What is an MLPS Filing and Who Needs one?


What is MLPS?

The Multi-Level Protection Scheme (MLPS), known in Chinese as《信息安全等级保护管理办法》, is a cybersecurity framework in China designed to classify and regulate the security requirements of information systems. The MLPS framework ensures that companies protect data and systems according to national security priorities. The requirement and implementation of such protection is guided by the information system’s security level, which is determined by the role it plays in national security, economic development, and social life. Aside from this, an assessment is made regarding the degree of harm it is likely to impose on national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organisations should it be compromised or destroyed.

The management of information security products and the handling of security incidents must follow the established procedures for the system’s designated security level.

MLPS classifies systems into five levels based on the potential damage a security breach or system failure could cause:

| Level | Type of Networks | Objects in Danger if Compromised | Degree of Harm |
|---|---|---|---|
| Level 1 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | General damage |
| Level 2 | Basic networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | Serious damage |
| | | Social order and public interest | General damage |
| Level 3 | Important networks | The legitimate rights and interests of relevant citizens, legal persons and other organizations | Severe damage |
| | | Social order and public interest | Serious damage |
| | | National security | General damage |
| Level 4 | Particularly important networks | Social order and public interest | Severe damage |
| | | National security | Serious damage |
| Level 5 | Extremely important networks | National security | Severe damage |

The Five Levels of MLPS

When and how did the MLPS take shape?

The MLPS is a key system of China’s cyberspace security management. Long before the introduction of the Cybersecurity Law, a system of information security level protection had already been established. The “Administrative Measures for the Multi-Level Protection of Information Security,” issued on June 22, 2007, by the Ministry of Public Security, the State Secretariat, the State Cryptography Administration, and the State Council’s Information Work Office, established the basic framework of the information security level protection system known in the industry as “等级保护1.0” (MLPS 1.0).

On November 7, 2016, the “Cybersecurity Law of the People’s Republic of China” was enacted, and the Network Security Multi-Level Protection System, commonly referred to as “Class Protection 2.0” in the industry, started to be required. The Ministry of Public Security issued the “Regulations on the Classified Protection of Network Security (Draft for Comment)” on June 27, 2018, and MLPS 2.0 took shape.

Why should companies obtain an MLPS Filing?

Compliance

MLPS 2.0 requires all companies that operate any type of network in China (broadly defined to include most types of software, websites, and online platforms) to undergo an assessment of each network that they operate in China. Network operators are required to implement security features according to the level of harm that would be caused if the network were damaged or the data contained within it were lost, leaked, or stolen.

Data Protection

Compliance requirements aside, the implementation of the Multi-Level Protection Scheme is crucial in the protection of a company’s data and its employees’ and clients’ personal information. Without a proper evaluation and enhancement of the information system’s security, a data leak could result in suspended business operations, financial losses, and legal consequences.

While it’s difficult to have a 100% guarantee on your system’s security status, companies that successfully implemented MLPS as guided by certified institutions and governmental authorities are exposed to less risk. If a network that hasn’t conducted MLPS ends up losing data due to its security loopholes, the legal representative of the company and its main information technology personnel are likely to face serious allegations and sizable fines.

Who should obtain an MLPS Filing?

According to the law, all companies that operate networks in China are required to complete the MLPS assessment. This covers all networks, including basic networks, various information systems mounted on the basic networks (such as external business systems, internal management office systems, etc.), as well as various applications installed on the system, including apps and SaaS platforms.

Companies with information systems that serve a large user base and collect sensitive data should implement MLPS as soon as possible so that their legal liability is minimised in the event of a serious breach and to ensure that their system architectures and user information remain intact.

How to obtain MLPS Filing?

Step 1: Conduct an MLPS System Classification

To start the MLPS (Multi-Level Protection Scheme) filing process, you must determine your system’s security level. This requires a full review by an authorised MLPS testing agency to classify your information system under the appropriate MLPS level (1–5).

Step 2: Register Your System with Local Authorities

Once your system is classified, you must submit the MLPS registration documents, stamped by the relevant authority, to the Cyber Security Office (网络安全保卫局) at the county, municipal, or provincial level, depending on where your business is registered in China.

Step 3: Implement Required Security Measures

Your company must upgrade technical security controls (such as encryption, access control, and monitoring) and improve management processes to meet MLPS compliance requirements. Many businesses engage MLPS consulting agencies for expert guidance during this stage.

Step 4: Undergo an Official MLPS Security Assessment

After registering with local authorities and implementing security measures, you must schedule an MLPS compliance assessment with a government-certified institution to verify that your system meets the security standards for its designated level.

Step 5: Maintain Ongoing Compliance and Security Audits

Once your system is MLPS-certified, it must undergo regular audits, inspections, and security updates as required by Chinese cybersecurity regulations to ensure continued compliance.

MLPS (Multi-Level Protection Scheme) Filing Application Overview

For a more detailed guide on how to apply for an MLPS Filing, visit our full article.

How much does it cost to obtain an MLPS Filing?

MLPS compliance costs start at CNY 200,000 per year and vary depending on system complexity and security level. Even lower-level systems with extensive hardware or intricate networks may incur higher costs than simpler high-level systems.

The total cost consists of three main components:

  • Service Fees: Paid annually to professional agencies for system evaluation, gap analysis, and assistance in preparing required documentation. For MLPS Level 3, AppInChina charges approximately USD 20,000 per year for these services.
  • Assessment Fees: Paid annually to government-certified testing agencies for system verification. These fees vary based on complexity but typically cost approximately USD 13,000 per year for Level 3 compliance.

The total estimated cost for MLPS Level 3 compliance is approximately USD 33,000 per year, though actual costs may differ based on your system’s infrastructure and evolving requirements.

It is worth noting that there have been cases where clients were advised to obtain MLPS filing but chose not to. Later, after losing business opportunities due to non-compliance, they returned to us for assistance with the application.

Navigating MLPS requirements while managing costs can be challenging but is essential for those wishing to succeed in the Chinese market. AppInChina simplifies the process, helping businesses achieve compliance efficiently and cost-effectively. Contact us today to ensure your system meets China’s cybersecurity standards.

Sources:

https://www.gov.cn/gzdt/2007-07/24/content_694380.htm

https://www.cac.gov.cn/2016-11/07/c_1119867116_2.htm