Understanding China’s Cybersecurity Grade Protection (等级保护) System and 2.0 Standards

This article explains the evolution, legal basis, supervising agencies, definitions, core standards, and implementation process of China’s cybersecurity grade protection system, including the transition to the 2.0 framework and the required filing, construction, assessment, and supervision steps.

Huolala Tech

1. Development of the Grade Protection System

The grade protection system is grounded in several legal documents, such as the Computer Information System Security Protection Regulation (1994), the People's Republic of China Police Law (1995, 2012), the 2008 State Council "Three‑Set" Plan, and the Cybersecurity Law (2016). Policy directives, including the 2003 opinion on strengthening information security, the 2004 implementation opinion, and the 2006 management measures, further define the framework. The Ministry of Public Security, together with the National Confidentiality Administration and the National Cryptography Administration, oversees the system.

Grade protection is defined as a hierarchical security approach that classifies information systems—ranging from state secrets to public data—into five levels, each requiring specific protection measures, product management, and incident response.

The work includes five stages: classification, filing, system construction/rectification, assessment, and periodic supervision. Successful implementation relies on guidance from supervisory authorities and the deployment of a comprehensive security standards system.

2.0 Upgrade

Since the Cybersecurity Law’s enactment on June 1, 2017, the system entered the 2.0 era, introducing new legal, policy, standard, technical, talent, training, and assurance frameworks. It expands protection to network infrastructure, critical information systems, websites, big‑data centers, cloud platforms, IoT, industrial control systems, and public service platforms, and incorporates enterprises into the protection regime.

New technical measures such as risk assessment, security monitoring, incident investigation, emergency drills, disaster backup, supply‑chain security, and effectiveness evaluation are now mandated.

2. Standard System of Cybersecurity Grade Protection

The 2.0 standard system includes major standards such as:

Cybersecurity Grade Protection Regulation (Draft) – overarching requirements

Implementation Guide (GB/T25058‑2020)

Classification Guide (GB/T22240‑2020)

Basic Requirements (GB/T22239‑2019)

Design Technical Requirements (GB/T25070‑2019)

Assessment Process Guide (GB/T28449‑2018)

The core standard is the Basic Requirements (GB/T22239‑2019), which contains general security requirements and extended security requirements. General requirements address common protection needs, while extended requirements target specific technologies such as cloud computing, mobile internet, IoT, and industrial control systems.

Key technical items include physical environment security, communication network security, boundary security, computing environment security, and security management center. Management items cover security policies, institutions, personnel, construction management, and operation management.

Extended requirements for cloud computing, mobile internet, IoT, and industrial control systems are detailed, specifying measures such as virtualization protection, mobile device control, sensor node protection, and control system network architecture.

3. Work Process of Cybersecurity Grade Protection

The protection workflow consists of six main activities:

Classification (定级)

Filing (备案)

System construction and rectification

Level assessment

Supervisory inspection

Continuous supervision

Filing is required for systems above level 2, with specific documentation (forms 1‑4) submitted within defined timeframes after construction and assessment.

Construction and rectification aim to bring the system to the required protection level, ensuring capabilities such as unified security policies, resistance to large‑scale attacks, disaster tolerance, virus protection, intrusion detection, incident response, accountability tracking, rapid recovery, and centralized control of resources.

Assessment is performed by accredited agencies according to national standards, with frequency depending on the system level (e.g., level 3 annually, level 2 every two years).

Supervisory departments conduct regular inspections to verify compliance.
