International firms entering mainland China face a regulatory frame that does not map cleanly onto the SOC 2 / ISO 27001 / GDPR posture they arrive with. The work is not a translation exercise. ICP filing, MLPS grading, PIPL cross-border consent, and the possibility of CII designation each impose obligations whose closest Western analogs are structurally different — and whose remediation path is often hosting-architectural rather than control-incremental.
We work with international firms across the China-entry transition: pre-entry readiness assessment, hosting and architecture decision support, MLPS gap remediation, and post-entry retainer coverage as the regulatory frame evolves.
What “security” means in Chinese regulatory context
In a Western frame, “security” tends to be a confidentiality-integrity-availability conversation owned by an information-security function, governed by an audit standard, and benchmarked against industry baselines. In the Chinese regulatory frame, “security” (安全) is a broader concept that interlocks with national security, data sovereignty, and content governance.
For an international firm entering the market, this changes three orientations:
- Regulators expect a system-level grading, not a control framework. MLPS asks: what level of damage would a compromise of this system cause to social order, public interest, or national security? The grade (L1 through L5) determines the obligation set. The control framework follows the grade.
- Data is jurisdictional, not just regulated. Personal information collected from mainland-China data subjects has obligations that flow with the data — including obligations on outbound transfer that exist independent of any subject-rights framework.
- The operator carries the obligation, even where the operator is the international firm. MLPS obligations attach to whoever operates the system inside China. The firm cannot avoid them by being headquartered elsewhere.
MLPS posture mapping
A firm arriving with mature SOC 2 / ISO 27001 controls typically has 60-80% of what an MLPS L2 grade requires, and 40-60% of what L3 requires — but the gaps are not where the team expects.
What translates well: access-control discipline, audit logging, change management, encryption-in-transit standards, vendor risk management, incident response process.
What does not translate cleanly:
- Localization of audit logs. MLPS expects logs retained within China for graded systems, in a form that supports inspection. SOC 2 expects logs retained; it does not expect them retained inside a specific jurisdiction.
- Code-level review obligations. MLPS L3 introduces application-source-code review as part of the grading process. SOC 2 / ISO 27001 do not.
- Cryptographic algorithm constraints. MLPS expects state-approved cryptographic algorithms (the SM2/SM3/SM4 family) for graded systems in scope. Western posture is typically built on AES, RSA, SHA-2/3 with no jurisdictional algorithm constraint.
- Personnel review. MLPS L3+ introduces personnel-background-review obligations that map awkwardly onto Western HR-screening posture.
- The graded assessor. MLPS grading is performed by a licensed Chinese assessor. SOC 2 attestation is performed by a CPA firm. The assessor relationship is structurally different — the licensed assessor is closer to a notified body than to a third-party auditor.
The remediation path is rarely “add more controls.” It is more often “reposition existing controls to meet jurisdiction-anchored obligations” — relocate the log store, re-key the in-scope traffic with the state-approved algorithm family, run the personnel review under the China-entity’s HR posture.
For the structural mapping work, see MLPS Readiness.
Cross-border data transfer reality
The PIPL cross-border data transfer (CBDT) regime governs any export of mainland-China personal information. Three lawful bases exist:
- CAC security assessment — required for CII operators, for any handler exporting “important data,” for any handler processing personal information of 1 million+ individuals, and for cumulative outbound flows above defined thresholds (100,000 individuals’ general PI, or 10,000 individuals’ sensitive PI, cumulatively from January 1 of the current year).
- Standard contract filing — the SCC analog. Permitted for handlers below the CAC-assessment thresholds. Requires a Personal Information Protection Impact Assessment (PIPIA) and a filing with the provincial CAC.
- Certification — by a CAC-recognized professional body. Less commonly used in practice.
For international firms, the practical implication is that any back-end architecture that processes mainland-China user data outside mainland China triggers a CBDT obligation — which lawful basis applies depends on the data volumes and the data classification. A firm whose product collects mainland-China user data and routes it to an EU or US back-end is making a CBDT decision whether it has formalized one or not.
For the regulatory detail, see PIPL and Cross-Border Data Transfer.
Hosting decision tree
The hosting architecture decision is the single highest-leverage choice in the China-entry posture. We walk through it as a tree:
1. Does the product collect mainland-China personal information?
- No → overseas hosting is acceptable with no PIPL CBDT exposure. ICP is required only if the service is directly marketed within mainland China.
- Yes → continue.
2. What volume of data and what data classification?
- Below the CAC-assessment thresholds, general PI only → SCC route with overseas hosting is workable; PIPIA required; standard contract filed.
- Above thresholds, or any sensitive PI volume, or any “important data” classification → CAC security assessment required for overseas hosting. The assessment is non-trivial. At this point, an in-China hosting option (Aliyun, Tencent Cloud, Huawei Cloud, AWS-China via Sinnet/NWCD) often becomes operationally simpler.
3. Is the service publicly accessible within mainland China?
- Yes → ICP filing (备案) is required. ICP requires a domestic legal entity, domestic-hosted infrastructure, and a domain reachable from mainland-China DNS resolution paths without an overseas detour.
- No, B2B-only with overseas hosting → no ICP, but cross-border access reliability becomes a product-quality issue (Great Firewall traversal, latency, CDN availability).
4. Is the system likely to be designated CII?
- Telecom, energy, finance, transportation, water, public services, healthcare, government, defense → run CII designation evaluation early. CII status materially elevates obligations: MLPS L3 minimum, CAC security assessment for any CBDT, domestic-procurement preference for critical equipment and services.
The recommendation we issue at the end of this tree depends on the answers, but the structural pattern is consistent: above a certain data-volume threshold or in a CII-adjacent sector, in-China hosting on a Chinese cloud region with ICP is operationally cleaner than overseas hosting with CBDT compliance overhead, even though it requires a domestic-entity structure.
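The threshold logic in the CBDT section and the four-step hosting tree above are the kind of procedure that is easier to check against a concrete data-flow inventory than to reason about by hand. The following is an added worked example, not Melina Security's tooling and not a legal determination: it encodes the thresholds exactly as the page states them (1 million individuals processed; 100,000 general PI or 10,000 sensitive PI exported cumulatively since 1 January), sums outbound transfers over that window, and walks the tree to a structural recommendation. The `Profile`, `OutboundTransfer` and sector names are assumptions constructed for the example; the certification route is not modelled, and where the tree treats any sensitive PI or a CII-adjacent sector as tipping toward in-China hosting, the code does the same while still applying the numeric thresholds to the lawful-basis question.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Iterable, Tuple

# Thresholds as stated in the page's CBDT section; verify against current CAC guidance before relying on them.
CAC_TOTAL_PI_INDIVIDUALS = 1_000_000   # handler processes PI of 1 million+ individuals
CAC_CUMULATIVE_GENERAL_PI = 100_000    # outbound general PI, cumulative from 1 January of the current year
CAC_CUMULATIVE_SENSITIVE_PI = 10_000   # outbound sensitive PI, cumulative from 1 January of the current year

# Sectors the page lists as CII-adjacent (step 4 of the tree); labels are assumptions for this example.
CII_ADJACENT_SECTORS = frozenset({
    "telecom", "energy", "finance", "transportation", "water",
    "public_services", "healthcare", "government", "defense",
})


class Basis(Enum):
    NONE = "no PIPL CBDT exposure"
    SCC = "standard contract filing (PIPIA + provincial CAC filing)"
    CAC = "CAC security assessment"


@dataclass(frozen=True)
class OutboundTransfer:
    """One outbound transfer event: number of data subjects and whether the PI was sensitive."""
    when: date
    individuals: int
    sensitive: bool = False
    important_data: bool = False   # any 'important data' classification forces CAC assessment


@dataclass(frozen=True)
class Profile:
    """Constructed description of a product's China data posture (hypothetical field names)."""
    collects_mainland_pi: bool
    total_individuals: int
    sector: str
    cii_operator: bool
    publicly_accessible_in_mainland: bool
    transfers: Tuple[OutboundTransfer, ...] = ()


def cumulative_outbound(transfers: Iterable[OutboundTransfer], as_of: date) -> Tuple[int, int, bool]:
    """Sum outbound PI from 1 January of as_of's year through as_of: (general, sensitive, any_important_data)."""
    window_start = date(as_of.year, 1, 1)
    general = sensitive = 0
    important = False
    for t in transfers:
        if window_start <= t.when <= as_of:       # transfers before 1 January do not count
            if t.sensitive:
                sensitive += t.individuals
            else:
                general += t.individuals
            important = important or t.important_data
    return general, sensitive, important


def lawful_basis(profile: Profile, as_of: date) -> Basis:
    """Pick the CBDT lawful basis from the page's thresholds (certification route not modelled)."""
    if not profile.collects_mainland_pi:
        return Basis.NONE
    general, sensitive, important = cumulative_outbound(profile.transfers, as_of)
    needs_cac = (
        profile.cii_operator
        or important
        or profile.total_individuals >= CAC_TOTAL_PI_INDIVIDUALS
        or general >= CAC_CUMULATIVE_GENERAL_PI
        or sensitive >= CAC_CUMULATIVE_SENSITIVE_PI
    )
    return Basis.CAC if needs_cac else Basis.SCC


def hosting_decision(profile: Profile, as_of: date) -> Dict[str, object]:
    """Walk the four-step hosting tree and return the structural answers it yields."""
    basis = lawful_basis(profile, as_of)
    _, sensitive, _ = cumulative_outbound(profile.transfers, as_of)
    cii_adjacent = profile.sector in CII_ADJACENT_SECTORS or profile.cii_operator
    # Steps 2 and 4: a CAC trigger, any outbound sensitive PI, or a CII-adjacent sector
    # tips the recommendation toward in-China hosting on a Chinese cloud region with ICP.
    in_china = basis is Basis.CAC or sensitive > 0 or cii_adjacent
    return {
        "lawful_basis": basis,
        "recommend_in_china_hosting": in_china,
        # Step 3: public mainland access needs ICP; in-China hosting is paired with ICP in the page's pattern.
        "icp_filing_required": profile.publicly_accessible_in_mainland or in_china,
        "run_cii_evaluation": cii_adjacent,
        "mlps_minimum_level": 3 if profile.cii_operator else None,   # CII status implies L3 minimum
    }


# Constructed samples (not real clients). The December 2023 transfer falls outside the window.
SAMPLE_SAAS = Profile(
    collects_mainland_pi=True, total_individuals=250_000, sector="retail",
    cii_operator=False, publicly_accessible_in_mainland=True,
    transfers=(OutboundTransfer(date(2023, 12, 20), 80_000),)
    + tuple(OutboundTransfer(date(2024, m, 15), 30_000) for m in range(1, 5)),
)
SAMPLE_B2B = Profile(
    collects_mainland_pi=True, total_individuals=20_000, sector="logistics_software",
    cii_operator=False, publicly_accessible_in_mainland=False,
    transfers=(OutboundTransfer(date(2024, 2, 1), 5_000),),
)
SAMPLE_NO_PI = Profile(False, 0, "analytics", False, False)

if __name__ == "__main__":
    for name, p in (("saas", SAMPLE_SAAS), ("b2b", SAMPLE_B2B), ("no_pi", SAMPLE_NO_PI)):
        print(name, hosting_decision(p, date(2024, 6, 30)))
```

The SaaS sample has 250,000 users, below the 1 million processing threshold, but four monthly exports of 30,000 general-PI records push its cumulative 2024 outbound volume to 120,000 and trip the CAC-assessment trigger; the 80,000-record export in December 2023 is correctly excluded because the page's window restarts on 1 January. That is the point the code makes that the prose does not: the lawful basis is a running total, so a product can start the year on the SCC route and cross into CAC territory mid-year without any architectural change.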
Engagement shape
For most international firms entering China, the work is shaped as a Custom Engagement — the scope spans regulatory mapping, hosting-architecture review, MLPS gap remediation, and (where applicable) CII evaluation, which is not a fit for a single Scoped Assessment frame.
For firms with continuous operations in China (a SaaS platform serving mainland-China customers, a connected product with an active mainland install base, a development team using mainland-China infrastructure), the post-entry phase converts naturally into a Retainer. That retainer covers quarterly regulatory-change review, MLPS re-grading support, and incident-response coordination with mainland authorities under the regulatory-cooperation obligations.
Service mapping
International firms entering mainland China typically work with us across:
- GRC — for the regulatory mapping and gap analysis layer
- Architecture & Cloud Review — for the hosting decision, multi-region data-flow review, and tenant-isolation posture in the Chinese cloud environment
- MLPS Readiness — for the graded-system preparation work
- IoT & Embedded Security — for international hardware brands shipping connected products into mainland China
What buyers ask us first
Three questions surface in nearly every initial conversation with an international firm planning China entry:
“Can we just use our SOC 2 / ISO 27001 evidence?” Partially. About 60-80% of an MLPS L2 grade is satisfied by mature SOC 2 / ISO 27001 controls. The remaining 20-40% lives in jurisdiction-anchored obligations (log localization, state-approved cryptography, code-level review at L3+) that SOC 2 does not require. The evidence reuse is real; the gap is not optional and needs to be planned for.
“Do we have to host in China?” Not always. If you’re under the CAC-assessment thresholds and your data is general PI only, overseas hosting with an SCC route remains workable. Above the thresholds, or for sensitive PI volumes, or in CII-adjacent sectors, in-China hosting on a Chinese cloud region typically becomes operationally simpler than overseas hosting plus CBDT compliance overhead. The hosting-decision tree above is the practical tool we use to settle this.
“How long does the entire entry process take?” From assessment kickoff to operational mainland presence: 4-9 months. The bottlenecks are not technical — they are entity-formation (1-3 months), ICP filing (1-2 months from entity formation), and (where applicable) CAC security assessment (2-4 months). Technical remediation typically lands inside those parallel tracks.
“International firms arriving with mature security posture often underestimate how much of the China-entry work is structural rather than control-incremental. You’re not buying a few more controls — you’re re-anchoring the existing posture against a different regulatory geometry. That re-anchoring is what we do.” — Tatiana K., CEO, Melina Security
Frequently asked questions
Do we need a Chinese legal entity to enter the market?
For B2C services accessible within mainland China, effectively yes — ICP filing requires a domestic entity. For B2B services with overseas hosting and no public mainland-China web presence, you can operate without one, but you face CBDT obligations on any data flowing back and Great-Firewall-traversal reliability as a product-quality issue. Most firms that scale past initial market entry establish a domestic entity within the first 12-18 months.
Can we operate in mainland China without MLPS classification?
For systems whose compromise would not affect social order, public interest, or national security in any meaningful way, MLPS grading may not formally apply — though the registration process is still expected. In practice, almost every system serving mainland-China customers at scale receives at least L1 or L2 classification. Above L2, the grading is performed by a licensed Chinese assessor and the evidence package is meaningfully more substantive than the SOC 2 / ISO 27001 equivalent.
What about Hong Kong / Macau / Taiwan?
Mainland China’s regulatory frame (MLPS, PIPL, DSL, CII) does not apply to Hong Kong, Macau, or Taiwan. Hong Kong has its own data-protection regime (the Personal Data (Privacy) Ordinance). Taiwan has the Personal Data Protection Act. These are independent regulatory regimes with their own posture and evidence expectations. The PIPL cross-border transfer obligations may apply to flows between mainland China and Hong Kong / Macau depending on the data classification.
How does CII designation actually happen?
CII designation is performed by sector regulators based on criteria in the 2021 Critical Information Infrastructure Security Protection Regulations. Operators do not self-classify; the sector regulator (typically the industry’s primary supervisory body) issues the determination. The strategic implication: firms in CII-adjacent sectors (telecom, energy, finance, transportation, water, public services, healthcare, government, defense) should plan for the possibility of designation from day one, even if the formal determination has not yet been issued.
Is the regulatory environment stable enough to plan a multi-year roadmap?
The core architecture (MLPS / PIPL / DSL / CII) has been stable since 2021-2022. The implementation regulations and guidance documents continue to evolve, but the structural framework is now mature. Multi-year roadmaps are realistic, with the caveat that thresholds (CBDT volume thresholds, classification thresholds) may be recalibrated and CII designation criteria for newer sectors (AI infrastructure, digital health) are still developing.
Related
- PIPL — primer
- Cross-Border Data Transfer — primer
- CII Designation — primer
- China Compliance — pillar
- MLPS Compliance Pathways for Overseas SaaS — companion framework for the four-pathway taxonomy
- Industries — pillar
- Engagement models
Services we run for International Firms Entering the Chinese Market
GRC & Compliance
Risk assessments, control mapping, ISO 27001 / SOC 2 / NIST CSF / MLPS readiness.
Cloud & Architecture Reviews
Threat modeling, cloud backend assessment, Kubernetes, zero-trust design.
IoT & Embedded Security Assessment
Hardware teardown, firmware extraction, device-to-cloud ecosystem assessment.