On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”).  These standards, which are commonly referred to as the “MLPS 2.0 standards,” include: GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme, GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme and GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme.  The MLPS 2.0 standards are set to take effect on December 1, 2019.

Background of MLPS

China’s CSL, which took effect on June 1, 2017, requires the government to implement the MLPS for cybersecurity (Article 21).  This framework is designated as a fundamental scheme to protect cybersecurity in China and requires all network operators, a term broadly defined to include all entities using a network (including the Internet) to operate or provide services, to meet certain cybersecurity requirements.

To implement provisions related to MLPS in the CSL, the government, in particular the Ministry of Public Security (“MPS”), has been working since 2017 on rules and national standards that specify the networks that must to be classified under the MLPS; the classification, certification and filing process for such networks; the technical controls that must be implemented by network operators; and the compliance obligations that network operators at different levels must follow.  Collectively these rules and national standards form a layered framework for cybersecurity requirements under CSL, commonly referred to as the “MLPS 2.0” framework.

The first layer of the MLPS 2.0 framework is the draft Regulations on Cybersecurity Multi-level Protection Scheme, issued by MPS on June 27, 2018 (the “Draft Regulation”, see our previous post here) for public consultation.  The Draft Regulation updated the existing MLPS regulation (commonly referred to as “MLPS 1.0”), a framework dating back to 2007 that classified information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked.  Under both the MLPS 1.0 and the Draft Regulation, the classification levels range from one to five, one being the least critical and five being the most critical.  Further, under the Draft Regulation, information systems that are classified—initially self-assessed and proposed by network operators and then confirmed by the MPS—at level 3 or above are subject to enhanced security requirements.  MPS publically announced that it plans to finalize the Draft Regulation by the end of 2019.

The second layer of the MLPS 2.0 framework is the MLPS 2.0 standards, which establish the technical foundation of the framework by clarifying varying technical and organizational controls that network operators at each level should establish.  The release of this core set of MLPS 2.0 standards marks an important step for MPS, which plans to roll out the MLPS 2.0 framework at a full scale nation-wide in the coming months.  As the next step, MPS indicated that two more MLPS 2.0 standards, which set out the implementation process and the certification process, will be released together with the final version of the Draft Regulation.  At that point, the full MLPS 2.0 framework will be completed and impose mandatory requirements on all network operators in China.

At this moment, certain aspects of the MLPS 2.0 framework, especially those are to be covered by the Draft Regulation and the two forthcoming MLPS 2.0 standards remains unclear – for example, it is still not clear what systems need to be certified or the specific legal obligations companies operating networks classified at different levels, especially at Level 3 or above, will be subject to.

What are the Key Updates of MLPS 2.0 Standards?

As explained in more detail below, the MLPS 2.0 standards (1) significantly expand the applicability of the MPLS 1.0 by broadening the definition of “information systems”; (2) establishes common controls for all types of systems; and (3) establishes extended controls for certain types of systems.

  1. Expanded Applicability: As compared to MLPS 1.0, the MLPS 2.0 standards expand their coverage from “information systems” to a wider range of “systems,” which may include network infrastructure, cloud computing platform/system, mobile application platforms, connected devices (Internet of Things, “IoT”), and industrial control systems.
  2. Common Controls for all Systems: MLPS 2.0 standards establish a core set of technical and organizational controls for all systems, referred to as “common controls,” regardless of the classification level of the system.  Specifically, network operators are required to establish controls in the following areas:  security governance, including organization, management, and personnel; physical environment security; communication network security; network boundary protection; business continuity and disaster recovery; identity management; intrusion detection; third party risk management; and security operations.
  3. Extended Controls for Specific Types of Systems: The MLPS 2.0 standards also require network operators to implement additional extended controls at each classification level for the following specific types of systems: (i) cloud computing, (ii) industrial control systems, (iii) connected devices, and (iv) mobile network systems.

For example, network operators are required to implement a series of extended controls for cloud computing systems, regardless of the classification level of a particular cloud computing system, in the following areas:  physical environment security (e.g. localized infrastructure in China, possibly referring to the use of local data centers); communication network security (e.g. localized storage of customer data and personal information in China; if cross-border data transfers are needed, such transfers must be in compliance with unspecified Chinese laws and regulations); network boundary protection (e.g. access control, non-invasive security and security audit); computing environment security (e.g. identity authentication, data recovery, data backup, etc.); and maintenance (e.g. localized maintenance in China, unless oversea maintenance can follow unspecified Chinese rules and regulations).

In addition, if a network operator will use a vendor to run a cloud computing system, the network operator is required to include a number of additional controls in its vendor management program, such as:  requiring the vendor to comply with applicable Chinese laws and regulations; confirming that the MLPS classification level of the vendor is not lower than the classification level of the network operator’s system that will be run on the cloud; and ensuring the service level agreement specifies the service scope, technical details, rights and obligations, access control, privacy protection and other key terms.

Further, network operators classified Level 2 or above are also required to request their cloud service providers return the complete set of customer data and delete such data after the termination of the cloud service agreement.  Network operators of systems classified Level 3 or above, are required to enter into a confidentiality agreement with the cloud service provider to prohibit unauthorized disclosure of customer data.

*                      *                      *

In sum, the MLPS 2.0 standards introduce different technical and organizational controls for companies at different classification levels and provide important technical guidance for companies that are making efforts to comply with the MLPS requirements.  Some of the extended controls, such as localized infrastructure, storage, and maintenance for cloud computing systems, could raise compliance issues for both global cloud service providers and their customers, if they become mandatory requirements.  Additional guidance is expected to be provided by MPS in the coming months, and companies who are or may be subject to the MLPS requirements should closely monitor the developments.

Tags: China, Cybersecurity, Data Security
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Read more about Yan LuoEmail
Show more Show less
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Read more about Ashden FeinEmail
Show more Show less