IT security in China is evolving

07 July, 2022

When it comes to safeguarding IT systems, the number of regulatory measures China has implemented has grown steadily. From cybersecurity to data security to the protection of personal information, the controls public authorities are putting on so-called network operators continue to increase. This article provides an overview of existing regulations and the multi-stage evaluation process companies now face.

Companies have been confronted with complex challenges ever since China began introducing a series of laws meant to ensure the integrity of IT systems and safeguard the country’s digital sovereignty. The regulations target the processing of data and personal information, which are now integral to China’s digital economy, while ensuring issues relating to state security and privacy are also addressed, not only within the country but also at processing sites abroad. The following gives an overview of the scope of these regulations and how they have developed over time.

Infographic about Cyber Security Law by PwC Germany

Cybersecurity Law

The introduction of the Cybersecurity Law (CSL) by the National People’s Congress in June 2017 resulted in a regulatory regime for technology and information security that has since developed rapidly. The CSL regulates all activities related to domestic networks, thus impacting a wide range of industries with an emphasis on cybersecurity and China’s national sovereignty in cyberspace.

Data Security Law

The Data Security Law (DSL) came into effect in September 2021. Focusing on regulations and requirements that guarantee data security, it also protects the rights and interests of individuals and organizations. Another objective is the advancement of China’s national security interests.

Personal Information Protection Law

In November 2021, the Personal Information Protection Law (PIPL) became China’s first comprehensive personal data privacy law. PIPL is designed to protect the privacy of Chinese citizens by safeguarding any personal information processed domestically or overseas. PIPL can be seen as the Chinese equivalent of the European GDPR.

MLPS 2.0 applies to all network

CSL applied: The Multi-Level Protection Scheme 2.0

In 2019, implementation of the CSL marked the official launch of the Multi-Level Protection Scheme 2.0 (MLPS 2.0), a regulatory classification system for cybersecurity protection that every network operator in China is required to comply with. Businesses operating in the People’s Republic face continued pressure to adhere to an increasingly comprehensive – and strictly enforced – cyber and data privacy regime.

MLPS 2.0 applies to all network operators in the broadest sense, which means it applies to every company that runs an IT system. For each IT system or application in use, the business in question must carry out an evaluation process to identify, rate and officially certify the relevant security protection level.

Four-stage evaluation process

The critical stages in the evaluation process consist of Self-classification, Self-filing & Self-security construction and alteration, Third-party evaluation and Continuous inspection and improvement. Each stage is described briefly below.

Infographic about the Four-stage evaluation process by PwC Germany


  • Operators are responsible for determining the classification of each application’s cybersecurity protection level. There are five levels of security which range from 1 (high) to 5 (low).
  • Operators of networks that are classified as level 2 or higher must organize expert reviews of the classification process.

Self-filing & Self-security construction and alteration

  • Operators must conduct filing procedures at public security authorities according to the security protection level that has been determined.
  • They must plan and design the protection of the target networks or applications based on the “Baseline for Classified Protection of Cybersecurity.”

Third-party evaluation

  • When the protection level is classified as level 3 or higher, operators must select a qualified institution to implement testing and evaluation.
  • The testing and evaluation should be filed at the local public cybersecurity department (county level or above) responsible for the area where the operator is located.
  • Operators with networks classified as level 3 or higher must undergo security inspections by public security authorities at least once a year.
  • More detailed information is available in the “Evaluation Requirement for Classified Protection of Cybersecurity.”

Continuous inspection and improvement

  • Supervision and inspection of network operators is carried out by the classified protection management department of the relevant public authority.

Key takeaway

CSL, DSL, PIPL and MLPS lay out the legislative regulations governing cybersecurity and data privacy that businesses operating in China must comply with. MLPS 2.0 requires network operators to pass a mandatory evaluation, and companies face regulatory sanctions if they fail to do so. To address the requirements of MLPS 2.0, companies need to assess the current state and risk level of their information systems. For systems categorized as level 2 or higher, an expert or professionally licensed organization should be engaged to perform an independent evaluation.

Jingyi Zuo provides compliance services for cloud service providers for PwC Germany

Jingyi Zuo

After graduating from the Luiss Business School in Rome, Jingyi Zuo joined PwC China in Beijing in July 2015. For five years, she supported clients there in enterprise risk management, especially in their IT alignment. In February 2020, she moved to PwC Germany in Munich, where she provides compliance services for cloud service providers, including on the C5 criteria catalog and SOC qualification, as well as transformation governance services for cloud users. In 2021, she began developing a new business field for German cloud services in China that supports both German and Chinese cloud users in their cloud transformation in China and Germany.


Eiko Ermold is a Director for Consulting Services around Cloud Transformation Governance at PwC Germany

Eiko Ermold

Eiko Ermold began his career at PwC after graduating with a degree in business administration in 2000. After four years as a consultant and auditor in IT Risk Management, he moved to the internal IT organization. There, as Enterprise Architect, he was responsible for the Assurance application landscape. Later, he was active as team leader of PwC IT Solution Engineers for Infrastructure and Platform Services. In 2012, he became Enterprise Architect in the central IT division of an MDAX group, where he supported the global consolidation of systems. He worked at Microsoft as a consultant for digitalization and cloud at large corporations before returning to PwC in 2021 as Director for Consulting Services around Cloud Transformation Governance.


Follow us

Contact us

Thomas Heck

Thomas Heck

Partner, PwC USA Business Group Leader & China Business Group, PwC United States

Dr. Katja Banik

Dr. Katja Banik

Redaktionsleitung, PwC Germany

Tel: +49 151 14262429