PRC Government · China

China PIPL / Cybersecurity Law / MLPS

China's data-protection, cybersecurity and grading regime.

Introduction: China's Data and Cyber Trinity

China governs data and cybersecurity through a tightly interlocked trinity of national laws: the Cybersecurity Law (CSL, effective 1 June 2017), the Data Security Law (DSL, effective 1 September 2021) and the Personal Information Protection Law (PIPL, effective 1 November 2021). Sitting beneath these statutes is the Multi-Level Protection Scheme (MLPS 2.0), the mandatory grading, filing and testing regime for network operators: its legal mandate is CSL Article 21 and its technical baseline is GB/T 22239-2019. Together these instruments create one of the most demanding, extraterritorial and enforcement-active data governance environments in the world. For any organisation that markets to, processes the data of, or operates infrastructure serving individuals in the People's Republic of China, compliance is not optional and the penalties are severe.

This guide is written for two audiences at once: the auditor or assessor who must test conformity and gather evidence, and the CISO, DPO or China-market implementer who must build and operate the control environment. It maps the specific obligations, thresholds, filing deadlines, control families and lifecycle requirements unique to the CSL/DSL/PIPL/MLPS stack. Article numbers, grading levels and regulatory bodies are cited to the operative Chinese-language instruments; all explanatory text is original and no copyrighted statutory text is reproduced.

Standards and Copyright Note
MLPS technical baselines are published as GB/T national standards (notably GB/T 22239-2019 Baseline for Classified Protection of Cybersecurity and GB/T 22240-2020 for grading) by SAC/TC260 and are subject to Chinese copyright. Related instruments such as GB/T 35273-2020 (Personal Information Security Specification) and the CAC Standard Contract for the export of personal information are likewise controlled documents. This guide paraphrases requirements for assessment purposes and does not reproduce standard text. Licensed copies must be obtained from official Chinese sources (SAMR/SAC). Verify the current version before certification, as GB/T 22239 and the CAC measures are periodically revised.

What is China PIPL/CSL

The framework is a layered regulatory system rather than a single act. Each layer addresses a distinct object of protection and is enforced by overlapping regulators.

The Cybersecurity Law (CSL)

The CSL is the foundational statute establishing network security obligations for all 'network operators' and heightened duties for operators of Critical Information Infrastructure (CII). It introduces MLPS as a legal mandate (Article 21), CII protection (Articles 31-39), data localisation for CII (Article 37), real-name registration, network product and service security review, and incident response and reporting duties. Enforcement sits primarily with the Ministry of Public Security (MPS) and the Cyberspace Administration of China (CAC).

The Data Security Law (DSL)

The DSL governs all data processing activities (not just personal data) and introduces a national data classification and hierarchical protection system, distinguishing ordinary data, 'important data' and 'core data' (national security relevant). It imposes risk assessment, incident reporting, and a controversial blocking provision (Article 36) prohibiting the transfer of data stored in China to foreign judicial or enforcement authorities without Chinese approval.

The Personal Information Protection Law (PIPL)

PIPL is China's comprehensive personal data statute, frequently compared to the EU GDPR but stricter in several respects. It defines lawful bases for processing (consent-centric, no legitimate-interest ground), sensitive personal information, individual rights, cross-border transfer mechanisms (Articles 38-43), separate consent requirements, and extraterritorial reach (Article 3). It appoints CAC as lead regulator and imposes fines up to RMB 50 million or 5% of prior-year turnover.

The Multi-Level Protection Scheme (MLPS 2.0)

MLPS is the technical certification backbone. Every network/system must be self-graded from Level 1 to Level 5 based on the harm its compromise would cause to citizens, legal persons, social order or national security. Grade 2 and above require filing with the local Public Security Bureau (PSB) and, for Grade 3+, periodic testing (dengbao ceping) by an accredited assessment organisation.

Who Must Comply / Scope of Applicability

Scope is broad and expressly extraterritorial. The following table summarises who is captured and under which instrument.

Entity / Trigger | Instrument | Obligation summary
Any 'network operator' (owner/administrator of a network) in China | CSL / MLPS | MLPS grading, filing, technical baseline controls, incident reporting
Operators of Critical Information Infrastructure (finance, energy, transport, telecom, e-gov, public utilities, etc.) | CSL Arts 31-39 | Enhanced protection, data localisation, annual review, CAC security review for procurement
Any organisation processing personal information of individuals located in China | PIPL Art 3(1) | Full PIPL obligations regardless of where processing occurs
Foreign entities processing PI to provide products/services to, or analyse behaviour of, China-based individuals | PIPL Art 3(2) | PIPL applies extraterritorially; must appoint a local representative (Art 53)
Processors handling 'important data' or 'core data' | DSL | Classification, risk assessment, designated data security officer, reporting
Large-volume PI handlers (per CAC thresholds) | PIPL Art 52 / CAC rules | Appoint DPO, annual compliance audit, possible security assessment for transfers
Any entity transferring PI or important data out of China | PIPL Arts 38-43 / DSL | CAC security assessment, SCC filing, or certification
Providers of algorithmic recommendation / generative AI services | Algorithm & Gen-AI regulations | Algorithm filing, labelling, security assessment

  • Data localisation is mandatory for CII operators and for PI handlers reaching CAC volume thresholds; other data may in principle leave China only via an approved transfer mechanism.
  • There is no small-business blanket exemption; SMEs processing China PI are in scope, though audit and DPO thresholds scale with volume.
  • State organs and public bodies have a dedicated PIPL chapter (Chapter 2, Section 3) with additional constraints.

Structure of China PIPL/CSL

The framework can be decomposed into statutory pillars, each with its operative article ranges and implementing rules. The table below is the structural map an assessor uses to build a coverage matrix.

Pillar / Domain | Primary instrument & articles | Core requirements | Lead regulator
Network security baseline (MLPS) | CSL Art 21; GB/T 22239-2019 | Self-grade, PSB filing, tiered technical & management controls, dengbao testing | MPS / PSB
Critical Information Infrastructure | CSL Arts 31-39; CII Security Protection Regulations 2021 | Identification, localisation, procurement security review, annual assessment | CAC / competent departments
Data classification & security | DSL Arts 21-30 | Ordinary/important/core tiers, risk assessment, catalogues, DSO | CAC / MIIT / sector regulators
Personal information processing | PIPL Arts 13-27 | Lawful basis, notice, separate consent, minimisation, automated decision rules | CAC
Sensitive personal information | PIPL Arts 28-32 | Specific purpose + necessity, separate consent, impact assessment | CAC
Individual rights | PIPL Arts 44-50 | Access, copy, correction, deletion, portability, explanation, complaint | CAC
Cross-border transfer | PIPL Arts 38-43; DSL Art 36 | Security assessment / SCC / certification; export blocking; PIPIA | CAC
Accountability & governance | PIPL Arts 51-58 | DPO, compliance audit, PIPIA, records, local representative, incident duty | CAC
Breach & incident response | CSL Art 25; DSL Art 29; PIPL Art 57 | Emergency plan, notification to authority and individuals, remediation | CAC / MPS / sector
Algorithm & generative AI | Algorithm Rec. Provisions 2022; Gen-AI Measures 2023 | Filing, transparency, labelling, security & data-source assessment | CAC

Master Assessment Checklist

This is the operative core of the guide. Each control group below carries a table of what the auditor must verify and the typical evidence that proves conformity. No control area is skipped; groups follow the statutory pillars above.

Group 1 — MLPS Grading and Filing (CSL Art 21)

What to verify | Typical evidence
Every in-scope system has been graded 1-5 per GB/T 22240-2020 with documented rationale | Grading report, expert review minutes, harm-analysis worksheet
Grade 2+ systems are filed with the local Public Security Bureau | PSB filing certificate (beian) with record number
Grade 3+ systems undergo periodic (at least annual) expert testing (dengbao) | Testing report from accredited assessment institution, remediation log
Grading is reassessed after major architecture or business change | Change records linking to re-grading decisions
Selected level matches actual harm potential (no under-grading) | Independent reviewer assessment, sector guidance mapping

Group 2 — MLPS Technical Controls (GB/T 22239-2019, technical dimension: physical environment, communication network, area boundary, computing environment, management centre)

What to verify | Typical evidence
Physical and environmental security proportionate to grade (access, power, fire, monitoring) | Data-centre access logs, environmental monitoring reports
Network zoning, boundary protection and secure communication (encryption in transit) | Network diagrams, firewall rulesets, TLS/SM cipher configuration
Identity authentication, least-privilege access and dual-factor for privileged users | IAM policy, MFA configuration, privileged account inventory
Malware defence, intrusion prevention and centralised log collection | EDR/IPS console, proof of SIEM log retention of at least six months (the CSL Art 21 minimum)
Data integrity, confidentiality and secure backup/restore | Backup schedule, restore-test records, encryption key management
Use of commercial cryptography (SM2/SM3/SM4) where mandated | OSCCA-approved crypto product certificates, algorithm inventory
Security management centre for Grade 3+ (centralised control, audit, monitoring) | SMC architecture, operator roster, monitoring dashboards

Group 3 — MLPS Management Controls (GB/T 22239-2019, management dimension)

What to verify | Typical evidence
Security policy framework and defined organisational structure | Approved policy set, org chart, role appointment letters
Personnel security (screening, training, on/offboarding) | Training records, NDAs, access-revocation tickets
Construction/build security management (design, testing, delivery acceptance) | SDLC gates, acceptance test reports, vendor security clauses
Operations and maintenance management (change, patch, vulnerability, media) | Change-management records, patch cadence evidence, media handling log
Security incident and emergency response procedures | Emergency plan, drill records, incident register

Group 4 — Critical Information Infrastructure (CSL Arts 31-39)

What to verify | Typical evidence
CII identification confirmed with the competent sector authority | CII designation notice, sector identification correspondence
Dedicated security management body and responsible person appointed | Appointment records, budget allocation, headcount
Data and PI generated/collected in China are stored within China | Data-residency map, hosting contracts, storage location attestations
Network products/services procurement passed CAC security review where required | Security review filing/approval, procurement risk assessments
Annual security inspection and risk assessment performed | Annual assessment report submitted to competent department
Background review of key personnel and supply-chain risk management | Personnel vetting records, supplier security assessments

Group 5 — Data Classification and Security (DSL Arts 21-30)

What to verify | Typical evidence
Data inventory classified into ordinary / important / core categories | Data catalogue with classification tags, sector important-data list mapping
Important data identified against national and sector catalogues | Important-data register, classification methodology
Data security officer and management body designated for important-data handlers | Appointment letter, responsibilities matrix
Regular risk assessments of important-data processing conducted and reported | Risk assessment reports filed with competent authority
Article 36 blocking control: no data provided to foreign judicial or enforcement authorities without approval | Legal-request handling procedure, approval records
Data lifecycle security (collection, storage, use, transfer, deletion) documented | Data flow maps, retention schedule, secure deletion evidence

Group 6 — Lawful Basis and Processing Principles (PIPL Arts 5-13)

What to verify | Typical evidence
A valid Art 13 lawful basis exists for each processing activity | RoPA with basis column, consent capture records or contract references
Principles of legality, legitimacy, necessity, good faith and minimisation applied | Data-minimisation assessment, purpose-limitation policy
Processing is limited to the stated purpose and least data necessary | Field-level justification, collection scoping review
Data quality (Art 8): PI kept accurate and complete, with a correction path | Data quality controls, correction workflow
Retention limited to the shortest period necessary | Retention matrix, automated purge job logs

Group 7 — Notice and Consent (PIPL Arts 14-18)

What to verify | Typical evidence
Privacy notice discloses identity, purpose, method, categories, retention and rights before processing | Published privacy notice, versioned notice archive
Consent is freely given, informed and specific; obtained before processing | Consent logs with timestamp, UI screenshots
Separate consent obtained for sensitive PI, transfers, third-party sharing, public disclosure | Distinct consent records per scenario
Consent withdrawal is as easy as giving it, with no service denial for optional processing | Withdrawal mechanism, opt-out logs
Notice re-issued and consent refreshed when purpose/method/category changes | Change-triggered re-consent records

Group 8 — Sensitive Personal Information (PIPL Arts 28-32)

What to verify | Typical evidence
Sensitive PI (biometrics, religious beliefs, specific identity, medical health, financial accounts, location tracking, PI of minors under 14) is inventoried | Sensitive-PI register with categories
Specific purpose and demonstrated necessity documented for each sensitive category | Necessity justification, PIPIA excerpts
Separate, explicit consent obtained for sensitive PI | Dedicated consent records
Minors under 14 handled with guardian consent and a dedicated rules document | Guardian consent records, children's data policy
Enhanced protection measures (encryption, restricted access) applied | Access-control lists, encryption configuration

Group 9 — Automated Decision-Making (PIPL Art 24)

What to verify | Typical evidence
Automated decisions are transparent, fair and non-discriminatory in pricing/terms | Algorithm fairness assessment, price-consistency testing
Individuals can opt out of profiling-based marketing / receive non-targeted options | Opt-out toggle evidence, alternative-content path
Right to explanation and to refuse decisions with significant effect is honoured | Explanation request handling, human-review workflow
Algorithmic recommendation services filed and assessed where applicable | Algorithm filing record, security self-assessment

Group 10 — Individual Rights (PIPL Arts 44-50)

What to verify | Typical evidence
Access and copy requests fulfilled promptly | Request register with response timestamps
Correction and completion of inaccurate data supported | Correction tickets, audit trail
Deletion honoured on withdrawal, purpose fulfilment, illegality or breach | Deletion logs, downstream propagation records
Data portability to another handler enabled where conditions met | Export/transfer request records, format specification
Explanation of processing rules provided on request | Explanation responses, plain-language rule descriptions
Rights of deceased persons' next-of-kin recognised (Art 49) | Procedure and handled-request evidence
Complaint/refusal handling procedure with reasons for any denial | Complaints log, refusal justification records

Group 11 — Cross-Border Data Transfer (PIPL Arts 38-43)

What to verify | Typical evidence
A valid transfer mechanism is in place: CAC security assessment, SCC filing, or certification | CAC assessment approval, filed Standard Contract, or certification proof
Threshold analysis performed against CAC volume rules (important data, CIIO, PI volumes) | Threshold worksheet, export-volume tracking
A cross-border PIPIA (transfer impact assessment) completed and retained (>=3 years) | PIPIA report with recipient risk analysis
Separate consent for transfer obtained with recipient identity, purpose and rights disclosed | Transfer-specific consent records
Overseas recipient bound to equivalent protection by contract | Executed data processing/transfer agreement
Foreign recipient's obligations to Chinese individuals are enforceable | Recipient attestations, liability clauses

Group 12 — Entrusted Processing and Sharing (PIPL Arts 20-23)

What to verify | Typical evidence
Processor (entrusted) agreements define purpose, scope, method and protection | Executed processing agreements, DPA clauses
Handler supervises processors and prohibits sub-processing without consent | Vendor audit records, sub-processor approval log
Joint processing arrangements allocate responsibility and joint liability | Joint-controller agreement
Third-party sharing carries recipient identity, purpose, method disclosure + separate consent | Sharing register, consent evidence
On processor termination, data is returned or deleted | Return/deletion certificates

Group 13 — Governance, DPO and Compliance Audit (PIPL Arts 51-54)

What to verify | Typical evidence
Internal management systems, operating procedures and classified management implemented | Policy suite, procedure library
DPO appointed where processing volume meets CAC threshold; contact published | DPO appointment, published contact details
Local representative appointed for extraterritorial (Art 3(2)) processors; details filed with CAC | Representative appointment, CAC filing
Regular compliance audits of PI processing conducted (self or third-party per CAC audit measures) | Audit reports, audit schedule
Technical measures (encryption, de-identification, access control) commensurate with risk | Control inventory, encryption/de-identification evidence
Security training and drills conducted | Training attendance, drill after-action reports

Group 14 — PIPIA / Impact Assessment (PIPL Arts 55-56)

What to verify | Typical evidence
PIPIA performed in advance of sensitive PI processing, automated decisions, entrusting, sharing, public disclosure and cross-border transfer | PIPIA reports for each trigger scenario
PIPIA evaluates legality, necessity, impact on rights and adequacy of protection | Completed PIPIA template with risk scoring
PIPIA reports and processing records retained at least three years | Document retention register
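The Group 11 and Group 14 checks above are mechanical enough to automate over a cross-border flow register. The script below is an added example, not code from this page or from any regulator: it takes one record per export flow (the record layout and field names are this example's own assumptions, and the three sample flows are constructed) and emits a finding for each gap an assessor would raise, namely a missing or non-Art 38 transfer route, a PIPIA that is absent, completed after the first transfer (Art 55 requires it in advance) or scheduled for less than the three-year retention of Art 56, and missing separate consent for the transfer (Art 39) or for sensitive PI (Art 29).

```python
"""Audit helper for cross-border PI flows (PIPL Arts 38-43, 55-56).

Added example, not code from the page or from any regulator. The record
layout and field names are assumptions for illustration; sample flows are
constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Transfer routes accepted under PIPL Art 38 (Group 11 of the checklist).
VALID_MECHANISMS = {"cac_security_assessment", "scc_filing", "certification"}
# PIPL Art 56: PIPIA reports and processing records kept for at least three years.
PIPIA_MIN_RETENTION = timedelta(days=3 * 365)


@dataclass
class Flow:
    flow_id: str
    recipient_country: str
    first_transfer_on: date
    mechanism: Optional[str] = None           # e.g. "scc_filing"; assumed field name
    pipia_completed_on: Optional[date] = None
    pipia_retained_until: Optional[date] = None
    sensitive_pi: bool = False
    # Scenario keys for which a distinct (separate) consent record exists.
    separate_consents: Set[str] = field(default_factory=set)


Finding = Tuple[str, str, str]  # (flow_id, code, message)


def check_flow(flow: Flow) -> List[Finding]:
    """Return the Group 11 / Group 14 gaps for one cross-border flow."""
    out: List[Finding] = []

    def add(code: str, msg: str) -> None:
        out.append((flow.flow_id, code, msg))

    # 1. Transfer mechanism (Art 38).
    if flow.mechanism is None:
        add("NO_MECHANISM", "no CAC assessment, SCC filing or certification")
    elif flow.mechanism not in VALID_MECHANISMS:
        add("INVALID_MECHANISM", f"'{flow.mechanism}' is not an Art 38 route")

    # 2. PIPIA exists, preceded the first transfer (Art 55), retained long enough (Art 56).
    if flow.pipia_completed_on is None:
        add("NO_PIPIA", "no PIPIA on file for this flow")
    else:
        if flow.pipia_completed_on > flow.first_transfer_on:
            add("PIPIA_AFTER_TRANSFER",
                "PIPIA completed after the first transfer; Art 55 requires it in advance")
        required = flow.pipia_completed_on + PIPIA_MIN_RETENTION
        if flow.pipia_retained_until is None or flow.pipia_retained_until < required:
            add("PIPIA_RETENTION_SHORT",
                f"PIPIA must be retained until at least {required.isoformat()}")

    # 3. Separate consent for the transfer (Art 39) and for sensitive PI (Art 29).
    if "cross_border_transfer" not in flow.separate_consents:
        add("NO_TRANSFER_CONSENT", "no separate consent naming the overseas recipient and purpose")
    if flow.sensitive_pi and "sensitive_pi" not in flow.separate_consents:
        add("NO_SENSITIVE_CONSENT", "sensitive PI exported without separate consent")
    return out


def check_all(flows: List[Flow]) -> List[Finding]:
    return [f for flow in flows for f in check_flow(flow)]


# Constructed sample register (not real data).
SAMPLE_FLOWS = [
    Flow("F-001", "DE", date(2024, 3, 15), mechanism="scc_filing",
         pipia_completed_on=date(2024, 2, 10), pipia_retained_until=date(2027, 6, 1),
         sensitive_pi=True, separate_consents={"cross_border_transfer", "sensitive_pi"}),
    Flow("F-002", "US", date(2024, 1, 10), mechanism=None,
         pipia_completed_on=date(2024, 5, 1), pipia_retained_until=date(2026, 1, 1)),
    Flow("F-003", "SG", date(2024, 6, 1), mechanism="intra_group_policy",
         sensitive_pi=True, separate_consents={"cross_border_transfer"}),
]

if __name__ == "__main__":
    for flow_id, code, msg in check_all(SAMPLE_FLOWS):
        print(f"{flow_id}  {code:<24} {msg}")
```

Run against the constructed register, F-001 is clean, F-002 produces four findings (no mechanism, PIPIA after first transfer, retention shorter than three years, no transfer consent) and F-003 three (an intra-group policy is not an Art 38 route, no PIPIA, no separate consent for sensitive PI). Feeding the real register in instead of SAMPLE_FLOWS gives the assessor the findings list for Groups 11 and 14 without re-reading each PIPIA by hand.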

Group 15 — Breach and Incident Response (CSL Art 25; DSL Art 29; PIPL Art 57)

What to verify | Typical evidence
Emergency response plan for network security and data incidents maintained | Approved incident response plan, RACI
On a breach, remedial measures taken and CAC/relevant authority notified promptly | Incident report to authority, timeline log
Affected individuals notified unless effective mitigation removes harm | Individual notification records, mitigation justification
Incident reporting to sector regulators (e.g. finance/telecom) meets sector timelines | Sector filing acknowledgements
Post-incident review and control improvement performed | Root-cause analysis, corrective action tracker

Group 16 — Algorithm and Generative AI Governance

What to verify | Typical evidence
Algorithmic recommendation services filed in the CAC algorithm registry | Filing record / registry number
Generative AI services meet content, data-source and labelling requirements | Security self-assessment, synthetic-content labelling evidence
Training data lawfully sourced, with controls against infringing or illegal content | Data provenance records, filtering configuration
User-facing transparency about algorithmic mechanisms provided | Published algorithm description, opt-out options

Scoping and Materiality / Tiering

Effort must be proportioned to the harm potential and data sensitivity. The framework provides several native tiering axes that drive scope.

  • MLPS grade (1-5): the higher the grade, the more control objectives, the mandatory security management centre (Grade 3+) and more frequent dengbao testing.
  • DSL data tier (ordinary / important / core): 'core data' attracts the strictest controls and is largely un-exportable; 'important data' triggers risk assessment and possible CAC security assessment for transfer.
  • PI volume thresholds: CAC volume bands (e.g. handling PI of large numbers of individuals, or cumulative export volumes) trigger DPO appointment, security assessment for export, and mandatory compliance audits.
  • CII designation: being named a CII operator escalates every obligation, adds localisation and procurement security review.
  • Sensitive PI presence: any sensitive-PI processing raises the assessment to PIPIA-mandatory and separate-consent-mandatory.

Materiality driver | Low scope | High scope
MLPS grade | Grade 1-2, filing only | Grade 3-5, SMC + annual dengbao
Data tier | Ordinary data | Important / core data
PI volume | Below CAC thresholds | Above thresholds: DPO + audit + assessment
CII status | Not designated | Designated CII operator
Cross-border | No PI/important-data export | Regular export requiring CAC route

Implementation Approach

A phased programme lets organisations reach defensible compliance while sequencing filings and testing windows correctly.

Phase 1 — Discovery and Grading (Weeks 1-4)

  • Activities: system inventory, data mapping, MLPS self-grading per GB/T 22240, DSL data classification, applicability analysis (CII, extraterritorial, thresholds).
  • Deliverables: system register with MLPS grades, data catalogue with tiers, applicability memo, gap-analysis baseline.

Phase 2 — Filing and Legal Foundations (Weeks 3-8)

  • Activities: PSB filing for Grade 2+ systems, appoint DPO and (if extraterritorial) local representative, draft PIPL notices and consent flows, establish RoPA.
  • Deliverables: PSB filing certificates, appointment records, published privacy notices, consent architecture, records of processing.

Phase 3 — Control Build and Remediation (Weeks 6-16)

  • Activities: implement MLPS technical/management controls, deploy SM cryptography, build security management centre (Grade 3+), stand up incident response, deploy rights-fulfilment workflows.
  • Deliverables: hardened control environment, IR plan and drills, DSAR/rights portal, encryption and access-control evidence.

Phase 4 — Assessments and Transfers (Weeks 12-20)

  • Activities: conduct PIPIAs, select and execute cross-border transfer mechanism (CAC assessment / SCC filing / certification), commission dengbao testing for Grade 3+.
  • Deliverables: PIPIA reports, filed Standard Contract or CAC approval, dengbao test report and remediation log.

Phase 5 — Sustain and Improve (Ongoing)

  • Activities: annual compliance audit, annual CII assessment, re-grading on change, algorithm/AI filings, continuous monitoring and metric reporting.
  • Deliverables: annual audit report, updated filings, KPI dashboard, management review minutes.

Maturity / Tiering Model

Beyond the statutory MLPS grades, organisations should track programme maturity to prioritise investment. The model below combines an operational maturity ladder with the corresponding MLPS/DSL posture.

Level | Name | Characteristics | Typical MLPS/DSL posture
1 | Initial | Ad-hoc, no grading, no filing, consent gaps | Ungraded or under-graded; high exposure
2 | Developing | Systems graded and filed; basic PIPL notices; partial controls | Grade 1-2 filed; core controls emerging
3 | Defined | Documented policies, RoPA, PIPIA process, IR plan, DPO appointed | Grade 2-3 with dengbao passed once
4 | Managed | Metrics-driven, transfers via approved mechanism, annual audits, SMC operating | Grade 3 sustained; important-data risk assessments
5 | Optimised | Continuous monitoring, automated rights, mature AI governance, board oversight | Grade 3-4 with proactive re-grading and testing

Assessment and Audit Approach

  1. Confirm applicability: establish which instruments bind the entity (network operator, CII, extraterritorial PIPL, important-data handler) and record the legal basis for scope.
  2. Verify grading and classification: test MLPS grades against GB/T 22240 and DSL tiers against sector catalogues; challenge any under-grading.
  3. Validate filings: confirm PSB beian for Grade 2+, DPO/representative appointments and CAC transfer filings exist and are current.
  4. Test technical controls: sample MLPS baseline controls per grade, verify SM cryptography, access control, logging and the security management centre where required.
  5. Examine PI processing: trace lawful basis, notice, consent (including separate consent), minimisation and retention across representative data flows.
  6. Assess transfers: verify the transfer mechanism, PIPIA and consent for each cross-border flow; confirm no unlawful data provision to foreign authorities (DSL Art 36).
  7. Review rights and incidents: test DSAR fulfilment timeliness and incident-response readiness, including notification records and drill evidence.
  8. Evaluate governance: assess DPO effectiveness, compliance-audit cadence, training and management oversight.
  9. Report and remediate: produce a findings register scored by severity, with corrective actions, owners and deadlines aligned to filing/testing windows.

Evidence Request List

The following categorised list is issued to the auditee ahead of fieldwork.

  • Governance: security and privacy policy suite, org chart, DPO and local-representative appointments, compliance-audit reports, training records.
  • Grading & filing: MLPS grading reports, PSB filing certificates, dengbao test reports and remediation logs.
  • Data mapping: system inventory, data catalogue with DSL tiers, RoPA, data-flow diagrams, important-data register.
  • PI processing: privacy notices (versioned), consent logs, separate-consent records, retention schedule, deletion logs.
  • Sensitive PI & minors: sensitive-PI register, children's data policy, guardian-consent records.
  • Cross-border: PIPIAs, CAC security assessment approvals, filed Standard Contracts, certifications, transfer consent records.
  • Technical: IAM/MFA configuration, encryption and SM-crypto certificates, SIEM/log retention proof, backup/restore test records, network diagrams.
  • CII (if applicable): CII designation notice, localisation attestations, procurement security-review approvals, annual assessment reports.
  • Incident: IR plan, drill records, incident register, authority and individual notification evidence.
  • Vendors & AI: processor agreements, sub-processor approvals, algorithm filings, generative-AI self-assessments and labelling evidence.

Roles and Responsibilities

Role | Primary responsibilities
Legal representative / senior management | Ultimate accountability; approves policies; resourcing; personal liability exposure under PIPL Art 66
Data Protection Officer (Art 52) | Oversees PI processing and protection; point of contact for CAC and individuals
Data Security Officer (DSL) | Manages important-data classification, risk assessment and reporting
CII security responsible person | Runs the dedicated CII security body; localisation and procurement review
Network security / MLPS owner | Maintains grading, filing, technical baseline and dengbao readiness
Local representative (Art 53) | Represents extraterritorial processor to Chinese regulators; details filed with CAC
IT / SecOps | Implements and operates technical controls, SIEM, IR execution
Business / product owners | Define lawful basis, notices and consent at collection points
Internal audit / compliance | Runs the mandatory compliance audits and tracks remediation

KPIs / Metrics to Track

  • Percentage of in-scope systems correctly graded and filed (target 100%).
  • Grade 3+ systems with a current, passed dengbao test.
  • DSAR/rights requests fulfilled within committed timelines.
  • Percentage of cross-border flows covered by a valid transfer mechanism and current PIPIA.
  • Consent capture rate and separate-consent coverage for sensitive PI/transfers.
  • Time to notify authority and individuals after a confirmed breach.
  • Number of important-data risk assessments completed on schedule.
  • Open high-severity findings age and remediation burn-down.
  • Security-training completion and incident-drill frequency.
  • Algorithm/AI services with current CAC filings and self-assessments.

Readiness Checklist

  • All in-scope systems graded under MLPS and Grade 2+ filed with the PSB.
  • Grade 3+ systems have a passed dengbao test and a security management centre.
  • Data classified into DSL tiers with an important-data register maintained.
  • CII applicability determined and, if designated, localisation and procurement review in place.
  • PIPL lawful basis, notices and consent (including separate consent) implemented at every collection point.
  • Sensitive PI and minors' data controls, with PIPIAs, in place.
  • DPO appointed and, for extraterritorial processing, a local representative filed with CAC.
  • Every cross-border flow uses an approved mechanism (CAC assessment / SCC / certification) with a retained PIPIA.
  • Individual rights workflows (access, correction, deletion, portability, explanation) operating.
  • Incident response plan tested, with authority and individual notification procedures.
  • Mandatory compliance audit scheduled and vendor/AI filings current.
  • Records (RoPA, PIPIA, incidents) retained for at least three years.

Common Gaps and Findings

  • Under-grading MLPS systems to avoid dengbao testing and management-centre obligations.
  • Treating GDPR compliance as sufficient, missing PIPL's separate-consent and no-legitimate-interest requirements.
  • Cross-border transfers running without a completed PIPIA or an approved transfer mechanism.
  • Missing or generic consent that fails the 'separate consent' standard for sensitive PI, sharing and export.
  • No appointed local representative despite extraterritorial (Art 3(2)) processing.
  • Data localisation not enforced for CII or above-threshold PI handlers.
  • Sensitive-PI and minors' data processed without PIPIA or guardian consent.
  • Retention periods undefined or excessive, breaching the minimisation principle.
  • Incident-response plans untested and unclear authority-notification timelines.
  • DSL Article 36 exposure: responding to foreign legal requests without Chinese approval.
  • Algorithmic recommendation and generative-AI services unfiled with the CAC registry.

China PIPL/CSL Mapped to Other Frameworks

The mapping below helps organisations reuse existing controls, while flagging where China-specific obligations have no direct equivalent.

China obligation | GDPR (EU) | ISO/IEC 27001 & 27701 | India DPDP Act 2023 | NIST CSF
MLPS grading & baseline (GB/T 22239) | No direct equivalent | 27001 Annex A controls | No direct equivalent | Protect / Detect functions
PIPL lawful basis & consent | Art 6 lawful bases / Art 7 consent | 27701 PIMS | Consent + certain legitimate uses | Govern (privacy)
Separate consent (sensitive/transfer) | Explicit consent (Art 9) | 27701 controls | No separate sensitive-data tier; verifiable parental consent for children | Govern
Cross-border transfer (Arts 38-43) | Chapter V (SCCs/adequacy) | 27701 transfer controls | Restricted-country transfer rules | Govern / Protect
PIPIA (Arts 55-56) | DPIA (Art 35) | 27701 privacy risk assessment | DPIA for significant data fiduciaries | Identify (risk assessment)
Breach notification (Art 57) | Arts 33-34 (72h) | 27001 incident mgmt / 27035 | Notify the Data Protection Board and affected Data Principals | Respond
DPO (Art 52) | DPO (Arts 37-39) | 27701 accountability role | Data Protection Officer (significant data fiduciaries) | Govern
CII protection (CSL 31-39) | NIS2 (analogous) | 27001 for critical assets | No direct equivalent | Identify / Protect
Data classification (DSL) | No direct equivalent | 27001:2022 A.5.12 classification | No direct equivalent | Identify (asset mgmt)
Algorithm/Gen-AI rules | EU AI Act (analogous) | ISO/IEC 42001 AI mgmt | Under sectoral rules | Govern (AI)

How CyberSigma Helps
CyberSigma brings CERT-In empanelled auditors and privacy specialists who operationalise the full CSL/DSL/PIPL/MLPS stack end to end. We run MLPS self-grading and prepare Grade 2+ PSB filings, coordinate accredited dengbao testing, build the security management centre for Grade 3+ systems, and deploy SM-cryptography and baseline controls. On the data side we deliver DSL classification, PIPL notice and consent architecture, PIPIAs, DPO and local-representative arrangements, and the correct cross-border transfer route (CAC security assessment, Standard Contract filing or certification). Our SigmaGRC platform tracks every control, filing deadline and KPI in a single evidence-linked dashboard, and our advisory team runs the mandatory compliance audits and incident-response drills. The result is defensible, board-ready China compliance that unlocks the market while containing regulatory and personal-liability risk.

Frequently asked questions

What is MLPS 2.0?
China's Multi-Level Protection Scheme grades information systems by importance and mandates commensurate security controls and testing.

Need help with China PIPL/CSL?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.