IT security in China is evolving

Companies have been confronted with complex challenges ever since China began introducing a series of laws meant to ensure the integrity of IT systems and safeguard the country’s digital sovereignty. The regulations target the processing of data and personal information, which are now integral to China’s digital economy, while ensuring issues relating to state security and privacy are also addressed, not only within the country but also at processing sites abroad. The following gives an overview of the scope of these regulations and how they have developed over time.

Cybersecurity Law

The introduction of the Cybersecurity Law (CSL) by the National People’s Congress in June 2017 resulted in a regulatory regime for technology and information security that has since developed rapidly. The CSL regulates all activities related to domestic networks, thus impacting a wide range of industries with an emphasis on cybersecurity and China’s national sovereignty in cyberspace.

Data Security Law

The Data Security Law (DSL) came into effect in September 2021. Focusing on regulations and requirements that guarantee data security, it also protects the rights and interests of individuals and organizations. Another objective is the advancement of China’s national security interests.

Personal Information Protection Law

In November 2021, the Personal Information Protection Law (PIPL) became China’s first comprehensive personal data privacy law. PIPL is designed to protect the privacy of Chinese citizens by safeguarding any personal information processed domestically or overseas. PIPL can be seen as the Chinese equivalent of the European GDPR.

CSL applied: The Multi-Level Protection Scheme 2.0

In 2019, implementation of the CSL marked the official launch of the Multi-Level Protection Scheme 2.0 (MLPS 2.0), a regulatory classification system for cybersecurity protection that every network operator in China is required to comply with. Businesses operating in the People’s Republic face continued pressure to adhere to an increasingly comprehensive – and strictly enforced – cyber and data privacy regime.

MLPS 2.0 applies to all network operators in the broadest sense, which means it applies to every company that runs an IT system. For each IT system or application in use, the business in question must carry out an evaluation process to identify, rate and officially certify the relevant security protection level.

Four-stage evaluation process

The critical stages in the evaluation process consist of Self-classification, Self-filing & Self-security construction and alteration, Third-party evaluation and Continuous inspection and improvement. Each stage is described briefly below.

Self-classification

• Operators are responsible for determining the classification of each application’s cybersecurity protection level. There are five levels of security which range from 1 (high) to 5 (low).
• Operators of networks that are classified as level 2 or higher must organize expert reviews of the classification process.

Self-filing & Self-security construction and alteration

• Operators must conduct filing procedures at public security authorities according to the security protection level that has been determined.
• They must plan and design the protection of the target networks or applications based on the “Baseline for Classified Protection of Cybersecurity.”

Third-party evaluation

• When the protection level is classified as level 3 or higher, operators must select a qualified institution to implement testing and evaluation.
• The testing and evaluation should be filed at the local public cybersecurity department (county level or above) responsible for the area where the operator is located.
• Operators with networks classified as level 3 or higher must undergo security inspections by public security authorities at least once a year.
• More detailed information is available in the “Evaluation Requirement for Classified Protection of Cybersecurity.”

Continuous inspection and improvement

• Supervision and inspection of network operators is carried out by the classified protection management department of the relevant public authority.

Key takeaway

CSL, DSL, PIPL and MLPS lay out the legislative regulations governing cybersecurity and data privacy that businesses operating in China must comply with. MLPS 2.0 requires network operators to pass a mandatory evaluation, and companies face regulatory sanctions if they fail to do so. To address the requirements of MLPS 2.0, companies need to assess the current state and risk level of their information systems. For systems categorized as level 2 or higher, an expert or professionally licensed organization should be engaged to perform an independent evaluation.