
Understanding China’s Cybersecurity Graded Protection System (GB/T 22239‑2019) 2.0: Key Changes, Assessment Process, and Enterprise Guidance

China’s mandatory Cybersecurity Graded Protection System 2.0, effective Dec 1 2019, classifies information systems into five security levels, imposes legally enforceable technical and management controls—including encryption, trusted computing, and cloud requirements—and outlines a five‑step assessment, registration, remediation, and supervision process for enterprises to achieve compliance quickly.

Tencent Cloud Developer

The National Cybersecurity Graded Protection System (often called "等级保护", literally "graded protection", or referred to by its standard number GB/T 22239‑2019) version 2.0 was officially released on May 13 and will be enforced from December 1, 2019. It is a mandatory compliance framework for almost all enterprises in China, covering basic technical and management requirements as well as extended requirements for cloud computing, mobile Internet, IoT, industrial control, and big data.

What is Graded Protection? It classifies information systems into five security levels and mandates security controls, product selection, and incident response according to the assigned level. The standard defines both basic security requirements and higher‑level requirements for critical sectors such as finance, healthcare, and education.

Major Changes in 2.0

Transition from a “guideline” to a legally enforceable standard – non‑compliance can lead to penalties.

Introduction of the “one center, three‑layer protection” architecture: a Security Management Center plus protection of the computing environment, network perimeter, and communication network.

Stricter encryption management requirements, including early‑stage design, key management, and mandatory use of national cryptographic standards.

Elevated role of Trusted Computing for configuration integrity verification.

Assessment Process

Level determination – identify system functions, responsibilities, and impact; obtain approval from the supervising authority for levels 4 and above.

Registration – submit the determined level to the local public security authority within 30 days of operation (or 30 days after level determination for new systems).

Formal assessment – engage an accredited assessment agency to conduct the evaluation and issue a report and certification.

Security construction and remediation – implement required security products, policies, and controls; remediate gaps and report to the authority.

Supervision – public security agencies conduct periodic inspections and audits.

How Enterprises Can Pass Quickly

Adopt a unified cloud security operation platform for vulnerability intelligence, threat detection, incident response, baseline compliance, and data leakage monitoring.

Strengthen key management and end‑to‑end encryption for data at rest and in transit.

Establish solid security governance on the cloud platform: asset inventory, configuration baseline, vulnerability management, penetration testing, and continuous improvement.

Focus on personal information and data protection, using data masking, tokenization, and secure display techniques.

Avoid common pitfalls such as ignoring the extended requirements for new industries, insufficient pre‑assessment of the correct level, and lack of post‑assessment monitoring.

Q&A Highlights

• Tencent Cloud can provide compliant cloud platforms (Tier‑3 for public cloud, Tier‑4 for financial cloud) and a suite of security products (WAF, DDoS protection, bastion host, database audit, AI‑based risk analysis, etc.).

• Encryption or masking is required for storing personal ID numbers; data export must be authorized and protected.

• For UI display, mask sensitive fields (e.g., replace characters with asterisks) and provide controlled “view” actions.
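The two Q&A points above (masking or encryption for stored ID numbers, masked display with a controlled "view" action) and the earlier guidance on data masking and tokenization can be made concrete in code. The following is an added example, not code from the original article or from Tencent Cloud. It assumes a display policy that keeps the first 3 and last 4 characters (the standard does not prescribe a split), a hypothetical permission named `pii:reveal`, and an in-memory `PiiVault` standing in for a real tokenization service; the sample ID number is constructed and does not belong to a real person.

```python
"""Masking, tokenization and audited reveal of personal ID numbers.

Added example (not from the original article). Assumptions:
- display policy keeps the first 3 and last 4 characters (assumed, not mandated)
- a hypothetical "pii:reveal" permission gates the unmasked view
- PiiVault is an in-memory stand-in for a tokenization/vault service
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed 18-character sample value for the demo; not a real person's ID.
SAMPLE_ID = "11010119900307123X"

MASK_CHAR = "*"


def mask_id(id_number: str, keep_head: int = 3, keep_tail: int = 4) -> str:
    """Display-safe form: keep head and tail, replace the middle with asterisks.

    Values too short to keep both ends are masked completely rather than
    leaking most of the string.
    """
    if len(id_number) <= keep_head + keep_tail:
        return MASK_CHAR * len(id_number)
    hidden = len(id_number) - keep_head - keep_tail
    return id_number[:keep_head] + MASK_CHAR * hidden + id_number[-keep_tail:]


@dataclass
class PiiVault:
    """Stand-in for a tokenization service (assumed design).

    Application records hold only an opaque token; the raw value lives in the
    vault. Equality lookups use a keyed HMAC so the ID itself is never stored
    in the application database.
    """
    hmac_key: bytes
    _raw_by_token: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, id_number: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random; carries no information
        self._raw_by_token[token] = id_number
        return token

    def detokenize(self, token: str) -> str:
        return self._raw_by_token[token]

    def blind_index(self, id_number: str) -> str:
        # Keyed digest: an unkeyed hash of an 18-digit ID could be reversed by
        # enumerating the ID space, so the HMAC key must stay in the vault.
        return hmac.new(self.hmac_key, id_number.encode(), hashlib.sha256).hexdigest()


def store_customer(vault: PiiVault, name: str, id_number: str) -> Dict[str, str]:
    """Build the record the application database keeps: token plus blind index."""
    return {
        "name": name,
        "id_token": vault.tokenize(id_number),
        "id_index": vault.blind_index(id_number),
    }


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset  # hypothetical permission model


class RevealDenied(PermissionError):
    pass


def render_id_field(vault: PiiVault, token: str, who: Principal,
                    reveal: bool = False,
                    audit: Optional[List[str]] = None) -> str:
    """Serve the masked form by default; the full value only through an
    explicit, permission-checked and audited 'view' action."""
    if audit is None:
        audit = []
    raw = vault.detokenize(token)
    if not reveal:
        return mask_id(raw)
    if "pii:reveal" not in who.permissions:
        audit.append(f"DENY reveal token={token} by={who.name}")
        raise RevealDenied(f"{who.name} may not view unmasked ID numbers")
    audit.append(f"REVEAL token={token} by={who.name}")
    return raw


if __name__ == "__main__":
    vault = PiiVault(hmac_key=secrets.token_bytes(32))
    record = store_customer(vault, "Zhang", SAMPLE_ID)
    log: List[str] = []
    clerk = Principal("clerk", frozenset())
    auditor = Principal("auditor", frozenset({"pii:reveal"}))
    print(record)
    print(render_id_field(vault, record["id_token"], clerk, audit=log))
    print(render_id_field(vault, record["id_token"], auditor, reveal=True, audit=log))
    print(log)
```

Masking is done server-side so the unmasked value never reaches the browser unless the reveal action succeeds, and every reveal attempt, granted or denied, leaves an audit entry that the post-assessment monitoring the article calls for can consume.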

Expert Profile

Wang Yu – 18 years in information security, over 100 graded‑protection projects, certified as a Graded Protection Assessment Engineer, International Certified Information Security Auditor, ISO‑27001 Lead Auditor, and other professional credentials.

Appendix

Link to the national directory of recommended graded‑protection assessment agencies: http://www.djbh.net/webdev/web/LevelTestOrgAction.do?p=nlbdLv3&id=402885cb35d11a540135d168e41e000c

Tags: risk management, compliance, data protection, Cloud Security, cybersecurity, Graded Protection

Written by Tencent Cloud Developer

Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.
