s designated level.

MLPS classifies systems into five levels based on potential damage from security breaches or system failures:

| Level | Type of Networks | Objects in Danger if Compromised | Degree of Harm |
|---|---|---|---|
| Level 1 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organisations | General damage |
| Level 2 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organisations | Serious damage |
| Level 2 | Basic networks | Social order and public interest | General damage |
| Level 3 | Important networks | The legitimate rights and interests of relevant citizens, legal persons and other organisations | Severe damage |
| Level 3 | Important networks | Social order and public interest | Serious damage |
| Level 3 | Important networks | National security | General damage |
| Level 4 | Particularly important networks | Social order and public interest | Severe damage |
| Level 4 | Particularly important networks | National security | Serious damage |
| Level 5 | Extremely important networks | National security | Severe damage |

When and How Did the MLPS Take Shape?

The following timeline details how the legal foundation governing MLPS in China formed, showing why compliance is mandatory for all network operators:

Who Must Obtain an MLPS Filing?

Under China’s Cybersecurity Law and the national standard GB/T 22240-2020, all network operators are required to classify and file their MLPS objects (等级保护对象). This obligation applies to any organisation that operates networks, information systems, or data-processing components within Mainland China.

According to the above national standard, MLPS objects fall into three categories:

1. Information Systems (信息系统) 

Examples of information systems that require MLPS Filing include: 

  • Public-facing systems such as web applications serving Chinese users, mobile app backends (e.g., account systems and payment platforms) and customer portals, dashboards, or account management platforms.
  • Internal company systems operated in China such as human resource management and customer relationship management systems. 
  • SaaS platforms serving Chinese customers, mainly localised SaaS offerings hosted in Mainland China regions.
  • China region workloads deployed on cloud platforms such as compute instances and containers operating in Alibaba Cloud, Tencent Cloud or AWS China, and backend components supporting apps or websites such as databases or storage buckets. 

2. Communication Network Facilities (通信网络设施)

Examples of communication network facilities that require MLPS Filing include:

  • VPN gateways and dedicated leased-line networks
  • SD-WAN networks connecting branches inside China
  • CDN nodes operated in China
  • Private communication networks such as logistics tracking networks or financial trading networks

3. Data resources (数据资源) 

Examples of data resources that require MLPS Filing include: 

  • Large datasets used for analytics or algorithm training
  • User profile databases, payment transaction histories or behaviour logs
  • Business databases supporting core operations

This means any company processing or storing data in China, operating servers in China, or offering digital services to Chinese users must complete MLPS classification and filing for each independent information system. This requirement applies to:

How MLPS Applies in Practice

In practice, companies must file MLPS for each system that falls under the national standard’s definition of an “object of classification” (定级对象). Therefore, a system needs to be filed if it has:

  • a clear entity responsible for its security,
  • an independent business function, and
  • a set of interconnected resources that work together to process information.

This means companies do not file their entire IT environment. Instead, they file each system that falls under the above definition. This allows MLPS compliance to match the way systems are actually built and deployed in real-world technical environments.

Examples of MLPS in Practice

Understanding how information systems are classified under China’s Multi-Level Protection Scheme (MLPS) is essential for determining filing requirements and the security obligations that follow. The table below summarises the characteristics and typical examples of MLPS Levels 1 through 5.

| MLPS Level | Risk / Classification Characteristics | Typical System Examples |
|---|---|---|
| Level 1 | Minimal impact; systems do not process personal data or sensitive business data. Security incidents would have negligible effect on users or operations. | Static informational websites, marketing pages, publicly accessible product/documentation sites. |
| Level 2 | Limited business impact; systems that process non-sensitive operational data or support small-scale China workloads. Compromise affects the company but not public interests. | Reverse proxies, edge nodes, API gateways, small microservices in China, internal office tools hosted in China without personal data, basic content distribution endpoints. |
| Level 3 | Clear impact on public interests. Systems that process personal data, provide consumer-facing services, or operate core business functions in China. | User-account/authentication systems, e-commerce platforms, mobile/web apps with large user bases, SaaS platforms for Chinese enterprises, CN-hosted databases containing profiles, transactions, or other regulated data. |
| Level 4 | Severe impact on social order, key industries, or critical public services. Typically applied to Critical Information Infrastructure (CII) operators. | Banking core platforms, telecom operational systems, power grid SCADA, transportation scheduling/dispatch, large hospital HIS/EMR systems, major payment clearing and settlement systems. |
| Level 5 | Significant impact on national security. Systems whose compromise could affect state stability, national defense, or nationwide critical operations. | National-level command and control systems, military information platforms, nationwide financial settlement networks, national emergency response platforms, top-tier government data centers. |

What is the Most Common MLPS Level for Foreign Companies?

Most international companies operating in China fall under Level 3, because at this level, systems begin processing personal data, providing consumer-facing functions, or performing core business operations for Chinese users. Even when most infrastructure is located overseas, any China-based subsystems that store or process user data (e.g., databases, analytics pipelines, content delivery components) typically trigger Level 3 filing requirements.

How to Obtain an MLPS Filing?

Step 1: Conduct an MLPS System Classification

To begin the MLPS Filing process, you must first determine a system’s security level. For Level 1, this can be done through self-assessment. For Levels 2 through 5, this can only be done by an MLPS-qualified testing agency, which evaluates the potential impact to national security, public interests, and business operations in the event of a security incident. It is important to note that Level 1 systems pose no risk to national security or public interests and therefore do not need to be filed with the Public Security Bureau; companies are, however, required to ensure that the system is compliant and functional.

Most commercial systems fall under Level 2 or Level 3. The Cybersecurity Department of the Public Security Bureau (公安机关网安部门) has an official database of all agencies qualified to carry out MLPS system classifications and testing.

The official database of all agencies qualified to carry out MLPS system classifications and testing.

Step 2: File Your System with the Local Public Security Bureau

According to Article 15 of the Administrative Measures for the Hierarchical Protection of Information Security, once the system’s level has been determined, you must submit the following materials within 30 days of obtaining the level classification to the Cybersecurity Department of the local Public Security Bureau (公安机关网安部门) in the city or district where your company is registered:

  1. System Classification Report (信息安全等级保护测评报告)
     This document explains the system’s MLPS level, how the classification was determined, and the system’s business function, architecture, and data sensitivity. This is provided by testing agencies.

  2. MLPS Filing Registration Form (备案登记表)
     The core form required for the record filing, stamped with the company’s official seal.

  3. Information System Overview (信息系统基本情况说明)
     A description of system boundaries, functional modules, data flows, deployment location, cloud usage, and connected third-party services.

  4. Network Topology Diagram (网络拓扑结构图)
     A clear architectural diagram showing servers, network segments, firewalls, databases, and external interfaces.

  5. System Security Responsibility Statement (安全责任书)

Companies are required to designate personnel across two distinct categories in accordance with the Cybersecurity Law and the Baseline for Classified Protection of Cybersecurity (网络安全等级保护基本要求):

Category 1: Company Leadership (Legal Responsibility)

These individuals bear legal responsibility and must be formal company employees:

  • Legal Representative (法定代表人): Must match the person listed on the Business License (营业执照). 
  • System Manager (系统负责人): Must be a formal employee of the company (with labor contract and social insurance contributions), responsible for overall system operations and maintenance.
  • Security Manager (安全负责人): Must be a formal employee of the company (with labor contract and social insurance contributions), responsible for overall cybersecurity management.

When filing, all three roles require submission of ID cards or passports, appointment letters, and social insurance records. These three roles must be held by different individuals.

Category 2: System Administrators (Technical Operations)

These individuals handle day-to-day technical operations:

  • System Administrator (系统管理员): Responsible for daily technical operations such as server deployment, software installation, and patch management.
  • Security Administrator (安全管理员): Responsible for security policy configuration and account management.
  • Audit Administrator (审计管理员): Responsible for log monitoring and security report generation.

For non-classified systems, these three positions may be outsourced to third-party companies, and outsourced personnel may be foreign nationals. However, security responsibilities must be clearly defined in contracts, and outsourced personnel must undergo background checks and on-site assessments by the employing entity.

It is worth noting that the Public Security Bureau requires that these personnel be reachable, and any communication will be in Chinese. It is therefore necessary that the personnel mentioned above understand the system and can explain its functions in Chinese. AppInChina can provide this outsourcing for companies that do not have these personnel in China. Each role must be held by a different person, and their names, contact information, and outsourcing service agreement summaries must be accurately recorded in the filing materials.

The filing materials require two separate forms: one listing the Company Leadership who bear legal responsibility, and another listing the System Administrators who maintain operational separation of duties.

Personnel Requirements by System Type:

Non-classified systems (非涉密信息系统): These are typically systems classified as MLPS Level 3 or below that handle standard business or user data. The Company Leadership must be formal company employees with proper documentation. The System Administrators may be outsourced to third-party service providers, and professional certifications such as CISP or CISSP are recommended but not required.

Classified systems (涉密信息系统): These are systems typically classified as MLPS Level 4 or above that handle state secrets or sensitive government data. All designated personnel across both categories must be Chinese nationals, internal staff, formally trained, and certified by national authorities. Confidentiality commitments are mandatory, and no duties may be outsourced.

  6. Business License (营业执照) Copy
     Required for verification of the entity submitting the filing.

  7. IDC / Cloud Service Agreement
     For systems hosted on local cloud providers such as Alibaba Cloud, Tencent Cloud, AWS China, and Azure China, a hosting service agreement is often required to confirm the physical location of the system, as MLPS applies only to systems hosted within Mainland China.

After approval, the Public Security Bureau will issue an MLPS Filing certificate with a filing number.

Example of an MLPS Filing certificate. This system filed for level 2.

Step 3: Implement Required Security Measures

After the MLPS filing is accepted, your company must implement the technical, procedural, and organisational security measures required for the designated MLPS level. This typically includes enhancements such as access control, network boundary protection, encryption, monitoring, logging, vulnerability management, and improvements to internal security policies. Many companies consult with testing institutions to complete this stage.

Step 4: Undergo an Official MLPS Security Assessment

Once the required controls are in place, you must arrange for a certified MLPS testing institution to conduct the official technical assessment. This assessment verifies whether your information system meets the security requirements stipulated in the MLPS 2.0 technical standards for its designated level.

Step 5: Maintain Ongoing Compliance and Security Audits

According to Article 25 of the Regulations on Levels of Cyber Security Protection, all systems regardless of their level must conduct an internal annual review to ensure the compliance and functionality of the system. In addition to the annual internal review, external assessments are compulsory only for Level 2 and above:

  • Level 1: No external test required.
  • Level 2: Once every two years.
  • Level 3: Once every year.
  • Level 4: Every six months.
  • Level 5: On a timetable set by the Ministry of Public Security.

After each external assessment, any security risks identified must be rectified and both the assessment report and evidence of remediation submitted to the PSB for the record.

An outline of the steps to obtain an MLPS Filing.

How Long Does it Take to Obtain an MLPS Filing?

The timeline for obtaining MLPS Filing varies significantly based on your system’s classification level:

| Level | Typical Timeline | Key Activities and Notes |
|---|---|---|
| Level 1 | 15–30 days | Self-assessment and internal remediation. No Public Security Bureau filing required; timeline is fully controllable. |
| Level 2 | 2–4 months | Classification, filing, remediation, assessment, and certificate issuance. Can be compressed to 6 weeks if all materials are submitted correctly on first attempt. |
| Level 3 | 4–6 months | Comprehensive technical testing by third-party agencies, extensive remediation, and detailed PSB review. More thorough Public Security Bureau review process. |
| Level 4+ | 6–12+ months | Multiple rounds of expert review and industry regulatory authority approvals. Timeline depends on system complexity and regulatory scheduling. |

If your system architecture is complex, requires extensive remediation, or faces queues at regulatory review windows, the overall project timeline may extend to 6–12 months regardless of the initial classification level.

Why Should Companies Obtain an MLPS Filing?

Compliance

MLPS 2.0 requires all companies that operate any type of network in China to undergo an assessment of each network that they operate in China. Network operators are required to implement security features according to the level of harm that would be caused if the network. Failure to file Levels 2 to 5 is a direct breach of Articles 21 and 59 of the Cybersecurity Law and Article 63 of the Regulations on Levels of Cyber Security Protection.

Consequences for non-compliance include:

  • Orders to suspend operations.
  • Confiscation of illegal gains.
  • Fines of CNY 10,000 to 100,000 on the company.
  • Fines of CNY 5,000 to 50,000 on the Legal Representative personally.
  • In serious cases, criminal liability for failure to perform network-security obligations.

Data Protection

MLPS establishes the technical security baseline for protecting corporate data and employee/client personal information. While MLPS focuses on system security classification and technical controls, companies processing personal information in China must also comply with separate data protection obligations under the Personal Information Protection Law (PIPL) or 个人信息保护法 in Chinese.

Systems that lack proper MLPS classification may face compounded regulatory risk. For example, if a system processes personal information and fails to implement proper security measures, resulting in a data leak, aside from MLPS non-compliance consequences above, the company would also be subject to penalties under Article 66 of the Personal Information Protection Law (个人信息保护法):

  • Fines of up to CNY 1 million for standard violations
  • Fines of CNY 10,000 to 100,000 on directly responsible personnel
  • For serious violations: fines of up to CNY 50 million or 5% of previous year’s turnover, business suspension, license revocation, and prohibition of executives from holding leadership positions.

While MLPS and PIPL are separate legal requirements, both are important to stay compliant in China when processing data.

Potential Loss of Business

Any platforms that wish to operate and succeed in China need to ensure they are compliant with China’s local laws and regulations, including MLPS, so that clients feel confident using their system in the country. Without MLPS compliance, companies may worry about the legal liability they take on when using the platform. As a result, the absence of an MLPS filing can steer clients away from adopting your system. This is especially true for B2B SaaS platforms that want to operate and succeed in China.

How Much Does it Cost to Obtain an MLPS Filing?

There is no fixed cost for obtaining the MLPS Filing. Costs vary depending on the testing agency you choose and the level of the system you are filing for. Typically, costs consist of:

  • Service Fees: Paid annually to professional agencies for system evaluation and assistance in preparing required documentation. For MLPS Level 3, AppInChina charges approximately USD 20,000 per year for these services.
  • Assessment Fees: Paid annually to government-certified testing agencies for system verification. These fees vary based on complexity but typically cost approximately USD 13,000 per year for Level 3 compliance.

The total estimated cost for MLPS Level 3 compliance is approximately USD 33,000 per year, though actual costs may differ based on your system’s infrastructure and evolving requirements.

How Can AppInChina Help?

Whether you have an established Chinese entity or are entering the market for the first time, AppInChina provides two pathways to help you achieve MLPS compliance efficiently.

At AppInChina, we can help with:

  • Compliance consulting services. If you operate under your own Chinese legal entity, we can guide you through the MLPS process, including:
    1. A free compliance assessment to identify whether you require an MLPS Filing and any other licenses, certificates or filings to be compliant with local laws and regulations.
    2. Assistance with system classification and evaluation.
    3. Technical remediation guidance to implement required security controls.
    4. Application process support through documentation preparation and submission to the Public Security Bureau.
  • Publishing partnership. For companies without a Chinese entity or seeking a faster market entry, AppInChina acts as the registered publisher and operator of your system in China. We handle all classification, filing, and ongoing compliance maintenance for your MLPS Filing, ensuring your system is both functional and compliant in China.
  • Outsourcing. We can provide companies with the technical personnel required to monitor systems and communicate with the Public Security Bureau if they do not have someone who can fulfill this role internally.

Contact us today to discuss which pathway is right for your business and ensure your system meets China’s cybersecurity standards.