What is the primary objective of **DORA**?

**DORA's primary objective is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks.** Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), entering full application on January 17, 2025.

Who is legally or professionally required to comply with **DORA**?

**DORA applies to approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus critical ICT third-party providers (CTPPs).** CTPPs, such as cloud and data analytics firms, face direct ESA oversight, with designations expected by end-2025.

Does **DORA** require an external audit or third-party certification?

**DORA does not mandate external audits or third-party certification but requires independent digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities.** Testing may involve external providers, with results reported to authorities and remediated promptly, per Batch 2 RTS/ITS published July 17, 2024.

How often should an assessment for **DORA** be performed?

**DORA requires annual basic ICT resilience tests, such as vulnerability assessments, and triennial advanced TLPT for critical or designated entities.** ICT risk management frameworks must undergo annual reviews, tailored proportionally to entity size, complexity, and risk exposure.

What are the consequences of non-compliance with **DORA**?

**Non-compliance with DORA can result in administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals, imposed by ESAs or competent authorities.** Additional measures include oversight fees up to €1 million annually for CTPPs and potential remediation mandates.

Can **DORA** be mapped to other international frameworks?

**Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements can be mapped to other international frameworks, leveraging existing structures like EBA's 2019 ICT guidelines for financial entities.** Proportionality and harmonized RTS/ITS facilitate alignments, though DORA-specific requirements like 4-hour incident notifications remain unique.

What is the first step to begin implementing **DORA**?

**The first step for DORA implementation is conducting a gap analysis against the ICT risk management framework RTS published January 17, 2024, to identify, assess, and prioritize ICT risks.** Establish a comprehensive framework overseen by the management body, integrating proportionality based on entity size and mapping dependencies on ~1,000+ EU ICT providers.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system for all network operators in China, ensuring security measures match the potential harm to national security, social order, public interests, and citizens' rights from system compromise.** Operationalized under Article 21 of the 2017 Cybersecurity Law, it requires classification into five levels (Level 1 minimal impact to Level 5 severe national security threats) with controls defined in GB/T 22239-2019, GB/T 25070-2019, and GB/T 28448-2019, covering physical, network, data, and management domains for modern technologies like cloud and IoT.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**MLPS 2.0 legally requires compliance from all 'network operators' in mainland China, broadly defined to include any entity operating networks or information systems.** This encompasses domestic enterprises, foreign multinationals with China operations, cloud providers, IoT operators, and critical infrastructure in sectors like finance and energy; virtually no organization with IT systems in China is exempt, with higher scrutiny for those handling sensitive data or public services.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 requires external audits and third-party evaluations by licensed Chinese firms for systems at Level 2 and above, targeting a minimum passing score of 75/100 per GB/T 28448-2019.** Level 1 relies on self-assessment; Level 2 needs biennial reviews; Level 3+ demands annual evaluations plus PSB verification, including technical testing, documentation review, and on-site inspections.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must be performed regularly based on protection level: biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus after major changes.** Self-inspections are ongoing for all levels; higher levels include third-party evaluations and PSB verifications to ensure continuous compliance with GB/T standards.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 results in administrative fines up to RMB 1 million, operational suspensions, system shutdowns, blacklisting, and intensified inspections by PSBs.** Enforcement cases include RMB 50,000 fines for hacking failures and RMB 223 million for data breaches; severe violations risk license revocation and criminal liability for management.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 controls can be mapped to frameworks like ISO 27001 and NIST CSF, aligning domains such as governance, access management, and monitoring while addressing China-specific gaps like data localization and PSB oversight.** Organizations leverage existing ISMS for 70-80% coverage but must add prescriptive elements like separation-of-duties and domestic maintenance for full compliance.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step in implementing MLPS 2.0 is to conduct a comprehensive inventory of grading objects (networks, systems, applications) and perform preliminary classification into Levels 1-5 based on impact matrices in GB/T 22239-2019.** This self-assessment evaluates harm to national security, social order, and rights, followed by documentation and filing with local PSBs within 30 days for Level 2+ systems.

DORA vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

DORA

Mandatory

2023

EU regulation for digital operational resilience in financial sector

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's mandatory graded cybersecurity protection scheme.

Quick Verdict

DORA mandates ICT resilience for EU finance, while MLPS 2.0 requires graded protection for China's networks. DORA ensures financial stability via testing; MLPS enforces cybersecurity via PSB oversight. Firms adopt them for regulatory compliance and risk mitigation.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 Digital Operational Resilience Act

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Mandates comprehensive proportional ICT risk management frameworks
Enforces 4-hour initial major incident reporting timelines
Requires annual basic and triennial threat-led penetration testing
Imposes oversight on critical ICT third-party providers
Harmonizes resilience across 20 financial entity types

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory for all China network operators
Graded technical and management controls
Third-party evaluations for Level 2+ systems
Enforcement by Public Security Bureaus

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

DORA, formally Regulation (EU) 2022/2554, is a transformative EU regulation enhancing digital operational resilience in the financial sector against ICT risks like cyberattacks and outages. Applicable to 20 financial entity types (~22,000 entities) and critical ICT third-party providers (CTPPs), it employs a proactive, proportional, risk-based approach harmonizing rules across 27 member states, effective January 17, 2025.

Key Components

**ICT Risk ManagementFrameworks for identification, mitigation, with annual reviews.
**Incident Reporting4-hour initial, 72-hour intermediate notifications for major events.
**Resilience TestingAnnual basic tests, triennial TLPT for critical entities.
**Third-Party OversightDue diligence, monitoring, ESAs supervision via JETs. Built on proportionality; guided by RTS/ITS batches (2024).

Why Organizations Use It

Ensures legal compliance (fines up to 2% turnover).
Mitigates systemic risks (74% firms faced ransomware).
Boosts resilience post-incidents like CrowdStrike outage.
Enhances trust, drives cybersecurity investments (€10-15B EU spend).

Implementation Overview

Gap analyses, framework establishment, testing programs, vendor mapping. Tailored by size/complexity for EU financial entities; involves authority reporting, no formal certification but audits/remediation required. (178 words)

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory regulatory framework operationalizing Article 21 of the 2017 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, public order, and rights, implementing graded technical, management, and physical controls.

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Domains: physical security, network/host protection, data security, monitoring, governance.
Five levels with escalating controls; Levels 2+ require expert review and PSB filing.
Compliance via third-party assessments (75% pass threshold).

Why Organizations Use It

Legal obligation enforced by Public Security Bureaus with fines, inspections.
Rationalizes investments, avoids over/under-protection.
Enhances resilience, integrates with ISO 27001/NIST; builds trust in China market.

Implementation Overview

Phased: inventory, grading, gap analysis, remediation, evaluation, ongoing monitoring.
Applies to all China-based networks; higher complexity/cost for Levels 3+.
Involves local experts, documentation in Chinese; annual re-assessments for higher levels.

Key Differences

Aspect	DORA	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Financial ICT resilience, third-parties	All networks, cloud, IoT, industrial systems
Industry	EU financial entities only	All sectors in China, broad applicability
Nature	Mandatory EU regulation, ESAs enforce	Mandatory Chinese law, PSBs enforce
Testing	Annual basic, triennial TLPT	Level-based evaluations, annual Level 3+
Penalties	2% global turnover fines	Fines, operations suspension, inspections