The Multi-Level Protection Scheme (MLPS) is the safeguarding of proprietary information and information systems. The requirement and implementation of such protection is guided by the information system’s security level, which is determined by the role it plays in national security, economic development, and social life, as well as the degree of harm it is likely to impose on national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organizations if compromised or destroyed.
The management of information security products, as well as the response to and handling of security incidents, must all adhere to the procedures established for the information system’s specific security level.
According to the degree of harm a system can cause if compromised or damaged, MLPS has 5 levels:
|Level||Type of Networks||Objects in Danger if Compromised||Degree of Harm|
|Level 1||Basic networks||The legitimate rights and interests of relevant citizens, legal persons and other organizations||General damage|
|Level 2||Basic networks||The legitimate rights and interests of relevant citizens, legal persons and other organizations||Serious damage|
|Social order and public interest||General damage|
|Level 3||Important networks||The legitimate rights and interests of relevant citizens, legal persons and other organizations||Severe damage|
|Social order and public interest||Serious damage|
|National security||General damage|
|Level 4||Particularly important networks||Social order and public interest||Severe damage|
|National security||Serious damage|
|Level 5||Extremely important networks||National security||Severe damage|
The MLPS is a key system of China’s cyberspace security management. Long before the introduction of the Cybersecurity Law a system of information security level protection had already been established. The “Administrative Measures for the Multi-Level Protection of Information Security,” issued on June 22, 2007, by the Ministry of Public Security, the State Secretariat, the State Cryptography Administration, and the State Council’s Information Work Office, established the basic framework of the information security level protection system known in the industry as “Deng Bao 1.0” (MLPS 1.0)
On November 7, 2016, the “Cybersecurity Law” was enacted, and the Network Security Multi-Level protection system, commonly referred to as “Class Protection 2.0” in the industry, started to be required. The Ministry of Public Security issued the “Regulations on the Classified Protection of Network Security (Draft for Comment)” on June 27, 2018, and MLPS 2.0 took shape.
MLPS 2.0 requires all companies that operate any type of network in China (broadly defined to include most types of software, websites and online platforms) to undergo an assessment of each network that they operate in China. Network operators are required to implement security features at different levels according to the level of harm that would be caused if the network was damaged or the data contained within it were to be lost, leaked, or stolen.
Compliance requirements aside, the implementation of the Multi-Level Protection Scheme is crucial in the protection of a company’s data and its employees’ and clients’ personal information. Without a proper evaluation and enhancement on the information system’s security, the data leak could result in suspended business operations, financial losses, and legal consequences.
While it’s difficult to have a 100% guarantee on your system’s security status, companies that successfully implemented MLPS as guided by certified institutions and governmental authorities are exposed to less risk. If a network that hasn’t conducted MLPS ended up losing data due to its security loopholes, the legal representative of the company and its main information technology personnel are likely to face serious allegations and sizable fines.
According to the law, all companies that operate networks in China should complete the MLPS assessment. This covers all kinds of networks, including basic networks, various information systems mounted on the basic networks (such as external business systems, internal management office systems, etc.), as well as various applications installed on the system including apps and SaaS platforms.
Companies with information systems that serve a large user base and collect sensitive data should implement MLPS as soon as possible so that their legal liability is minimized in the event of a serious breach and their system architectures and user information remain intact.
Step 1: Rating your information system
A full review of your system must be conducted by an authorized MLPS testing agency.
Step 2: Register your information systems with local authorities
System rating information needs to be stamped and taken to the Cyber Security Office of the county, municipal, or province, depending on which area you reside in.
Step 3: Complete system security construction
This requires that a company implement new tech solutions as well as management methods. Services of professional consulting agencies are usually needed during this stage.
Step 4: Conduct level-appropriate assessment of the information systems
After completing registration with local authorities and system security construction, you can schedule system assessments with certified assessing institutions.
Step 5: Accept supervision and inspection carried out by the competent authority regularly
The costs of obtaining an MLPS Filing consist of three parts: consulting fees paid to professional agencies for advice on changes that need to be made to the system, assessment fees paid to institutions certified by the government to evaluate the outcome of your system security construction, and security products purchased to be deployed on your information system to increase the system’s robustness.
The overall cost should be more than CNY 200,000 per year and will rise as the level of your information system increases. However, a lower-level system with more hardwire or a larger network may cost more than a higher-level system with a simpler setup.