China MLPS 2.0 — Multi-Level Protection Scheme (Classified Protection of Cybersecurity)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
China MLPS 2.0, the Multi-Level Protection Scheme (Classified Protection of Cybersecurity), is a regulatory framework that enables organizations to classify and protect information systems based on their importance to national security, economic stability, and public interests. The scheme establishes requirements for implementing cybersecurity controls and risk management practices that correspond to different levels of system criticality.
Issued by the Ministry of Public Security (MPS) of China, MLPS 2.0 applies to both public and private sector organizations operating or managing information systems within China. The regulation covers areas such as data protection, risk assessment, network security, access controls, and incident response, with a tiered approach to strengthening compliance oversight and cybersecurity resilience.
Organizations implement MLPS 2.0 by performing system classification, conducting security gap assessments, deploying technical and organizational controls, and maintaining compliance documentation for regulatory inspection.
Why it Matters
China MLPS 2.0 enables organizations to systematically classify and secure information systems, strengthening national cybersecurity and regulatory compliance.
Key benefits include:
Strengthen cybersecurity governance
Establishes a formal structure for identifying, classifying, and protecting information systems according to risk and criticality.
Enhance regulatory alignment
Supports compliance with China's national cybersecurity requirements, helping organizations meet evolving legal and policy obligations.
Protect sensitive data assets
Implements graduated security controls to safeguard critical data, reducing the likelihood of breaches or unauthorized disclosures.
Increase audit readiness
Provides a documented trail of risk assessments, controls, and procedures to facilitate regulatory inspections and third-party audits.
Promote operational resilience
Improves preparedness for incident detection and response, minimizing disruptions from cyber threats across organizational operations.
How it Works
China MLPS 2.0 establishes a hierarchical cybersecurity framework by classifying information systems and networks into five protection levels based on their importance to national security, economic development, and public interests. The scheme outlines specific catalogues of security controls and requirements for each level, covering governance, physical security, technical safeguards, and operational processes.
Organizations implement MLPS 2.0 by first conducting classification assessments to determine their systems' required level of protection. They then apply corresponding security controls, conduct periodic risk management reviews, and integrate compliance monitoring into ongoing operations.
Key Elements
System Classification Levels
Defines hierarchical tiers for systems based on their significance to national security and public interests.
Security Control Categories
Organizes technical and organizational measures required for each classification level to address key risk areas.
Risk Assessment Process
Outlines ongoing evaluation of system vulnerabilities, threats, and potential impact aligned with system classification.
Compliance Documentation Requirements
Specifies mandatory records and evidence supporting regulatory audits and continuous compliance verification.
Network and Data Protection Domains
Describes areas covering network security, information protection, and control mechanisms for safeguarding critical assets.
Incident Response Architecture
Establishes structural requirements for detecting, reporting, and responding to cybersecurity incidents within each tier.
Framework Scope
China MLPS 2.0 is implemented by entities managing information systems vital to national security, economic interests, or critical infrastructure within China.
Framework Objectives
China MLPS 2.0 defines a tiered approach for safeguarding information systems vital to national interests and public welfare.
Classify and protect systems based on cybersecurity risk and criticality
Strengthen governance and oversight of security controls and compliance measures
Ensure effective risk management and continuous improvement of defenses
Enhance protection of sensitive data and personal information assets
Support regulatory compliance with China's cybersecurity laws and standards
Improve audit readiness through rigorous documentation and monitoring practices
Common Framework Mappings
Mapped frameworks include:
CIS Critical Security Controls
GB/T 22239 - Information Security Technology - Baseline for Classified Protection of Cybersecurity
ISO/IEC 27001
ISO/IEC 27002
ISO/IEC 27701
MITRE ATT&CK
NIST Cybersecurity Framework
NIST SP 800-53
- Classification: Category: Cybersecurity; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Framework; Legal Instrument: Program; Sector: Cross-Sector; Industry: Cross-Industry
- Region / Publisher: Region: Asia-Pacific; Region Detail: China; Publisher: National Cybersecurity Center of China
- Versioning: Version: MLPS 2.0 — Multi-Level Protection Scheme; Effective Date: 2019; Issue Date: July 2020
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: Very High
License included / downloadable: Yes
MLPS guidance is published by Chinese government authorities and is publicly available through official regulatory sources.
How SmartSuite Supports MLPS 2.0
Manage China MLPS 2.0 requirements by organizing system classification, tracking security controls by level, and maintaining evidence supporting compliance with national cybersecurity protection standards.
System Classification and Protection Levels
Classify systems into MLPS levels (Level 1–5) and track required protection measures.
Control Framework by Security Level
Structure technical and organizational controls aligned to MLPS level requirements.
System Risk Assessment and Gap Remediation
Assess system risks, identify control gaps, and prioritize remediation activities.
Identity, Authentication, and Network Protection
Manage identity, authentication, and network protection controls across systems.
Monitoring, Logging, and Incident Response
Track system activity, detect anomalies, and manage incident response workflows.
MLPS Compliance Tracking and Certification Readiness
Provide dashboards showing control coverage, system classification status, and MLPS compliance readiness.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.

MITRE ATT&CK is a knowledge framework documenting adversary tactics and techniques to help organizations detect, analyze, and respond to attacks.
Frequently Asked Questions For China MLPS 2.0 (Multi-Level Protection Scheme for Cybersecurity)
China MLPS 2.0 is used to classify and secure information systems according to their significance to national security, economic activities, and public interests. It sets forth cybersecurity requirements and controls tailored to different protection levels, driving risk-based security management in organizations operating in China.
Yes, compliance with MLPS 2.0 is mandatory for all organizations, both domestic and foreign, that operate or manage information systems within China. Non-compliance can result in regulatory penalties, operational restrictions, or other legal consequences.
MLPS 2.0 applies to all public and private sector organizations using information systems in China, including critical infrastructure, cloud service providers, and enterprises handling sensitive data. The framework covers IT, OT, and networked systems used for national, economic, or social functions.
Information systems are classified into five ascending protection levels based on their potential impact on national security, social stability, economic development, or public interests in the event of a security breach. Each level prescribes progressively stricter security and compliance requirements.
Key compliance artifacts include classification assessment reports, gap analyses, security policies, control implementation evidence, risk registers, and documentation of regular security assessments and remediation actions. These documents are reviewed during regulatory audits.
MLPS 2.0 is distinct in its tiered approach and mandatory national application, but shares concepts like risk management, access controls, and auditability with frameworks such as ISO 27001 or NIST CSF. However, it specifically aligns with China’s cybersecurity regulations and legal requirements.
Continuous compliance requires periodic risk assessments, regular security testing, incident response planning, documentation updates, and ongoing monitoring of controls. Organizations must be prepared for regulatory inspections and demonstrate remediation of any findings.
SmartSuite streamlines MLPS 2.0 compliance by enabling centralized management of control implementation, risk tracking, and policy documentation according to each protection level. The platform facilitates evidence collection for audits, tracks remediation activities, and offers dashboards for ongoing compliance monitoring and reporting, supporting audit readiness and regulatory engagement.

