MLPS Application in China



The basis for the Multi-Level Protection Scheme (MLPS) can be found in Article 21 of the 2017 Cybersecurity Law of the People’s Republic of China, which requires “network operators” to follow the MLPS certification process “to ensure that the network is free from interference, disruption or unauthorized access, and prevent network data from being disclosed, stolen or tampered”.

The release of the draft Regulation on the Cybersecurity Multi-level Protection Scheme by the Ministry of Public Security in June 2018 and of three new MLPS-related standards by the State Administration for Market Regulation in May 2019 began an era of greater regulatory requirements and enforcement referred to as MLPS 2.0.

MLPS 2.0 requires all companies that operate any type of network in China (broadly defined to include most types of software, websites and online platforms) to undergo an assessment of each network that they operate in China. Network operators are required to implement security features at different levels according to the level of harm that would be caused if the network were damaged or the data contained within it were lost, leaked, or stolen:

Level 1: Damage to the network will cause harm to the legitimate rights and interests of the Chinese citizens, legal persons and other organizations concerned, but not to national security, social order or public interest on a general level.

Level 2: Damage to the network will cause serious harm to the legitimate rights and interests of the Chinese citizens, legal persons and other organizations concerned, or cause harm to social order and the public interest, but not to national security.

Level 3: Damage to the network will cause particularly serious damage to the legitimate rights and interests of the Chinese citizens, legal persons and other organizations concerned, or cause serious harm to social order and the public interest, or cause harm to national security.

AppInChina provides a service to apply for and maintain MLPS Filings for international companies in China. We aim to interpret all relevant laws and regulations as conservatively as possible to ensure that every network we work on achieves full legal compliance.

Our service proceeds along the following stages:

  1. We provide a questionnaire to our clients asking for details of the network, including the categories of data collected, network architecture, and number of users.
  2. We use the data collected in step 1 to make an initial assessment, in consultation with licensed audit firms and law firms, of the likely MLPS filing level that will be required.
  3. If the network only requires a Level 1 Filing then we will assist our client with conducting the required MLPS Level 1 self-assessment and maintaining it on an annual basis.
  4. If the network requires a Level 2 or Level 3 Filing then we will select a suitable licensed audit firm and work with our client to confirm an official classification of the correct MLPS level and any changes to the network and its security features that are required in order to become compliant with MLPS Level 2 or Level 3 as applicable. This work also involves technical discussions with our client’s staff to determine the optimal technical solutions that will not only ensure MLPS compliance but also minimize ongoing operational costs.
  5. When all required security features are in place the licensed audit firm will confirm a Level 2 or Level 3 Filing for the network and we will submit documentation to our client’s local public security bureau to obtain official certification.
  6. If the network requires an MLPS Level 2 Filing then this will need to be renewed every 2 years. For MLPS Level 3 annual renewal is required.

Completion of MLPS Filing Level 1 usually takes 1 to 2 months, with Levels 2 and 3 taking between 3 and 6 months. However, this timeline depends on the scale and complexity of the network and the response times of each client. For more details, contact us here.