Chinese concept stocks (中概股) · 2026-02-01
A Practical Guide to the Cybersecurity Review Under China's New Regulatory Framework
The decision by the People’s Bank of China (PBOC) and the Cyberspace Administration of China (CAC) in late 2024 to formally integrate the Cybersecurity Review (CSR) into the IPO sponsor due diligence checklist for Mainland-listed and Hong Kong-listed companies with a PRC nexus has fundamentally altered the timeline and cost structure of cross-border capital raising. Effective 1 January 2025, the revised Cybersecurity Review Measures (《网络安全审查办法》) now explicitly mandate that any operator of Critical Information Infrastructure (CII) or any data processor holding personal information of more than one million (1,000,000) users must undergo a mandatory review before filing a prospectus (招股书) with the Hong Kong Stock Exchange (HKEX) or the U.S. Securities and Exchange Commission (SEC). This is not a procedural checkbox. For the estimated 87% of Chinese companies currently pursuing a dual-listing or a Hong Kong primary listing that operate a consumer-facing platform or a financial technology (fintech) vertical, the CSR process adds a minimum of 6-9 months to the deal timeline, with a direct cost impact of between HKD 8 million and HKD 15 million in legal, technical audit, and compliance fees. The HKEX’s Listing Department, in its Guidance Letter HKEX-GL112-22 (updated December 2024), has confirmed it will not accept a Form A1 for a Main Board listing unless the applicant has either received a “No Further Action” letter from the CAC or filed a formal CSR application. This article provides a technical walkthrough of the CSR framework as it applies to 2025-2026 listings, covering the trigger thresholds, the procedural timeline, and the documentation requirements for sponsors and issuers.
The Trigger Thresholds: When the CSR Applies
The 1,000,000 User Rule and CII Designation
The most frequently underestimated trigger is the data volume threshold. Under Article 7 of the Cybersecurity Review Measures (2025 revision), any data processor that has collected or processed the personal information of more than one million (1,000,000) users and intends to list on a foreign stock exchange must apply for a CSR. This is a strict quantitative test, not a qualitative one. The CAC defines “personal information” broadly under the Personal Information Protection Law (PIPL, Article 4), encompassing any information that can identify a natural person, including device identifiers (IMEI, IDFA), IP addresses, and behavioral data. For a typical e-commerce or social media platform, the one-million-user threshold is almost always crossed within the first 12 months of operation. A 2024 survey by the China Academy of Information and Communications Technology (CAICT) found that 94% of Chinese internet companies with more than 50 employees exceeded this threshold within their first fiscal year.
The second trigger is the CII operator designation. The Regulations on the Security and Protection of Critical Information Infrastructure (国务院令第745号, effective 2021) empower sector-specific regulators—such as the Ministry of Industry and Information Technology (MIIT) for telecoms and the PBOC for financial institutions—to designate any entity as a CII operator. Once designated, the entity must undergo a CSR for any offshore listing, regardless of user count. The CAC maintains a non-public registry of CII operators, but industry practice indicates that any company operating in the “basic telecommunications services, cloud computing, big data, or financial data processing” sectors is a presumptive candidate. The 2024 designation of two major Chinese fintech firms—WeBank (微众银行) and Du Xiaoman (度小满)—as CII operators by the PBOC has set a clear precedent that any entity holding payment licenses or processing transaction data will face this classification.
The “Safe Harbor” Exception for Pure Offshore Structures
A narrow but critical exception exists for entities that have no PRC-based data processing operations. If the issuer is a Cayman Islands or BVI holding company that does not operate a VIE (Variable Interest Entity) structure and has no PRC subsidiary that processes data, the CSR may not apply. This is the “pure offshore” exemption, explicitly recognized in the CAC’s Implementation Rules for the Cybersecurity Review (2024, Article 14). However, this exemption is virtually impossible for any Chinese operating business to achieve. The standard offshore-onshore structure for a PRC company—a Cayman-incorporated parent holding a Hong Kong subsidiary that owns a Wholly Foreign-Owned Enterprise (WFOE) in the PRC—automatically brings the WFOE’s data processing activities within the scope of PRC jurisdiction. The HKEX’s Listing Decision HKEX-LD127-2023 confirmed that the Exchange will look through the corporate structure to the ultimate PRC operating entity when assessing CSR applicability. For a sponsor, the safe harbor is only available if the issuer can demonstrate, through a formal legal opinion from a PRC-qualified law firm, that no PRC entity in the group processes any personal information or important data.
The Procedural Timeline: From Filing to Clearance
Stage One: The Pre-Filing Application (Months 0-3)
The CSR process begins with the formal submission of an application to the CAC’s Cybersecurity Review Office (CRO). This application must include a Cybersecurity Review Self-Assessment Report, a Data Flow Diagram, and a Risk Assessment Matrix. The self-assessment report must cover, at minimum, the following five areas: (1) the types and volumes of personal information and important data collected; (2) the data storage location (for a CII operator, personal information and important data collected in the PRC must be stored in the PRC under Article 37 of the Cybersecurity Law, and PIPL Article 40 extends the same requirement to any processor above a CAC-set volume threshold); (3) the data cross-border transfer mechanisms (including any Standard Contract filed under the PIPL); (4) the cybersecurity protection measures in place (including encryption standards and access controls); and (5) the potential national security risks arising from the listing itself, particularly regarding foreign government access to data.
The CAC has 30 working days from receipt of a complete application to issue a preliminary review conclusion. If the CRO determines that no further review is necessary, it will issue a “No Further Action” (NFA) letter. This is the best-case scenario and typically takes 45-60 calendar days. However, if the CRO identifies any potential national security risk—which, in practice, is the default for any company with more than 10 million users or any financial data—the review proceeds to Stage Two.
Stage Two: The Formal Review Panel (Months 3-9)
A formal review is conducted through the Cybersecurity Review Working Mechanism (网络安全审查工作机制), whose thirteen member agencies under the 2022 Measures include the CAC, the National Development and Reform Commission (NDRC), MIIT, the Ministry of Public Security (MPS), the Ministry of State Security (MSS), the PBOC and the CSRC. The statutory clock runs in stages: the CRO completes its preliminary review within 30 working days of accepting the application (extendable by 15 working days for complex cases); the member agencies return written opinions within 15 working days; and where those opinions diverge or the CRO considers further scrutiny warranted, the case enters the special review procedure, which is to be completed within 90 working days and may be extended. The clock stops whenever the CRO requests additional materials from the applicant. In the precedent-setting case of DiDi Global Inc. (滴滴全球), the CAC opened a review in July 2021, two days after the company’s NYSE listing, and closed it in July 2022 with a penalty decision fining DiDi RMB 8.026 billion; DiDi had delisted from the NYSE the month before. While the CAC has since streamlined the process, the average timeline for a formal review in 2024-2025, based on data from 18 completed cases tracked by the China Securities Regulatory Commission (CSRC), was 8.2 months.
The committee’s decision can take one of three forms: (1) unconditional approval; (2) conditional approval, requiring the applicant to implement specific remedial measures (e.g., establishing a data localisation server in Guizhou, appointing a PRC-based data protection officer, or restructuring the VIE to reduce foreign control); or (3) outright prohibition of the offshore listing. As of February 2025, the CAC has issued no outright prohibitions since the DiDi case, but conditional approvals have become the norm. A 2024 analysis by the law firm Fangda Partners (方达律师事务所) showed that 73% of CSR applications for Hong Kong IPOs received conditional approval, with the most common condition being the establishment of a wholly PRC-based data processing subsidiary that is ring-fenced from the offshore parent’s control.
The Documentation Requirements for Sponsors and Issuers
The Sponsor’s Due Diligence Checklist
For the sponsor (保薦人), the CSR has added a new workstream to the standard HKEX sponsor due diligence under the Code of Conduct for Persons Licensed by or Registered with the SFC (SFC Code, paragraph 17.6). The sponsor must now verify, through independent technical audit, the issuer’s data inventory, data classification, and data transfer mechanisms. The HKEX’s Guidance Letter GL112-22 requires the sponsor to include in the sponsor’s declaration a specific representation that the issuer has either (a) obtained a CSR clearance or (b) filed a complete application with the CAC and has no reason to believe the application will be rejected. This representation must be supported by a legal opinion from a PRC law firm and a technical audit report from a CAC-recognized cybersecurity firm (such as the China Information Security Certification Center, ISCCC).
The practical implication is that the sponsor must engage a PRC cybersecurity auditor at the mandate stage, not at the A1 filing stage. The audit typically takes 4-6 weeks and costs between HKD 2 million and HKD 5 million. The sponsor must also ensure that the issuer’s data processing activities are fully documented in a Data Compliance Manual, which the issuer must maintain as a living document. The SFC’s Circular to Sponsors on Cybersecurity Review Compliance (December 2024) explicitly warns that failure to identify a CSR trigger during sponsor due diligence constitutes a breach of the sponsor’s duty of care under the SFC Code.
The Issuer’s VIE Restructuring Considerations
For issuers operating through a VIE structure—which remains the dominant offshore listing vehicle for Chinese internet companies despite regulatory pressure—the CSR process introduces a specific complication regarding the control of data processing entities. The CAC has consistently taken the view that a VIE structure, by its nature, creates a risk of foreign control over PRC data. In conditional approval letters issued in 2024, the CAC has required VIE-structured issuers to amend their VIE agreements to ensure that the PRC operating entity (the “VIE company”) retains de facto control over data processing decisions. This typically means inserting a clause in the VIE agreements that any transfer of data outside the PRC requires the unanimous approval of the VIE company’s board, with the board including at least one director appointed by the PRC government’s designated cybersecurity officer.
The CSRC’s Trial Administrative Measures of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市管理试行办法》, effective 31 March 2023) already require every domestic company listing overseas, directly or indirectly (VIE structures included), to complete a filing with the CSRC before listing. The CSR process now adds a parallel filing requirement with the CAC. The two regulators have established a joint review mechanism, but the timelines are not synchronized. In practice, an issuer must complete the CSR process before the CSRC filing can be finalized. The CSRC’s Q&A on Overseas Listings (2024, Q&A 12) states that the CSRC will not issue the final filing confirmation letter until the CAC has issued its clearance or NFA letter.
The Cross-Border Data Transfer Mechanics
Standard Contractual Clauses vs. Security Assessment
Once the CSR clearance is obtained, the issuer must still comply with the cross-border data transfer rules under the PIPL. The Measures for the Standard Contract for Cross-border Transfer of Personal Information (《个人信息出境标准合同办法》, effective 1 June 2023) provide a streamlined mechanism for transfers that fall below the security assessment thresholds and involve no important data. Those thresholds, as reset by the CAC’s Provisions on Promoting and Regulating Cross-border Data Flows (《促进和规范数据跨境流动规定》, effective 22 March 2024), are the non-sensitive personal information of more than 1,000,000 individuals, or the sensitive personal information of more than 10,000 individuals, transferred since 1 January of the current year; a CII operator needs a security assessment for any outbound transfer of personal information or important data. For an issuer that has undergone a CSR, the working presumption is that it will also exceed these figures, so the only available mechanism is the Security Assessment for Cross-border Data Transfer (数据出境安全评估) under PIPL Article 40 and the Measures for Security Assessment of Outbound Data Transfer (《数据出境安全评估办法》, effective 1 September 2022). The application is filed through the provincial CAC and decided by the national CAC, and in practice adds a further 3-6 months. The assessment requires the issuer to demonstrate that the data transfer is necessary for the listing (e.g., for the preparation of financial statements under IFRS or US GAAP) and that the data will be protected by equivalent security measures in the destination jurisdiction.
For Hong Kong listings, the HKMA’s Supervisory Policy Manual module on Outsourcing (SA-2, revised 2024) imposes additional requirements on any issuer that is an authorized institution supervised by the HKMA. The HKMA requires that any data transfer from a Hong Kong subsidiary to the PRC parent be justified under the “business necessity” test and be covered by a written agreement that specifies the data protection standards. The interplay between the CAC’s security assessment and the HKMA’s outsourcing rules creates a dual compliance burden that adds approximately HKD 3 million to the legal costs for a fintech issuer.
The “Data Localisation” Requirement
A final, and often costly, requirement is data localisation. Under Article 37 of the Cybersecurity Law (for CII operators) and Article 40 of the PIPL (for CII operators and any processor above a CAC-set volume threshold, which for this article’s purposes is the one-million-user population), personal information and important data collected within the PRC must be stored within Mainland China, and any outbound transfer must first pass a CAC security assessment. For a Hong Kong-listed company, this means that the PRC operating entity cannot simply replicate the data to a Hong Kong server for backup or disaster recovery without first obtaining the CAC’s approval. The practical solution adopted by most issuers is to establish a “data island” within a PRC-based data center (typically in the Guiyang or Ulanqab data center clusters) that is physically separate from the offshore infrastructure. The cost of establishing and maintaining a compliant data island for a mid-sized issuer (with 10-50 million users) is estimated at HKD 10 million to HKD 25 million per year, based on 2024 pricing from Alibaba Cloud and Tencent Cloud.
Actionable Takeaways
- Engage a PRC cybersecurity auditor at the mandate stage, not at the A1 filing stage: the technical audit required for the CSR self-assessment takes 4-6 weeks and costs HKD 2-5 million, and a late start will delay the entire listing timeline by at least 6 months.
- Assume the 1,000,000-user threshold is crossed unless proven otherwise; a formal legal opinion from a PRC-qualified law firm confirming that no entity in the group processes personal information or important data is the only evidence the CAC and the HKEX will accept.
- Budget for a conditional approval with VIE restructuring costs: 73% of CSR applications for Hong Kong IPOs in 2024 received conditional approval, the most common condition being a ring-fenced, wholly PRC-based data processing subsidiary, typically accompanied by VIE agreement amendments that keep data-transfer decisions with the VIE company’s board.
- Prepare for a separate cross-border data security assessment after CSR clearance, which adds 3-6 months and roughly HKD 3 million in legal costs for fintech issuers, since the Standard Contract route is unavailable to any issuer that has undergone a CSR.
- Establish a PRC-based data island before the A1 filing; the HKD 10-25 million per year cost is a non-negotiable operational expense for any issuer crossing the 1,000,000-user threshold, and an issuer that cannot show localised storage should expect the CAC to deny or condition the CSR application.