The Chinese authorities have announced the Multi-Level Protection Scheme version 2.0 (MLPS 2.0), which will come into force on 1 December 2019 and extends and supplements the original MLPS rules.
MLPS is a tiered information security protection system. It sets out the reporting obligations and the tier-dependent data and security management requirements that organisations with a presence in China (domestic and foreign businesses alike) must implement for their IT infrastructure. The requirements vary depending on the classification of your systems.
The new mandatory and stricter MLPS 2.0 will regulate data security across your entire IT infrastructure. The authorities have issued a series of supplementing technical regulations and guidelines to assist organisations in moving towards data security compliance, with further practical guidelines expected to follow in the coming months. The key steps to comply are:
(a) Conduct self-evaluations and determine the tier to which your information and network systems belong - from the lowest tier 1 to the highest tier 5.
(b) Comply with the general set of data and security management requirements (requirements for each tier are different), and any applicable additional requirements that are customised for mobile communication technology systems, cloud computing platforms, big data application platform/resources, internet of things and industrial control systems.
(c) File your evaluation results with the Public Security Bureau (PSB) and retain such evaluation records.
(d) Appoint an approved third party agency to undertake security certification of your information and network systems (for tier 2 and above) and file the assessment results with the PSB.
(e) Repeat the evaluation process on an annual basis. The PSB may audit businesses operating tier 3 and above systems in respect of such evaluation.
Other implications to keep in mind:
(i) Given the additional requirements imposed on higher tier systems, localisation of your IT infrastructure may be required.
(ii) Conduct due diligence of your service providers in China to ensure they are compliant with the required security requirements.
(iii) Technical maintenance and support of your systems (for tier 3 and above) may need to be done in China unless certain conditions are met.
(iv) Data protection requirements will also need to be complied with, and the implications for data residency/localisation requirements should be considered.