
Does the New Chinese Cybersecurity Law Increase Your Manufacturing or Supply Chain Risk?

That is the question business leaders are asking themselves across the world in light of the new version of China’s Multi-Level Protection Scheme law, known as MLPS 2.0, another Chinese cybersecurity regulation that comes into effect December 1, 2019. An expansion of the existing cyber security laws in China today, this regulation mandates greatly enhanced monitoring and inspection powers for Chinese government officials over all businesses in China, irrespective of ownership makeup, by widening the scope of what constitutes “critical” and lowering the threshold for requiring government inspection and monitoring.

While this regulation does not guarantee that any business will be purposely breached, it does impose a number of concerning controls on non-Chinese entities that seek to maintain the confidentiality of their IP and supply chain. For example, while VPNs not owned by the Chinese government have been considered illegal for some time, the rule has not been effectively enforced. Under MLPS 2.0 it is expected that all businesses connecting out of the country will have to use a Chinese government-approved VPN. This one change indicates the government’s willingness to seriously inspect any and all traffic entering or leaving the country, no matter how potentially business sensitive it is.

Previous protections that applied to foreign-owned entities have been repealed; this new law applies to virtually all businesses operating in China. With this new business reality, organizations that operate in China, or that rely on supply chain partners that operate in China, have new decisions to make when it comes to managing their intellectual property, customer data, and data privacy risks.

For some time, many organizations have accepted the risks of operating in China as the cost of doing business because the threat of government inspection was less likely to apply to a foreign entity. Under the new law, all entities are covered and will likely be “inspected” by local officials who have this new sweeping power and authority. With requirements that include complete access to encrypted or sensitive data, this could effectively mean the end of confidentiality and competitive advantage for many organizations operating in China today.

So, while confidentiality may be much more difficult to maintain, new protection will require an adept cyber security strategy that accounts for all geolocation and geopolitical considerations.

Organizations should engage in a China-specific risk assessment if they or their supply chain operate in China and have access to confidential or sensitive business data. With that said, the exercise will be a muscle-building experience, as China will not be the last country to exert this new power. There are several nation states that are looking to ramp up their surveillance capabilities.


Dave Tyson

Dave Tyson is the Managing Partner of CISO Insights Cyber Security Risk Advisory. Tyson has served as CISO and security leader at organizations including SC Johnson, Nike, PG&E, eBay, and as chairman and president of ASIS. Contact: (408) 464-5310.
