What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system for all network operators in China, ensuring security controls match the potential impact of system compromise on national security, social order, public interests, and citizens' rights.** Operationalized under Article 21 of the 2017 Cybersecurity Law, it classifies systems into five levels (1-5) based on harm severity, mandating technical, management, physical, and personnel controls via standards like **GB/T 22239-2019**, **GB/T 25070-2019**, and **GB/T 28448-2019**.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All "network operators" in mainland China must comply with MLPS 2.0, encompassing virtually any entity operating networks or information systems, including domestic firms, foreign multinationals, cloud providers, and critical infrastructure operators.** This broad scope, per the Cybersecurity Law, covers traditional IT, cloud, IoT, big data, and industrial control systems; higher levels (3+) apply to finance, energy, and platforms handling significant data volumes.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**MLPS 2.0 requires external audits and third-party evaluations for systems at Level 2 and above, conducted by licensed Chinese firms per GB/T 28448-2019, targeting a minimum 75/100 score.** Level 1 relies on self-assessment; Level 3+ mandates annual testing, PSB verification, and documentation submission, with PSBs issuing certification post-review.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must occur biennially for Level 2 systems, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus upon major changes.** Self-inspections are ongoing; third-party evaluations and PSB verifications ensure continuous compliance, with online examinations and re-evaluations triggered by system updates.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 results in administrative fines up to RMB 1 million, operational suspensions, system shutdowns, blacklisting, and intensified PSB inspections.** Enforcement cases include RMB 50,000 fines for hacking failures and RMB 223 million for data breaches; severe violations risk license revocation and criminal liability for managers.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 controls map to frameworks like ISO 27001 and NIST CSF, aligning domains such as physical security, access management, and monitoring, but require China-specific adaptations for grading, data localization, and PSB oversight.** Organizations leverage existing ISMS for 70-80% coverage, adding prescriptive elements like separation of duties and domestic maintenance.

What is the primary objective of **ISO 22301**?

**ISO 22301:2019 specifies requirements for establishing, implementing, maintaining, and continually improving a Business Continuity Management System (BCMS).** It enables organizations to protect against, reduce the likelihood of, and recover from disruptive incidents, ensuring continuity of critical products and services through its PDCA (Plan-Do-Check-Act) cycle across 10 clauses.

Who is legally or professionally required to comply with **ISO 22301**?

**ISO 22301 applies to organizations of all sizes and sectors seeking resilience, with heightened professional requirements in critical sectors like utilities, transport, health, finance, and IT services.** It supports regulatory compliance such as the EU's NIS Directive for essential services operators and digital providers, where BCM is mandated to mitigate disruptions affecting public welfare.

Does **ISO 22301** require an external audit or third-party certification?

**ISO 22301 certification requires a two-stage external audit by an accredited body: Stage 1 (readiness review) and Stage 2 (effectiveness audit), typically taking 6-8 weeks.** Certification is valid for 3 years, followed by annual surveillance audits and recertification to verify ongoing BCMS conformance.

How often should an assessment for **ISO 22301** be performed?

**ISO 22301 mandates internal audits at planned intervals, typically annually, alongside management reviews and periodic testing of business continuity plans.** The standard follows a 5-year review cycle, with certifications requiring annual surveillance audits and full recertification every 3 years to ensure continual improvement.

What are the consequences of non-compliance with **ISO 22301**?

**Non-compliance with ISO 22301 exposes organizations to unmitigated disruptions, resulting in financial losses, reputational damage, and regulatory penalties under frameworks like the NIS Directive.** Certified organizations avoid these risks, while lapses can lead to failed audits, loss of certification, and inability to maintain critical operations amid incidents like cyberattacks or natural disasters.

Can **ISO 22301** be mapped to other international frameworks?

**Yes, ISO 22301 seamlessly maps to other frameworks via its Annex SL high-level structure, particularly aligning with standards focused on management systems.** Its PDCA cycle and clauses 4-10 facilitate integration for comprehensive resilience, with specific synergies in areas like risk assessment and operational controls.

What is the first step to begin implementing **ISO 22301**?

**The first step in implementing ISO 22301 is conducting a gap analysis against clauses 4-10, starting with Clause 4 to understand the organization's context, internal/external issues, and interested parties.** This informs BCMS scoping, followed by leadership commitment (Clause 5) and Business Impact Analysis (BIA) to prioritize critical functions.

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 22301

Q: What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step for MLPS 2.0 implementation is conducting a comprehensive inventory of systems and preliminary grading based on impact to national security, social order, and public interests.** Define boundaries, assess harm severity per GB/T 22239-2019 matrices, document rationale, and file with local PSB within 30 days for Level 2+ systems.

Standards Comparison

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's mandatory graded cybersecurity protection for networks

ISO 22301

Voluntary

2019

International standard for business continuity management systems

Quick Verdict

MLPS 2.0 mandates graded cybersecurity for China's network operators via levels and PSB enforcement, while ISO 22301 offers voluntary BCMS certification globally for resilience. Companies adopt MLPS for legal compliance; ISO for risk mitigation and trust.

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level classification based on impact to national security
Mandatory registration and expert review for Level 2+ systems
Graded controls across physical, network, data, governance domains
Enforced by Public Security Bureaus with fines and inspections
Extended requirements for cloud, IoT, big data, ICS

Business Continuity

ISO 22301

ISO 22301:2019 Business continuity management systems Requirements

Cost

€€€

Complexity

Medium

Implementation Time

0-6 months

Key Features

PDCA cycle for continual BCMS improvement
Business Impact Analysis to prioritize functions
Leadership commitment and BCMS policy requirements
Risk assessment and recovery strategy testing
Annex SL integration with ISO 27001

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory cybersecurity regulation operationalizing Article 21 of the 2017 Cybersecurity Law. It classifies networks into five protection levels based on potential harm to national security, social order, and public interests, requiring graded technical, management, and physical controls per standards like GB/T 22239-2019.

Key Components

Core domains: physical security, network protection, data security, security operations, governance.
Common controls for all levels plus extended for cloud, IoT, big data, ICS.
Compliance via self-assessment, expert review (Level 2+), PSB filing, third-party evaluations scoring ≥75%.

Why Organizations Use It

Mandated for all network operators in China; avoids fines, inspections, operational disruptions. Enhances risk management, rationalizes investments, builds regulatory trust, integrates with DSL/PIPL.

Implementation Overview

Phased roadmap: inventory/grading, gap analysis, remediation, evaluation, ongoing monitoring. Applies to all sizes/industries in China; high complexity demands local expertise, recurring audits.

ISO 22301 Details

What It Is

ISO 22301:2019 is the international standard titled Security and resilience — Business continuity management systems — Requirements. It specifies requirements for a Business Continuity Management System (BCMS) to protect against, reduce likelihood of, and recover from disruptions. Employs a risk-based approach via PDCA (Plan-Do-Check-Act) cycle and Annex SL high-level structure for flexibility across contexts.

Key Components

10 clauses (4-10 core): context, leadership, planning (BIA, risk assessment), support, operation (strategies, testing), evaluation (audits, reviews), improvement.
No fixed controls; tailored to organization.
Built on PDCA; certification every 3 years with annual surveillance.

Why Organizations Use It

Builds resilience, minimizes downtime/financial losses.
Meets regulatory needs (e.g., NIS Directive, NIST).
Enhances risk management, stakeholder trust, reputation.
Provides competitive edges like procurement advantages, lower insurance.

Implementation Overview

Phased: gap analysis, BIA/RA, training, testing, audits.
Applies to all sizes/sectors globally.
Two-stage certification (6-8 weeks), tools accelerate (e.g., 60 days prep).