MLPS 2.0 (Multi-Level Protection Scheme)
China's mandatory multi-level cybersecurity protection regime
ISO 27701
International standard for Privacy Information Management Systems
Quick Verdict
MLPS 2.0 mandates graded cybersecurity for China networks via PSB enforcement, while ISO 27701 offers voluntary global privacy certification. Chinese firms adopt MLPS for legal compliance; multinationals use ISO 27701 for auditable PII governance.
MLPS 2.0 (Multi-Level Protection Scheme)
Multi-Level Protection Scheme 2.0 (GB/T 22239-2019)
Key Features
- Five-level classification based on societal impact harm
- Mandatory third-party audits for Level 2+ systems
- PSB enforcement with inspections and certifications
- Extended controls for cloud, IoT, ICS, big data
- Governance structures with role separation and training
ISO 27701
ISO/IEC 27701:2025 Privacy Information Management
Key Features
- Establishes Privacy Information Management System (PIMS)
- Controller- and processor-specific privacy controls
- Extends ISO 27001 with privacy risk assessments
- Maps directly to GDPR Article requirements
- Enables standalone certification with audits
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
MLPS 2.0 (Multi-Level Protection Scheme) Details
What It Is
MLPS 2.0 (Multi-Level Protection Scheme) is China's legally mandated cybersecurity framework under the 2017 Cybersecurity Law (Article 21). It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, using an impact-based risk methodology.
Key Components
- Core domains: physical security, network protection, data security, access control, monitoring, governance.
- Common controls for all levels plus extended requirements for cloud, IoT, big data, ICS.
- Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
- Compliance via self-classification, third-party audits (Level 2+), PSB approval.
Why Organizations Use It
- Mandatory for all China-based networks to avoid fines, suspensions.
- Enhances resilience, supports market access, aligns with data laws.
- Builds regulator trust, reduces enforcement risks.
Implementation Overview
Phased: scoping, classification, gap analysis, remediation, audits, ongoing re-evaluations. Applies to all sizes in China; Level 3+ needs annual audits. Costs tens of thousands USD yearly.
ISO 27701 Details
What It Is
ISO/IEC 27701:2025 is the international standard for establishing, implementing, maintaining, and improving a Privacy Information Management System (PIMS). It extends ISO 27001 with privacy-specific requirements, using a risk-based, PDCA (Plan-Do-Check-Act) management system approach for PII controllers and processors.
Key Components
- Clauses 4–10 cover context, leadership, planning, support, operation, evaluation, and improvement.
- Annex A (controllers) and Annex B (processors) provide ~50 privacy controls.
- Built on ISO 27001/27002; includes GDPR mappings (Annex D).
- Certification via accredited bodies, 3-year cycle with surveillance audits.
Why Organizations Use It
- Demonstrates accountability for privacy laws like GDPR.
- Manages PII risks, enhances trust, aids procurement.
- Reduces fines, integrates security/privacy governance.
Implementation Overview
- Phased: scope, gap analysis, controls, audits.
- 6–12 months typical; suits all sizes/industries.
- Requires RoPA, DSAR processes, DPIAs, training.
Key Differences
| Aspect | MLPS 2.0 (Multi-Level Protection Scheme) | ISO 27701 |
|---|---|---|
| Scope | Graded cybersecurity for all networks/systems | Privacy management for PII processing |
| Industry | All sectors in mainland China | Global, all PII-processing organizations |
| Nature | Mandatory regulation by PSBs | Voluntary PIMS certification standard |
| Testing | Third-party audits, PSB approval, periodic re-evals | Certification audits, annual surveillance |
| Penalties | Fines, suspensions, inspections | Loss of certification, no legal penalties |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about MLPS 2.0 (Multi-Level Protection Scheme) and ISO 27701
MLPS 2.0 (Multi-Level Protection Scheme) FAQ
ISO 27701 FAQ
You Might also be Interested in These Articles...

DORA Third-Party Risk Management: A Consultant’s Guide to Mapping Critical ICT Service Providers in 2026
Navigate DORA's complex third-party risk pillar. Step-by-step consultant guide to identify critical ICT providers, remediate Article 30 contracts, and build the

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan
Debunk ISO 27701 2025 standalone certification myths vs ISO 27001. Get a 90-day PIMS launch roadmap, checklists & audit prep to certify faster amid global priva

Unpacking the True Cost: A Guide to Calculating TCO for Modern Compliance Monitoring Software
Unpack the true Total Cost of Ownership (TCO) for compliance monitoring software. Factor in licenses, implementation, training, maintenance, and ROI savings for
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Check out these other Gradum.io Standards Comparison Pages
ISO 9001 vs ISO 55001
Explore ISO 9001 vs ISO 55001: QMS for quality excellence vs AMS for asset lifecycle mastery. Uncover key differences, benefits & choose your path to efficiency now!
FERPA vs ISO 26000
Compare FERPA vs ISO 26000: U.S. student privacy law meets global social responsibility guidance. Unlock key differences, compliance strategies & implementation tips for educators. Dive in!
ISO 27001 vs SQF
Compare ISO 27001 vs SQF: ISO 27001 masters info security resilience; SQF ensures food safety/quality compliance. Discover key differences, benefits & choose wisely for your ops.