What is the primary objective of MLPS 2.0 (Multi-Level Protection Scheme)?

The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system for all network operators in China, ensuring security controls match the potential harm from system compromise to national security, social order, public interests, and citizens' rights. Operationalized under Article 21 of the 2017 Cybersecurity Law, it classifies systems into five levels via standards like GB/T 22239-2019 (baseline requirements), GB/T 25070-2019 (technical design), and GB/T 28448-2019 (evaluation), covering cloud, IoT, big data, and industrial controls with technical, management, and physical safeguards.

Who is legally or professionally required to comply with MLPS 2.0 (Multi-Level Protection Scheme)?

MLPS 2.0 legally requires compliance from all "network operators" in mainland China, defined broadly to include any entity operating networks or information systems. This encompasses domestic enterprises, foreign multinationals with China operations, cloud providers, and critical infrastructure operators across sectors like finance and energy. Virtually no size threshold applies; even small systems must classify and file, with Levels 2+ needing PSB registration within 30 days.

Does MLPS 2.0 (Multi-Level Protection Scheme) require an external audit or third-party certification?

Yes, MLPS 2.0 mandates external audits and third-party evaluations for systems at Level 2 and above, conducted by licensed Chinese firms per GB/T 28448-2019 scoring (typically ≥75/100 pass threshold). Level 1 relies on self-assessment; Level 3+ requires annual technical/management reviews, PSB verification, and documentation like topology diagrams, with potential on-site inspections.

How often should an assessment for MLPS 2.0 (Multi-Level Protection Scheme) be performed?

Assessments under MLPS 2.0 must occur biennially for Level 2 systems, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus self-inspections and re-evaluations after major changes. Initial classification follows system deployment (filing within 30 days for Level 2+), with ongoing PSB oversight including ad-hoc checks.

What are the consequences of non-compliance with MLPS 2.0 (Multi-Level Protection Scheme)?

Non-compliance with MLPS 2.0 triggers administrative fines (e.g., RMB 10,000 to over 50 million under related data laws), operational suspensions, blacklisting, and potential criminal liability via PSB enforcement. Over 6,400 investigations since 2017 include dawn raids, license revocations, and network shutdowns for unremedied gaps like poor segmentation or logging.

Can MLPS 2.0 (Multi-Level Protection Scheme) be mapped to other international frameworks?

Yes, MLPS 2.0 controls map to frameworks like ISO 27001 and NIST CSF, aligning domains such as governance, access, and monitoring while requiring China-specific overlays for grading, localization, and PSB filing. Existing ISMS structures support gap analysis, but MLPS adds prescriptive baselines and enforcement unique to its regime.

What is the first step to begin implementing MLPS 2.0 (Multi-Level Protection Scheme)?

The first step in MLPS 2.0 implementation is conducting a comprehensive inventory of grading objects (networks, systems) and preliminary self-classification into Levels 1–5 based on impact to national security and public interests. Follow with gap analysis against GB/T 22239-2019 baselines, documenting rationale for PSB filing (30 days for Level 2+).

What is the primary objective of ITIL?

The primary objective of ITIL is to provide best-practice guidelines for IT Service Management (ITSM) that align IT services with business objectives through the Service Value System (SVS). ITIL 4 emphasizes value co-creation via 34 practices across general, service, and technical management, incorporating the six Service Value Chain activities (Plan, Improve, Engage, Design & Transition, Obtain/Build, Deliver & Support) and seven guiding principles like Focus on Value and Progress Iteratively with Feedback.

Who is legally or professionally required to comply with ITIL?

No organizations are legally required to comply with ITIL, as it is a voluntary framework of best practices, not a mandatory regulation. Professionally, IT leaders, service managers, and ITSM practitioners in enterprises adopt it for alignment, with 87% global IT organizations using it; certifications via PeopleCert (Foundation to Strategic Leader) are recommended for roles like Service Owner and Process Owner.

Does ITIL require an external audit or third-party certification?

ITIL does not require external audits or third-party certification, as it is a non-prescriptive framework. Organizations may pursue voluntary ISO/IEC 20000 certification, which aligns with ITIL practices, but ITIL itself focuses on internal continual improvement through the SVS, with PeopleCert managing practitioner certifications rather than organizational audits.

How often should an assessment for ITIL be performed?

ITIL assessments should be performed continually as part of the SVS's Continual Improvement practice, using the seven-step improvement model. This involves regular gap analyses during implementation (e.g., via the ten-step roadmap's ITIL-Assessment phase) and ongoing reviews of KPIs like incident resolution times and change success rates across the 34 practices.

What are the consequences of non-compliance with ITIL?

There are no legal consequences for non-compliance with ITIL, since it is a voluntary best-practices framework. Potential business impacts include suboptimal service quality, higher costs, increased downtime, and missed ROI (e.g., no access to reported 10:1 to 38:1 gains), but failure stems from internal choices, not penalties.

Can ITIL be mapped to other international frameworks?

Yes, ITIL can be mapped to other international frameworks through its flexible 34 practices and SVS alignment. ITIL 4 supports integrations with Agile, DevOps, Lean, and Site Reliability Engineering (SRE), with practices like Change Enablement and Configuration Management (CMDB) facilitating compatibility while customizing to organizational contexts.

What is the first step to begin implementing ITIL?

The first step to implement ITIL is Project Preparation in the ten-step roadmap, securing executive sponsorship and defining scope. This aligns with the guiding principle Start Where You Are, followed by Business Case development and ITIL-Assessment to evaluate current processes against the SVS and 34 practices.

Standards Comparison

MLPS 2.0 (Multi-Level Protection Scheme) vs ITIL

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's mandatory graded protection cybersecurity framework

ITIL

Voluntary

2019

Global framework for IT service management best practices.

Quick Verdict

MLPS 2.0 mandates graded cybersecurity for China networks, enforced by PSBs with fines. ITIL provides voluntary ITSM best practices globally for service efficiency. Chinese operators comply with MLPS legally; worldwide firms adopt ITIL for optimized operations.

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory registration with Public Security Bureaus
Graded controls for cloud IoT ICS
Strict separation of duties requirements
Ongoing third-party evaluations oversight

IT Service Management

ITIL

ITIL 4 IT Service Management Framework

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Service Value System (SVS) with 34 flexible practices
Seven guiding principles for value-focused decisions
Four dimensions of service management
Continual improvement model across all elements
Integration with DevOps, Agile, and Lean

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory cybersecurity regulation operationalizing Article 21 of the 2017 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, implementing graded technical and management controls.

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Domains: physical security, network/host protection, data security, monitoring, governance.
Extensions for cloud, IoT, big data, ICS.
Compliance via self-assessment, expert review (Level 2+), PSB filing, periodic evaluations (75% pass threshold).

Why Organizations Use It

Legal obligation avoids fines, suspensions; enhances resilience; rationalizes investments; builds trust with regulators, partners. Strategic for China operations, integrates with ISO 27001/NIST.

Implementation Overview

Phased: inventory/grading, gap analysis, remediation, third-party evaluation, ongoing monitoring. Applies to all China network operators; high complexity for multinationals. Requires local expertise, documentation.

ITIL Details

What It Is

ITIL (formerly Information Technology Infrastructure Library, standalone since 2013) is a best-practices framework for IT Service Management (ITSM). Its primary purpose is aligning IT services with business objectives across the full lifecycle, emphasizing value co-creation. ITIL 4 uses a value-driven methodology through the Service Value System (SVS).

Key Components

Service Value System (SVS): Guiding principles, governance, service value chain (6 activities), 34 practices, continual improvement.
34 Practices: 14 general management, 17 service management (e.g., incident, change), 3 technical management.
Seven Guiding Principles: Focus on value, start where you are, progress iteratively, etc.
Certification model: PeopleCert-managed, from Foundation to Strategic Leader.

Why Organizations Use It

Cost efficiencies, reduced downtime, 87% global adoption.
Risk mitigation (e.g., cyber resilience), compliance alignment (ISO 20000).
Enhanced customer satisfaction, ROI (up to 38:1).
Integrates DevOps/Agile, boosts careers/stakeholder trust.

Implementation Overview

Phased ten-step roadmap: Assessment, gap analysis, role definition, training, integration.
Tailored for all sizes/industries; voluntary, no audits required. (178 words)

Key Differences

Aspect	MLPS 2.0 (Multi-Level Protection Scheme)	ITIL
Scope	Cybersecurity graded protection levels	IT service management practices
Industry	China network operators all sectors	Global IT organizations all sizes
Nature	Mandatory Chinese regulation enforced	Voluntary best practices framework
Testing	Third-party evaluations PSB verification	Self-assessments continual improvement
Penalties	Fines operational suspensions blacklisting	No legal penalties lost efficiency

Scope

MLPS 2.0 (Multi-Level Protection Scheme)

Cybersecurity graded protection levels

ITIL

IT service management practices

Industry

MLPS 2.0 (Multi-Level Protection Scheme)

China network operators all sectors

ITIL

Global IT organizations all sizes

Nature

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory Chinese regulation enforced

ITIL

Voluntary best practices framework

Testing

MLPS 2.0 (Multi-Level Protection Scheme)

Third-party evaluations PSB verification

ITIL

Self-assessments continual improvement

Penalties

MLPS 2.0 (Multi-Level Protection Scheme)

Fines operational suspensions blacklisting

ITIL

No legal penalties lost efficiency

Frequently Asked Questions

Common questions about MLPS 2.0 (Multi-Level Protection Scheme) and ITIL

MLPS 2.0 (Multi-Level Protection Scheme) FAQ

ITIL FAQ

You Might also be Interested in These Articles...

The Reasons Why NIS2 is Fundamental for Cyber Resilience in Europe

Uncover why NIS2 transcends compliance burdens, delivering real cyber resilience value through enforced measurements and activities. Explore insights via our pa

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

Discover how modern compliance monitoring tools leverage continuous, real-time oversight and automated alerts to shift organizations from reactive problem-solving to proactive threat detection and prevention, safeguarding against emerging risks before they escalate.

From Data Fragments to Strategic Insight: Powering Intelligent Risk Management with Integrated Compliance Monitoring

Transform data fragments into strategic insights with integrated compliance monitoring. Automate real-time risk management, ensure GDPR & SOC 2 compliance, and

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how MLPS 2.0 (Multi-Level Protection Scheme) and ITIL compare against other standards

Other MLPS 2.0 (Multi-Level Protection Scheme) Comparisons

Other ITIL Comparisons

What It Is

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).

Domains: physical security, network/host protection, data security, monitoring, governance.

Extensions for cloud, IoT, big data, ICS.

Compliance via self-assessment, expert review (Level 2+), PSB filing, periodic evaluations (75% pass threshold).

What It Is

Key Components

Service Value System (SVS): Guiding principles, governance, service value chain (6 activities), 34 practices, continual improvement.

34 Practices: 14 general management, 17 service management (e.g., incident, change), 3 technical management.

Seven Guiding Principles: Focus on value, start where you are, progress iteratively, etc.

Certification model: PeopleCert-managed, from Foundation to Strategic Leader.

Aspect

MLPS 2.0 (Multi-Level Protection Scheme)

ITIL

Scope

Cybersecurity graded protection levels

IT service management practices

Industry

China network operators all sectors

Global IT organizations all sizes

Nature

Mandatory Chinese regulation enforced

Voluntary best practices framework

Testing

Third-party evaluations PSB verification

Self-assessments continual improvement

Penalties

Fines operational suspensions blacklisting

No legal penalties lost efficiency