MLPS Readiness — Cybersecurity Classified Protection for China-Market Systems

End-to-end MLPS 2.0 readiness for overseas SaaS, IoT platforms, and connected products entering or operating in mainland China.

By Melina Editorial

China’s Multi-Level Protection Scheme (MLPS / 网络安全等级保护 / 等保 2.0) is the foundational cybersecurity-compliance frame for information systems operating in mainland China. For overseas companies entering the China market with SaaS, IoT, or connected products, MLPS classification is typically a regulatory gating step — local hosting partners and enterprise customers will require MLPS-graded assessment results before integration.

This solution covers the end-to-end readiness path: classification scoping, technical gap assessment, remediation alongside the engineering team, and coordination with the accredited assessor who issues the formal grading.

What MLPS 2.0 grading involves

MLPS 2.0 is a five-grade classification system (Grade 1 — Grade 5) with technical and management requirements escalating at each grade. For most overseas commercial systems entering China, the relevant grades are:

  • Grade 2 — typical for general commercial systems whose compromise would harm legitimate rights of citizens or organizations
  • Grade 3 — typical for systems whose compromise would severely harm legitimate rights or harm the public interest; commonly applied to systems handling significant volumes of personal information or operating in regulated sectors

Grade 4 and Grade 5 are reserved for systems that affect national security or critical-sector operation and typically map onto CII designation.

The grading process involves system classification (the operator’s own classification proposal), expert review of that proposal (typically involving the sector regulator and an accredited assessor), filing of the classification with the local Public Security Bureau, technical assessment against the GB/T 22239 baseline requirements at the proposed grade, remediation of identified gaps, and re-assessment.

Where Melina engages on MLPS readiness

Classification scoping

We assess the proposed system boundary and operational characteristics against MLPS classification criteria to support a defensible Grade 2 or Grade 3 proposal. Over-classification creates avoidable compliance cost; under-classification produces re-assessment risk later.

Technical gap assessment against GB/T 22239

GB/T 22239 specifies the baseline technical and management requirements at each MLPS grade. The technical requirements cover identification and authentication, access control, security audit, intrusion prevention, malicious-code protection, data integrity, data confidentiality, data backup and restoration, residual-information protection, and personal-information protection.

We assess the system against the requirements applicable at the proposed grade, producing a remediation list scoped to the specific technical environment.

Remediation alongside the engineering team

MLPS readiness work is most efficient when the remediation is implemented alongside the assessment — rather than as a separate post-assessment project. We work with the engineering team during remediation, both to accelerate the timeline and to ensure remediation choices integrate cleanly with the existing architecture.

Accredited assessor coordination

The formal MLPS grading is issued by accredited Chinese assessors. Our work supports the operator’s relationship with the assessor — providing technical documentation, evidence packages, and pre-assessment readiness state that streamlines the formal assessment.

What this solution does not include

  • Issuance of the MLPS grade itself — that is issued by the accredited Chinese assessor
  • Registration with the local Public Security Bureau (PSB) — operator-driven
  • China legal-entity formation, ICP filing, or hosting-provider procurement — operator-driven with our advisory input as appropriate

Service mapping

MLPS readiness draws across:

Compliance and standards frame

  • MLPS 2.0 — GB/T 22239 (Baseline for Classified Protection of Cybersecurity)
  • GB/T 22240 (Guide for Classified Protection of Cybersecurity Classification)
  • GB/T 25058 (Guide for Implementation)
  • PIPL and DSL where applicable
  • CII for systems crossing into critical-information-infrastructure designation

Engagement model

End-to-end MLPS readiness is typically Custom Engagement framing — the scope is necessarily shaped by the system architecture, the proposed grade, and the existing compliance posture.

What buyers ask us first

Three questions surface in most initial conversations with overseas companies evaluating China-market entry:

“Do we have to do MLPS at all?” It depends on the deployment pathway. Overseas firms with no mainland-China infrastructure and no mainland-China user data may be able to operate outside MLPS scope under specific conditions — see the four-pathway taxonomy in our MLPS Compliance Pathways framework for the structured decision. For any deployment that establishes mainland-China infrastructure or processes mainland-China personal information at scale, MLPS classification is typically a regulatory gating step.

“Can our existing SOC 2 / ISO 27001 evidence reduce the MLPS work?” Partially. In our experience, mature SOC 2 / ISO 27001 controls cover roughly 60-80% of the MLPS Grade 2 technical baseline and 40-60% of the Grade 3 baseline. The gaps tend to live in jurisdiction-anchored obligations, such as log localization, state-approved (SM-series) cryptography, and code-level review at Grade 3 and above, which require structural change rather than additional controls.

“How does MLPS readiness coordinate with PIPL cross-border transfer obligations?” The two are independent but related. MLPS classifies the system; PIPL governs personal-information processing. Most engagements scope MLPS and PIPL work in parallel because the underlying data-flow analysis serves both — but the deliverables are distinct, and the accredited-assessor relationship for MLPS is structurally different from the CAC security-assessment relationship for PIPL outbound transfers.

“Overseas firms entering China often discover that the substantive technical work is closer to their existing posture than they expected — but the structural framing has to change. MLPS is operator-centric and jurisdiction-anchored in ways that SOC 2 simply isn’t. The readiness path is about re-anchoring existing controls against a different regulatory geometry, not about layering more controls on top.” — Tatiana K., CEO, Melina Security

Frequently asked questions

How long does end-to-end MLPS readiness take?

For a Grade 2 system with a typical commercial SaaS architecture and reasonable starting security maturity: 3-5 months. For Grade 3, typically 5-8 months. For systems with significant gap remediation work, multiple quarters.

Does MLPS grading require a Chinese operating entity?

Yes — MLPS grading applies to information systems operated in China and is issued to the operating entity. Overseas companies typically work through a Chinese legal entity (wholly-owned subsidiary, joint venture, or hosting partner) for the operational side of MLPS compliance.

Can MLPS readiness be combined with PIPL and DSL compliance work?

Yes, and typically should be. The three frameworks address overlapping but distinct requirements — MLPS covers cybersecurity-classified protection, PIPL covers personal-information processing, DSL covers data classification and important-data protection. Engagement scope is more efficient when the three are coordinated rather than executed sequentially.

What’s the relationship between MLPS grading and CII designation?

Distinct regulatory tracks that can apply to the same system. MLPS grading is a classification system operators self-propose and then have validated through accredited assessment; CII designation is performed by sector regulators based on criteria in the 2021 Critical Information Infrastructure Security Protection Regulations. Systems in CII-adjacent sectors should treat MLPS Grade 3+ as a likely floor and plan for CII designation as a possible additional layer.

Can readiness work start before the Chinese legal entity is formed?

Partially. Technical gap assessment, architecture review, and remediation planning can proceed before legal-entity formation. The formal MLPS grading and PSB registration require the operating entity to exist. Most engagements that span the entity-formation timeline structure the work so the technical remediation runs in parallel with the legal-entity track, converging when both are ready for the formal assessment.

Sectors this solution fits