New Cybersecurity Review Rules – 5 Major Impacts on Foreign Listing of Chinese Companies

Data security of Chinese companies has been under scrutiny by Chinese authorities. In early July, the Cyberspace Administration of China (the “CAC”) announced a cybersecurity review of a top ride-hailing platform in China, taking China’s tech companies and international markets by surprise. This was followed by similar investigations initiated by the CAC into three other Chinese tech companies that have recently been listed in the US. It is evident that such an approach was taken due to concerns about data security. To close the perceived loopholes in the current regulations, on 10 July 2021, the CAC issued a draft amendment to the existing Cybersecurity Review Measures (the “Draft Measures”) for public comment.

Here are five major impacts of the Draft Measures on foreign listings of Chinese companies.

1. Expanding triggering events of a cybersecurity review

Unlike the previous version, the Draft Measures include several additional triggering events for a cybersecurity review. Most notably, operators which hold more than “one million user personal information” must report to the Cybersecurity Review Office established by the CAC for a cybersecurity review before being listed on foreign stock markets. In addition, if the authority believes that a foreign listing affects or could affect national security, a cybersecurity review may be initiated. Further, data processing activities of Chinese companies that affect or could affect China’s national security will trigger a cybersecurity review.

It is unclear whether the expression “one million user personal information” means one million pieces of personal information or the personal information of one million users. However, in any event one million is a relatively low bar to meet, and it is likely that the vast majority of the Chinese tech companies aspiring to an initial public offering (“IPO”) in foreign stock markets would be subject to a cybersecurity review. Accordingly, the China Securities Regulatory Commission has been added as one of the supervising authorities of the cybersecurity review. The cybersecurity review will focus on, among other things, the risk that critical information infrastructure, core data, important data or large amounts of personal information are “affected, controlled, or maliciously used” by foreign governments after foreign listings.

2. Affecting businesses’ decision on place of listing

It is worth noting that the term “foreign listing” is used in the Draft Measures, instead of the traditional expression of “overseas listing” as commonly used in Chinese securities regulations. This seems to indicate that Hong Kong listings are exempted from the Draft Measures. If so, the Draft Measures provide a strong incentive for Chinese companies to go public in Hong Kong so as to avoid complex regulatory approval processes. However, given that the data security legal regime of Hong Kong is significantly different from that of Mainland China, and that data transfers from Mainland China to Hong Kong are treated as cross-border data transfers under existing Chinese regulations, CAC’s position on Hong Kong listings is to some extent unclear and remains to be clarified in the future.

3. Increasing materials required for a cybersecurity review

In addition to the requested materials under the previous version, IPO materials to be filed (with foreign regulators) are specifically required under the Draft Measures. Although the Draft Measures do not specify the IPO materials, prospectuses will likely be required as well as such other documents as the Cybersecurity Review Office deems necessary. In this regard, companies should ensure that the sharing of such information with Chinese authorities would not violate the listing rules of the relevant jurisdiction.

4. Extending timeline of special review process

Under the previous version, a general review process will be completed in 45 working days, which may be extended by 15 working days in complex cases. If a unanimous agreement on the case cannot be reached by the relevant authorities, a special review process will be triggered, which takes 45 working days and can be further extended with no time limit. The Draft Measures further change the timeline of the special review process from 45 working days to 3 months. If triggered, the special review process would bring uncertainty to the listing schedule and may pose additional legal risks to those Chinese companies.

5. Having a retroactive effect on Chinese companies already listed abroad

The Draft Measures do not explicitly require Chinese companies that have already listed abroad prior to the implementation of the Draft Measures to apply for cybersecurity reviews. However, if the foreign listing of a Chinese company is deemed to affect or could affect China’s national security, a cybersecurity review may still be initiated. It is unclear what enforcement actions Chinese authorities would take if a foreign-listed Chinese company is found to pose risks to China’s national security, e.g., whether such a company would be required to delist from foreign stock markets.


If enacted in their current form, the Draft Measures will have a significant impact on Chinese companies contemplating going public in foreign countries. Due to the differences between Hong Kong and Mainland China’s data security legal regimes, it remains unclear whether Hong Kong listings would be deemed to pose risks to China’s national data security and thus trigger a cybersecurity review. Chinese companies should closely monitor the fast-evolving legal landscape and ensure strict compliance with data security laws and regulations in China.

Registered Foreign Lawyer, SF Lawyers in association with KPMG Law

Legal Manager, Shanghai SF Lawyers in association with KPMG Law

Associate, Shanghai SF Lawyers in association with KPMG Law