Here is your 2026 guide on registering for cybersecurity certification in China, written for foreign executives. It includes the required definition paragraph, contextual numbers, Chinese terminology, structured H2 sections, and actionable next steps.
—
How to Register for Cybersecurity Certification in China: 2026 Guide
For foreign companies operating digital services, cloud infrastructure, or connected products in China, obtaining the correct cybersecurity certification is not optional—it is a legal prerequisite. The most critical certification is the Multi-Level Protection Scheme (MLPS/等级保护, děngjí bǎohù), a mandatory framework that classifies information systems by risk level and subjects them to government-approved security audits. By 2026, China’s cybersecurity compliance market is projected to exceed ¥98.6 billion (approximately $13.7 billion), driven by tightened enforcement of the Cybersecurity Law (网络安全法, wǎngluò ānquán fǎ) and the Personal Information Protection Law (个人信息保护法, gèrén xìnxī bǎohù fǎ). Registration is a multi-step process involving system classification, third-party assessment, and approval from local public security bureaus (PSBs). This guide provides a structured roadmap for foreign executives to navigate the 2026 registration landscape effectively.
Understanding China’s Cybersecurity Certification Framework
China’s cybersecurity certification ecosystem consists of three major pillars: MLPS for system security, the Commercial Cryptography Certification (商用密码认证, shāngyòng mìmì rènzhèng) for encryption products, and the Cybersecurity Service Provider (CSP) certification (网络安全服务认证, wǎngluò ānquán fúwù rènzhèng) for companies offering security services. For most foreign enterprises, MLPS is the primary requirement. Under the 2025 revised MLPS 2.0 guidelines, all information systems—including those hosted on third-party clouds—must be registered within 30 days of going live. Failure to classify or register can result in fines of up to ¥1 million (approx. $139,000) and operational shutdown orders. Systems are divided into five security levels: Level 1 (lowest risk, self-assessment) through Level 5 (highest risk, national security). The majority of foreign-invested enterprises operate at Level 2 or Level 3, which require an approved third-party testing agency to conduct the initial audit. The registration application is submitted to the local Public Security Bureau (PSB) cyber division, which holds a 45-business-day statutory review window. Understanding which level your system falls under is the first decision point, as it dictates the audit scope, documentation requirements, and timeline.
Step-by-Step Registration Process for MLPS 2.0
Step 1: System Self-Assessment and Classification
Begin by classifying your information system according to the GB/T 22240-2020 standard. This involves evaluating the system’s impact on national security, social order, and individual rights in the event of a breach. For example, a foreign-owned e-commerce platform handling payment data typically qualifies as Level 2, while a critical cloud infrastructure provider may be classified as Level 3. Document the system’s architecture, data flow, user volume (e.g., over 500,000 users for Level 3 threshold), and the type of data processed. Engage a qualified third-party testing agency (测评机构, cèpíng jīgòu) from the official list maintained by the Cybersecurity Administration of China (CAC). As of 2026, there are approximately 210 accredited testing agencies nationwide. Your chosen agency will help validate your classification before proceeding to the formal audit.
Step 2: Security Technical Testing and Remediation
The accredited agency will conduct a Security Level Protection Evaluation (等级测评, děngjí cèpíng). This includes vulnerability scanning, penetration testing, and control compliance checks against the GB/T 22239-2019 technical requirements. For Level 2 systems, the evaluation covers basic controls like access control, backup, and logging. For Level 3, the scope expands to include encryption, intrusion detection, and a dedicated security manager. The testing process typically takes 15–30 business days depending on system complexity. Any non-compliance findings—such as missing encryption or inadequate boundary protection—must be remediated before the evaluation report can be finalized. Expect to invest ¥200,000–¥800,000 (approx. $28,000–$111,000) for the entire testing and remediation cycle for a typical Level 2 or 3 system. Once remediation is verified, the agency issues an official Level Evaluation Report signed by its director.
Step 3: Submission to Local Public Security Bureau
Submit the following documents to the Cybersecurity Division of the local PSB (网安大队, wǎng’ān dàduì) via the National Cybersecurity Level Protection Management Platform (国家网络安全等级保护管理平台) or in person at the PSB counter: the completed System Security Level Registration Form (系统安全等级保护备案表, xìtǒng ānquán děngjí bǎohù bèi’àn biǎo), the evaluation report, system architecture diagrams, a data flow description, and a legal entity certificate (business license). Foreign companies must also provide a Representative Office Registration Certificate or the Foreign-Invested Enterprise (FIE) license. The PSB reviews the submission for completeness and consistency. If approved, the PSB issues an official Filing Registration Certificate (备案证书, bèi’àn zhèngshū), which is valid for one year (for Level 2) and must be renewed annually with a new evaluation. The PSB’s statutory review period is 45 business days, but in practice, straightforward submissions are processed within 25 business days. Keep the certificate readily available for inspection by local authorities.
Required Documentation and Compliance Checklist
Gathering the correct documentation is often the most time-consuming part of registration. The core document checklist includes: (1) a formal application letter signed by the legal representative; (2) the completed registration form in both Chinese and English (notarized copy); (3) the system security level evaluation report from an accredited agency; (4) system design and network topology diagrams; (5) a data classification and impact assessment report; (6) a copy of the company’s business license or FIE registration; and (7) a letter of authorization for the person submitting the application. For systems classified as Level 3 or above, additional documentation is required: an Information Security Management System (ISMS) plan, an incident response plan, and proof of a dedicated Chief Security Officer (CSO/首席安全官, shǒuxí ānquán guān). Foreign-origin systems, such as those hosted on a global cloud platform with nodes in China, must also provide a Data Localization Compliance Statement confirming all personal and important data is stored within China’s borders. Missing any of these documents can delay the PSB review by an additional 10–20 business days. Engage a local legal or cybersecurity compliance consultant—there are over 1,500 specialized firms in China as of 2025—to pre-validate your document package before submission. Annual renewal requires a fresh evaluation and updated documentation, though the process is typically streamlined if no major system changes have occurred. Non-compliance with renewal deadlines can result in the certificate being revoked and potential administrative penalties, including fines of up to ¥500,000 (approx. $69,500).
Timeline, Costs, and Common Pitfalls
Typical Registration Timeline
From system classification to certificate issuance, the process typically takes 75–120 business days for Level 2 systems, and 100–150 business days for Level 3. The breakdown: self-assessment and agency selection (5–10 days), testing and remediation (25–50 days), report preparation and submission (10–20 days), PSB review (25–45 days). Rush services are not officially available, but engaging a pre-qualified agency with PSB familiarity can shave 10–15 days off the review phase. Plan your system launch date with this timeline in mind—registering post-launch without a certificate exposes you to immediate penalty risk. As of early 2026, authorities in major cities like Shanghai and Shenzhen have escalated random on-site inspections; over 40% of foreign-invested enterprises inspected in pilot zones were found non-compliant in the first half of 2025, leading to fines and temporary operational suspensions.
Cost Breakdown (2026 Estimates)
| Item | Level 2 (¥) | Level 3 (¥) |
|---|---|---|
| Third-party evaluation fee | 100,000–250,000 | 250,000–500,000 |
| Remediation & tech upgrades | 80,000–200,000 | 200,000–600,000 |
| Compliance consultant (optional) | 50,000–150,000 | 150,000–300,000 |
| PSB filing fee | 0 (statutory) | 0 (statutory) |
| Annual renewal cost | 100,000–200,000 | 250,000–500,000 |
Total first-year compliance costs for a typical foreign-operated Level 2 system range from ¥280,000 to ¥600,000 (approx. $39,000–$83,000). Level 3 costs are significantly higher, often exceeding ¥1.4 million. Budget for annual renewal at roughly 70–80% of initial costs, unless system changes necessitate a full re-evaluation.
Common Pitfalls to Avoid
Foreign companies frequently trip on the following: (1) Misclassification—down-classifying a Level 2 system as Level 1 to reduce costs, which backfires during PSB review and leads to reclassification and penalties; (2) Incomplete documentation—submitting without a proper data flow diagram or without notarized translations for foreign-language documents; (3) Ignoring data localization—hosting data on a global cloud node that does not comply with China’s data storage requirements; (4) Delaying engagement—waiting until after system launch to start the registration process, risking penalties; (5) Assuming one size fits all—using a single testing agency for multiple system types without verifying the agency’s accreditation scope (some agencies are only accredited for Level 2, not Level 3). Engage a qualified cybersecurity law firm or compliance consultant before classification. As of 2026, over 60% of foreign companies that use a local consultant complete registration within the standard timeline, compared to 40% for those that do not.
NEXT STEPS: 3 Decision-Path Recommendations
- Immediate Self-Assessment and Classification: For any foreign-owned system currently live or planned for launch in China in 2026, commission a classification assessment within the next 30 days. Use the GB/T 22240-2020 framework and engage an accredited Chinese testing agency (list available on the CAC website). Document system architecture, data volumes (e.g., user count, data categories), and cross-border data flows. This step alone will reveal your required certification level and set the compliance timeline. Do not proceed with system launch until classification is confirmed.
- Engage a Qualified Third-Party Testing Agency and Compliance Consultant: Select an agency from the official CAC list (over 210 approved as of 2026) that holds accreditation for your system’s level. Simultaneously, hire a local cybersecurity compliance consultant or law firm with PSB rapport. The consultant will pre-validate your documentation package, remediate technical gaps, and manage submission timelines. Budget for this at ¥200,000–¥400,000 for a typical Level 2 project. Avoid “budget” agencies—quality issues in evaluation reports are a top reason for PSB rejection.
- Set a 90-Day Certification Rollout Plan: Establish a project plan targeting a completed registration within 75–100 business days. Include milestones: classification sign-off (Week 2), agency contract (Week 3), evaluation completion (Week 8), remediation (Week 12), PSB submission (Week 14), certificate receipt (Week 18). Assign a dedicated internal resource—ideally a local compliance manager—to track progress. If you operate in multiple jurisdictions (e.g., Shanghai and Beijing), remember that each local PSB has specific submission preferences; a unified submission strategy across regions is not possible. Start today to avoid enforcement risks that could disrupt your China market operations.
— China Gateway 360 —
