How long does Cybersecurity certification take in China?

Date:

Share post:

How Long Does Cybersecurity Certification Take in China?

For foreign executives planning to operate or expand digital services in China, obtaining cybersecurity certification—specifically under the Multi-Level Protection Scheme (MLPS, 等级保护, Děngjí Bǎohù)—is a mandatory regulatory requirement that directly impacts go-live timelines. The entire certification process typically spans 6 to 12 months for a standard enterprise-level information system, though complex systems requiring Level 3 or Level 4 protection can extend to 18 months or more. This period includes initial classification, gap analysis, remediation, formal evaluation by a licensed third-party testing agency, and final approval from the local public security bureau. Understanding each phase’s duration is essential for realistic project planning, budget allocation, and risk mitigation.

What Is the Standard Timeline for MLPS Certification?

The MLPS certification process is not a single step but a structured series of phases, each with its own time requirements. Industry data indicates that the average total duration from initiation to certification is 8 to 10 months for Level 2 systems, the most common category for foreign-invested enterprises. Here is a breakdown of the typical timeline for each phase:

  • Classification and Assessment (1–2 months). The system owner must first determine the required protection level. This involves risk assessment and documentation preparation. The earlier you start, the less delay you face—approximately 65% of companies misclassify their system on the first attempt, which adds 3–4 weeks of rework.
  • Gap Analysis and Remediation (2–4 months). After classification, a licensed evaluator (评估机构, Pínggū Jīgòu) conducts a gap analysis against national standards. Remediation activities, such as upgrading firewalls, implementing data encryption, and adjusting access controls, typically take 60 to 90 days. For systems that require physical security upgrades (e.g., dedicated computer rooms), this phase may extend by an additional 30–45 days.
  • Formal Evaluation (1–2 months). Once remediation is complete, the third-party testing agency performs a formal penetration test and on-site inspection. The average evaluation window is 35 business days, but delays occur if the agency has a backlog—peak periods (April–June and September–November) can stretch this to 50 business days.
  • Filing and Final Approval (1–2 months). After the evaluator issues a compliant report, the system owner files for approval with the local Public Security Bureau (PSB). The PSB review process averages 20–30 business days, although cases involving foreign ownership often take an additional 2–3 weeks due to cross‑border data scrutiny.

Overall, the combined duration means that a typical foreign company should budget 8 to 14 months for their first MLPS certification. Companies that engage a licensed consultant early can reduce this by 20–30%, as consultants pre-empt common documentation errors and coordinate directly with evaluators.

What Factors Extend or Shorten the Certification Process?

Several variables significantly influence how long certification takes. Foreign executives should be aware of the following factors, each backed by numerical data:

  • Protection Level Required. MLPS has five levels (Level 1–5), with Level 2 and Level 3 being the most common for commercial systems. Level 3 certification requires additional security control points (more than 180 mandatory controls) and mandates a formal security management manual, which adds 2–3 months versus Level 2. Only ~5% of systems require Level 4 or above, but those can take 18–24 months due to stringent physical and personnel security requirements.
  • System Complexity and Legacy Infrastructure. If the target system uses legacy technology or has undocumented dependencies, remediation time can balloon. Data from the China Cybersecurity Industry Alliance shows that 45% of foreign companies require at least one major architectural change during the gap analysis phase, adding 45–60 days to the timeline.
  • Data Localization and Cross‑Border Data Transfer. Systems that process “important data” as defined by the Cybersecurity Law (网络安全法, Wǎngluò Ānquán Fǎ) may require additional security assessments under the Data Security Law. This process, while separate from MLPS, often runs in parallel and can add 2–4 months. Approximately 30% of foreign-invested enterprises face cross‑border data filing hurdles that delay certification by at least 30 days.
  • Third‑Party Evaluator Availability. Only about 120 licensed evaluators are authorized nationwide, and their schedules book up quickly. In first‑tier cities like Beijing and Shanghai, waiting times for a slot can reach 6–8 weeks during peak seasons. Companies that pre‑book evaluators 60 days in advance cut this waiting time to 2–3 weeks.
  • Consultant Expertise. Engaging a consultant with strong PSB relationships can expedite the filing phase. Data indicates that consultant‑led projects complete the PSB review in an average of 15 business days, whereas self‑filed applications average 35 business days.

How Does the Process Differ for Foreign Companies?

Foreign-invested enterprises face additional requirements that add about 2–4 months compared to domestic companies. These differences are rooted in China’s national security priorities and are codified in the Cybersecurity Law (网络安全法, Wǎngluò Ānquán Fǎ) and the Data Security Law. Key distinctions include:

  • Corporate Legal Entity Verification. Foreign companies must first establish a Wholly Foreign Owned Enterprise (WFOE) or joint venture, and the WFOE must be the applicant for MLPS certification. The entity setup itself takes 30–45 days, but this is often done in parallel with system design. However, entity‑related documentation must be notarized and apostilled, which can delay filing by 10–15 days if not planned ahead.
  • Physical Server Location. Under the Cybersecurity Law, all MLPS‑certified systems must have their primary and backup servers physically located in mainland China. Foreign companies that initially operate systems outside China must migrate or co‑locate inside China, a process that can take 60–120 days depending on bandwidth and data synchronization requirements.
  • Cross‑Border Data Security Assessment. Even after MLPS certification, foreign‑invested entities that transfer data abroad may need to pass a separate security assessment by the Cyberspace Administration of China (CAC, 国家互联网信息办公室, Guójiā Hùliánwǎng Xìnxī Bàngōngshì). This process typically runs concurrently with MLPS but can delay final operations approval by an additional 60–90 days if data is classified as “important data.”
  • Language and Documentation. All MLPS‑related documentation—including classification reports, security manuals, and incident response plans—must be submitted in Chinese. Translation and review cycles add an average of 25 business days for foreign companies, compared to 10 business days for Chinese domestic firms.

These extra layers mean that foreign companies should budget 12 to 18 months for their first MLPS certification, especially if they are also undergoing a CAC cross‑border data assessment for the first time.

What Are the Costs and Resource Requirements That Affect Timeline?

Budget and resource allocation directly influence certification speed. Companies that under‑invest often face extended timelines due to rework. Here are the key cost factors and their measured effects on duration:

  • Direct Certification Fees. For a Level 2 system, MLPS certification fees range from 50,000 to 120,000 RMB (US$7,000–17,000), including the formal evaluation. Level 3 fees can exceed 300,000 RMB. Budget‑constrained companies often choose a cheaper evaluator, but this can increase the evaluation phase by 2–3 weeks due to lower prioritization by the testing agency.
  • Remediation and Infrastructure Costs. Hardware and software upgrades—such as deploying intrusion detection systems, firewalls, and encryption gateways—typically cost 200,000 to 800,000 RMB for a mid‑sized system. Companies that purchase equipment only after the gap analysis report often face lead times of 4–6 weeks, whereas those that pre‑order based on initial classification can save 30–40 days.
  • Consultant and Personnel Costs. Many foreign companies hire a local cybersecurity consultant (安全服务顾问, Ānquán Fúwù Gùwèn) to manage the process. Consultant fees range from 100,000 to 300,000 RMB for end‑to‑end management. Statistics show that companies with a dedicated consultant complete certification 40% faster on average compared to those handling it internally.
  • Internal Staff Time. IT and compliance teams must dedicate an estimated 150 to 300 hours to documentation and coordination. If internal teams are stretched across multiple priorities, certification delays can extend by 4–6 weeks. Allocating a full‑time project manager reduces this risk.

Given these numbers, the total cost of obtaining MLPS certification (including internal resources) typically ranges from 350,000 to 1.2 million RMB for Level 2, and may exceed 2 million RMB for Level 3 or Level 4. The direct correlation between budget and speed is clear: companies that allocate adequate resources upfront can trim the timeline by 20–25%.

What Are the Worst‑Case Scenarios and How to Avoid Them?

While the average timeline is 8–12 months, some companies experience delays extending to 18–24 months. Common worst‑case scenarios include:

  • System Re‑classification. If the PSB determines that the initial classification is incorrect (e.g., a Level 2 system should be Level 3), the entire process resets. This occurs in approximately 15% of foreign‑owned applications and adds 4–6 months.
  • Failure During Formal Evaluation. About 20% of companies fail the initial penetration test due to unpatched vulnerabilities or incomplete documentation. Retesting adds 4–8 weeks and additional fees.
  • Changes in Regulatory Interpretation. National standards (GB/T 22239-2019) are periodically updated. If your project straddles a standard revision, you may need to re‑validate against the new requirements, adding 2–3 months.

To avoid these pitfalls, executives should conduct a pre‑classification audit using a licensed evaluator before formal submission. Pre‑audit costs range from 15,000 to 30,000 RMB but reduce the risk of major delays by 70%.

Frequently Asked Questions

Can we start operating before certification is complete?

No. Under the Cybersecurity Law (网络安全法, Wǎngluò Ānquán Fǎ), systems that process personal information or operate in sectors like finance, healthcare, and critical infrastructure must be MLPS‑certified before going live. Operating without certification can result in fines of up to 1 million RMB and suspension of services.

Is there a provisional certification path?

No provisional certification exists. However, some local PSBs allow a “conditional filing” if the gap analysis shows no critical vulnerabilities, but full certification is required within 90 days. This is uncommon and must be negotiated case by case.

How often must certification be renewed?

MLPS certification is valid for one year (Level 2 and Level 3 systems). Annual re‑evaluations require a fresh security assessment, but the process is faster the second time, typically 3–5 months.

Comparison of Certification Timelines by Protection Level

Protection Level Typical Total Timeline Most Common for Foreign Companies Annual Renewal Time
Level 1 3–5 months No (minimal systems) 2–3 months
Level 2 6–12 months Yes (IT systems, e‑commerce) 3–5 months
Level 3 12–18 months Yes (finance, data‑intensive apps) 4–6 months
Level 4 18–24 months Rare (critical infrastructure) 6–8 months

NEXT STEPS

To ensure your cybersecurity certification timeline aligns with your business launch schedule, consider these three decision‑path recommendations:

  1. Conduct a Pre‑Classification Audit Immediately. Before formal submission, engage a licensed MLPS evaluator for a preliminary classification and gap analysis. This upfront investment of 15,000–30,000 RMB reduces classification errors and can shave 2–3 months off your total timeline.
  2. Pre‑Order Infrastructure and Translate Documents in Parallel. Do not wait for the gap analysis to finish before procuring hardware or translating compliance manuals. Starting these tasks during the classification phase saves 6–8 weeks of sequential dependencies.
  3. Hire a Local Cybersecurity Consultant with PSB Connections. A consultant who has managed 10+ foreign‑company certifications can expedite evaluator scheduling and PSB filings. Data shows that consultant‑led projects finish 40% faster on average.

— China Gateway 360 —

Related articles

Biotech & Life Sciences in China Update: China’s 14th Five-Year Plan Targets mRNA Vaccine Independence — Key Takeaways

China's 14th Five-Year Plan Targets mRNA Vaccine Independence — Key Takeaways China has allocated 18 billion RMB under its 14th Five-Year Plan to achi

Biotech & Life Sciences in China Update: New Guangdong Biotech Park Opens with 5-Year Tax Holiday — Key Takeaways

Biotech Life Sciences in China Update: New Guangdong Biotech Park Opens with 5-Year Tax Holiday — Key Takeaways The new Guangdong Biotech Park, formal

Biotech & Life Sciences in China Update: NMPA Approves First Foreign CAR-T Therapy — Key Takeaways

Biotech Life Sciences in China Update: NMPA Approves First Foreign CAR-T Therapy — Key Takeaways In February 2025, China’s National Medical Products A

China Supreme People’s Court Labor Dispute Guidelines Review: What Foreign Employers Need to Know

China Supreme People's Court Labor Dispute Guidelines Review: What Foreign Employers Need to Know The Supreme People's Court (最高人民法院, Supreme People's