<!-- Source: https://melinasecurity.com/solutions/mlps-readiness/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->


China's [Multi-Level Protection Scheme (MLPS / 网络安全等级保护 / 等保 2.0)](/knowledge/glossary/mlps/) is the foundational cybersecurity-compliance frame for information systems operating in mainland China. For overseas companies entering the China market with SaaS, IoT, or connected products, MLPS classification is typically a regulatory gating step — local hosting partners and enterprise customers will require MLPS-graded assessment results before integration.

This solution covers the end-to-end readiness path: classification scoping, technical gap assessment, remediation alongside the engineering team, and coordination with the accredited assessor who issues the formal grading.

## What MLPS 2.0 grading involves

MLPS 2.0 is a five-grade classification system (Grade 1 through Grade 5) with technical and management requirements escalating at each grade. For most overseas commercial systems entering China, the relevant grades are:

- **Grade 2** — typical for general commercial systems whose compromise would harm legitimate rights of citizens or organizations
- **Grade 3** — typical for systems whose compromise would severely harm legitimate rights or harm the public interest; commonly applied to systems handling significant volumes of personal information or operating in regulated sectors

Grade 4 and Grade 5 are reserved for systems that affect national security or critical-sector operation and typically map onto [CII](/knowledge/glossary/cii/) designation.

The grading process involves system classification (the operator's own classification proposal), expert review (typically by the local industry regulator and an accredited assessor), technical assessment against the GB/T 22239 baseline requirements at the proposed grade, remediation of identified gaps, and re-assessment.

## Where Melina engages on MLPS readiness

### Classification scoping

We assess the proposed system boundary and operational characteristics against MLPS classification criteria to support a defensible Grade 2 or Grade 3 proposal. Over-classification creates avoidable compliance cost; under-classification produces re-assessment risk later.

### Technical gap assessment against GB/T 22239

GB/T 22239 specifies the baseline technical and management requirements at each MLPS grade. The technical requirements cover identification and authentication, access control, security audit, intrusion prevention, malicious-code protection, data integrity, data confidentiality, data backup and restoration, residual-information protection, and personal-information protection.

We assess the system against the requirements applicable at the proposed grade, producing a remediation list scoped to the specific technical environment.

### Remediation alongside the engineering team

MLPS readiness work is most efficient when the remediation is implemented alongside the assessment — rather than as a separate post-assessment project. We work with the engineering team during remediation, both to accelerate the timeline and to ensure remediation choices integrate cleanly with the existing architecture.

### Accredited assessor coordination

The formal MLPS grading is issued by accredited Chinese assessors. Our work supports the operator's relationship with the assessor — providing technical documentation, evidence packages, and a pre-assessment readiness state that streamlines the formal assessment.

## What this solution does not include

- Issuance of the MLPS grade itself — that is issued by the accredited Chinese assessor
- Registration with the local Public Security Bureau (PSB) — operator-driven
- China legal-entity formation, ICP filing, or hosting-provider procurement — operator-driven with our advisory input as appropriate

## Service mapping

MLPS readiness draws on:

- [Architecture & Cloud Review](/services/architecture-cloud-review/)
- [IoT & Embedded Security](/services/iot-embedded-security/) — where the system includes connected devices
- [GRC services](/services/grc/) — for the management-system control side

## Compliance and standards frame

- MLPS 2.0 — GB/T 22239 (Baseline for Classified Protection of Cybersecurity)
- GB/T 22240 (Guide for Classified Protection of Cybersecurity Classification)
- GB/T 25058 (Guide for Implementation)
- [PIPL](/knowledge/glossary/pipl/) and [DSL](/knowledge/glossary/dsl/) where applicable
- [CII](/knowledge/glossary/cii/) for systems crossing into critical-information-infrastructure designation

## Engagement model

End-to-end MLPS readiness is typically framed as a [Custom Engagement](/engagement-models/custom-engagement/) — the scope is necessarily shaped by the system architecture, the proposed grade, and the existing compliance posture.

## What buyers ask us first

Three questions surface in most initial conversations with overseas companies evaluating China-market entry:

**"Do we have to do MLPS at all?"** It depends on the deployment pathway. Overseas firms with no mainland-China infrastructure and no mainland-China user data may be able to operate outside MLPS scope under specific conditions — see the four-pathway taxonomy in our [MLPS Compliance Pathways framework](/research/mlps-overseas-saas-pathways/) for the structured decision. For any deployment that establishes mainland-China infrastructure or processes mainland-China personal information at scale, MLPS classification is typically a regulatory gating step.

**"Can our existing SOC 2 / ISO 27001 evidence reduce the MLPS work?"** Partially. Mature SOC 2 / ISO 27001 controls typically satisfy 60-80% of the MLPS Grade 2 technical baseline and 40-60% of the Grade 3 baseline. The gaps tend to live in jurisdiction-anchored obligations — log localization, state-approved cryptography, code-level review at Grade 3+ — which require structural change rather than control additions.

**"How does MLPS readiness coordinate with PIPL cross-border transfer obligations?"** The two are independent but related. MLPS classifies the system; PIPL governs personal-information processing. Most engagements scope MLPS and PIPL work in parallel because the underlying data-flow analysis serves both — but the deliverables are distinct, and the accredited-assessor relationship for MLPS is structurally different from the CAC security-assessment relationship for PIPL outbound transfers.

> "Overseas firms entering China often discover that the substantive technical work is closer to their existing posture than they expected — but the structural framing has to change. MLPS is operator-centric and jurisdiction-anchored in ways that SOC 2 simply isn't. The readiness path is about re-anchoring existing controls against a different regulatory geometry, not about layering more controls on top." — Tatiana K., CEO, Melina Security

## Frequently asked questions

### How long does end-to-end MLPS readiness take?

For a Grade 2 system with a typical commercial SaaS architecture and reasonable starting security maturity: 3-5 months. For Grade 3, typically 5-8 months. For systems with significant gap remediation work, multiple quarters.

### Do we need a China legal entity to obtain MLPS grading?

Yes — MLPS grading applies to information systems operated in China and is issued to the operating entity. Overseas companies typically work through a Chinese legal entity (wholly-owned subsidiary, joint venture, or hosting partner) for the operational side of MLPS compliance.

### Can MLPS readiness be combined with PIPL and DSL compliance work?

Yes, and typically should be. The three frameworks address overlapping but distinct requirements — MLPS covers cybersecurity-classified protection, [PIPL](/knowledge/glossary/pipl/) covers personal-information processing, [DSL](/knowledge/glossary/dsl/) covers data classification and important-data protection. Engagement scope is more efficient when the three are coordinated rather than executed sequentially.

### What's the relationship between MLPS grading and CII designation?

Distinct regulatory tracks that can apply to the same system. MLPS grading is a classification system operators self-propose and then have validated through accredited assessment; CII designation is performed by sector regulators based on criteria in the 2021 Critical Information Infrastructure Security Protection Regulations. Systems in CII-adjacent sectors should treat MLPS Grade 3+ as a likely floor and plan for CII designation as a possible additional layer.

### Can readiness work continue if we don't have a Chinese legal entity yet?

Partially. Technical gap assessment, architecture review, and remediation planning can proceed before legal-entity formation. The formal MLPS grading and PSB registration require the operating entity to exist. Most engagements that span the entity-formation timeline structure the work so the technical remediation runs in parallel with the legal-entity track, converging when both are ready for the formal assessment.

## Related

- [What is MLPS?](/knowledge/glossary/mlps/)
- [MLPS overseas — does the scheme apply to my SaaS? — FAQ](/knowledge/faq/iot-saas/mlps-overseas/)
- [Industries — Cloud and SaaS companies](/industries/cloud-saas/)
- [Industries — IoT and connected-device manufacturers](/industries/iot-manufacturers/)
- Companion research: [MLPS Compliance Pathways for Overseas SaaS](/research/mlps-overseas-saas-pathways/)
