China: MLPS 2.0 - An introduction to the 2019 Implementation Guide
On 30 August 2019, the State Administration for Market Regulation ('SAMR') and the Standardization Administration of the People's Republic of China ('SAC') jointly released the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide'), which gives business operators guidance on how to implement the Multi-Level Protection Scheme ('MLPS') in practice. This recommended national standard took effect on 1 March 2020. Part one of this series presented an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019). In part two, Dr. Annie Xue, Partner at GEN Law Firm, gives a brief overview of the background to the standard, the highlights of the 2019 Implementation Guide, and the potential legal consequences of non-compliance.
MLPS came into wider public view only when the Cybersecurity Law ('CSL') introduced what is now known as 'MLPS 2.0', updated to address technological developments such as cloud computing, mobile networks, the Internet of Things ('IoT'), industrial control systems and Big Data. The CSL requires network operators and critical information infrastructure operators ('CIIOs') to use the MLPS as the primary baseline for fulfilling their security regulatory obligations.
MLPS 1.0 originated with the Computer Information System Security Protection Regulations of the PRC of 1994 ('the 1994 Regulations') promulgated by the State Council, but was formally established by the Administrative Measures for the Hierarchical Protection of Information Security of 2007 ('the 2007 Measures') issued by the Ministry of Public Security ('MPS'). By the MLPS 1.0 era, dozens of implementing rules and standards already guided the authorities' enforcement actions and companies' compliance work. The 2019 Implementation Guide itself updates its MLPS 1.0 counterpart, the Information Security Technology - Implementation Guide for Classified Protection of Information System (GB/T 25058-2010) ('the 2010 Implementation Guide'). The early stage of China's digital development and the heavy focus on public services and critical sectors (such as transportation, finance, energy and telecoms) long kept MLPS a niche area familiar only to a small group of targeted entities, most of them state-owned enterprises, public institutions and government agencies. It is the rapid development and sweeping adoption of new technologies that has made MLPS an important institutional tool for enforcing a graded methodology across the information systems and companies subject to cybersecurity regulation.
Highlights of the 2019 Implementation Guide
- Self-protection: the entities that operate or use the information systems are primarily responsible for MLPS grading and for the differentiated protection that follows from it.
- Differentiated protection: resources are allocated preferentially to objects of protection with a higher grading, so that core business and critical information assets receive effective and efficient protection.
- Simultaneous construction of security facilities: security facilities shall be planned and built together with the object of protection whenever it is newly constructed, rebuilt or extended.
- Dynamic adjustment: where material changes occur in the application scope, components, security measures or security status of the object of protection, the grading shall be reassessed and, where necessary, adjusted.
Key players in MLPS
Image 1: Summary by author
General process of MLPS implementation
Image 2: Summary by author
Legal consequences of non-compliance
- Where a network operator fails to perform its network security protection obligations under the CSL, the competent authority shall order it to make correction and issue a warning; if the operator refuses to make correction, or the failure endangers network security or causes other consequences, a fine of not less than RMB 10,000 (approx. €1,375) but not more than RMB 100,000 (approx. €13,740) shall be imposed on the operator, and a fine of not less than RMB 5,000 (approx. €690) but not more than RMB 50,000 (approx. €6,870) on the person directly in charge (see Article 59 of the CSL).
- Where a CIIO fails to perform the network security protection obligations prescribed in Articles 33, 34, 36 and 38 of the CSL, the competent authority shall order it to make correction and issue a warning; if the operator refuses to make correction, or the failure endangers network security or causes other consequences, a fine of not less than RMB 100,000 (approx. €13,740) but not more than RMB 1 million (approx. €137,400) shall be imposed on the operator, and a fine of not less than RMB 10,000 (approx. €1,375) but not more than RMB 100,000 (approx. €13,740) on the person directly in charge (see Article 59 of the CSL).
- Where an entity operating or using an information system graded at Level 3 or above violates the 2007 Measures by committing any of the following acts, the relevant public security organ, State secrecy department or State cryptography administration shall, according to its division of duties, order the entity to make correction within a prescribed period; where the entity fails to do so by the deadline, that authority shall issue a warning, inform the entity's superior competent department, recommend measures against the primary person in charge and other personnel bearing direct liability, and report back on the handling results in a timely manner:
- where the said entity fails to go through record-filing or examination and approval pursuant to the 2007 Measures;
- where the said entity fails to enforce security management rules or measures pursuant to the 2007 Measures;
- where the said entity fails to inspect the security conditions of the said information system pursuant to the 2007 Measures;
- where the said entity fails to test and evaluate the security technology of the said information system pursuant to the 2007 Measures;
- where the said entity refuses to make rectification upon receipt of the rectification notice;
- where the said entity fails to select or use information security products and testing and evaluation agencies pursuant to the 2007 Measures;
- where the said entity fails to provide relevant documents and supporting materials in a truthful manner pursuant to the 2007 Measures;
- where the said entity violates the provisions on secrecy management;
- where the said entity violates the provisions on cryptography management; or
- where the said entity violates other provisions of the 2007 Measures.
- Where the said entity violates the preceding Paragraph and causes serious damage, it shall be dealt with by relevant departments in accordance with applicable laws and regulations (see Article 40 of the 2007 Measures).
- Under the 1994 Regulations, whoever violates the security grading protection system for computer information systems so as to endanger their security shall be given a warning, or ordered to suspend computer operation for rectification, by the public security organs (see Article 20 of the 1994 Regulations).
Under the Criminal Law, network service providers that fail to perform the information network security management duties prescribed by laws and administrative regulations, and refuse to take corrective measures after being ordered to do so by the regulatory authorities, shall be sentenced to fixed-term imprisonment of not more than three years, criminal detention or public surveillance, and shall also, or shall only, be fined, if their conduct:
- results in the dissemination of a large amount of illegal information;
- causes the leakage of user information, with serious consequences;
- causes the loss of evidence in a criminal case, where the circumstances are serious; or
- involves other serious circumstances.
Where an entity commits the offence described in the preceding paragraph, it shall be fined, and the person directly in charge and the other directly liable persons shall be punished in accordance with the preceding paragraph.
Whoever commits an act described in the preceding two paragraphs that at the same time constitutes another offence shall be convicted and punished under the provision carrying the heavier penalty (see Article 286(A) of the Criminal Law of the People's Republic of China).
Dr. Annie Xue Partner
GEN Law Firm, Beijing