China IPO Watch

China Concept Stocks · 2025-12-26

Cybersecurity Review for China Concept Stocks: Which Companies Must File?

The 2025 calendar year marks the first full enforcement cycle of China’s revised Cybersecurity Review Measures (《网络安全审查办法》, hereafter the “Measures”), promulgated by the Cyberspace Administration of China (CAC) in February 2022 and effective from 15 February 2022. For China concept stocks—defined here as issuers with a PRC-operating group listed on the Hong Kong Stock Exchange (HKEX) or the US Nasdaq/NYSE via a Variable Interest Entity (VIE) or direct offshore holding structure—the critical question is no longer whether to file, but which entity must file and under what trigger. The CAC’s enforcement pattern since 2023, combined with the 2024 guidance from the China Securities Regulatory Commission (CSRC) on overseas listing filings, has created a binary compliance landscape: companies handling “core data” or “important data” as defined under the Data Security Law (DSL, effective 1 September 2021) are subject to mandatory review, while those processing only “personal information” (PI) of over one million users face a discretionary review that is increasingly becoming de facto mandatory for any issuer with a consumer-facing platform. This article dissects the filing triggers, the VIE architecture implications, and the practical consequences for issuers, sponsors, and counsel preparing for a 2025–2026 listing.

The Regulatory Architecture: Three Laws, One Gateway

The cybersecurity review regime sits at the intersection of three PRC laws: the Cybersecurity Law (CSL, effective 1 June 2017), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL, effective 1 November 2021). The Measures operationalise these laws by creating a single review gateway administered by the CAC, with the Cybersecurity Review Office (CRO) acting as the filing and decision body.

The “Operator of Critical Information Infrastructure” (CIIO) Trigger

Article 2 of the Measures states that “operators of critical information infrastructure” (CIIOs) purchasing network products and services that affect or may affect national security must undergo a cybersecurity review. The identification of CIIOs is governed by the Regulations on the Security Protection of Critical Information Infrastructure (《关键信息基础设施安全保护条例》, effective 1 September 2021). Under these regulations, sectors including finance, energy, transportation, telecommunications, and healthcare are explicitly designated as CII sectors. For a China concept stock operating in these sectors—for example, a fintech platform holding a payment licence from the People’s Bank of China (PBOC) or a healthcare company operating a hospital information system—the CIIO designation is almost certain.

The practical consequence is binary: if the issuer or any of its PRC operating subsidiaries is formally designated as a CIIO by the relevant industry regulator (e.g., the PBOC for financial institutions, the National Energy Administration for energy companies), any procurement of network products or services—including cloud computing services, data analytics platforms, or even basic IT hardware—that “affects or may affect national security” triggers a mandatory review. The CAC has not published a definitive list of designated CIIOs, but the 2023 enforcement action against Didi Global Inc. (NYSE: DIDI, delisted 2022) established the precedent that a consumer-facing platform with over 100 million users and a presence in the transportation sector can be treated as a de facto CIIO even absent a formal designation.

The Data Volume Trigger: “More Than One Million Users”

Article 7 of the Measures introduces a second, broader trigger: “network platform operators that possess personal information of more than one million users and intend to list abroad must apply for a cybersecurity review.” This provision is the most consequential for the majority of China concept stocks. The threshold is not annual active users (AAU) or monthly active users (MAU) but the total number of users whose personal information the platform “possesses”—a term that the CAC has interpreted broadly to include any user whose data has been collected, stored, or processed at any point, regardless of current account activity.

For an issuer with a consumer-facing app—a ride-hailing platform, an e-commerce marketplace, a social media network, or a food delivery service—the one-million-user threshold is easily exceeded. The 2024 CSRC Administrative Measures for the Filing of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市管理试行办法》, effective 31 March 2023) explicitly cross-references the Measures: Article 8 of the CSRC filing rules requires that any issuer that “needs to apply for a cybersecurity review” must submit proof of such review or a waiver letter from the CAC as part of its CSRC filing. This creates a procedural bottleneck: without a CAC review clearance or a formal written confirmation that the review is not required, the CSRC will not complete its filing acceptance.

The “Important Data” and “Core Data” Classification

The DSL introduces two additional data classifications that trigger mandatory review independent of user volume. “Important data” (重要数据) is defined in Article 21 of the DSL as data that, if tampered with, destroyed, leaked, or illegally used, may endanger national security, economic operations, social stability, or public health. “Core data” (核心数据) is a higher tier, covering data that relates to national security and critical national interests. The CAC has issued sector-specific guidance for identifying important data in the financial, telecommunications, and healthcare sectors. For a China concept stock operating in these sectors, the identification of any important data within its systems—customer transaction records for a fintech platform, patient health records for a digital health company, or user location data for a logistics platform—triggers mandatory review regardless of user count.

The VIE Architecture: Why Structure Matters More Than Ever

The VIE structure, historically used by China concept stocks to circumvent PRC foreign investment restrictions in sectors such as internet content provision, value-added telecommunications, and education, introduces unique cybersecurity review risks that the 2022 Measures did not explicitly address but which have become clear through enforcement practice.

The “Domestic Operator” Problem

Under a standard VIE structure, the offshore listed entity (typically incorporated in the Cayman Islands) holds no direct equity in the PRC operating companies. Instead, it controls them through a series of contractual arrangements—exclusive service agreements, equity pledge agreements, and proxy agreements—with a domestic limited liability company (the “VIE”) and its PRC shareholders. The Measures apply to “network platform operators,” which are defined under the CSL as operators in the PRC. The VIE itself, being a PRC-registered entity, is squarely within the CAC’s jurisdiction. However, the offshore issuer, which is the entity seeking the listing, is not itself a “network platform operator” under PRC law.

This structural disconnect creates a compliance gap. The CAC’s 2023 guidance, issued through a series of non-public Q&A sessions with law firms, clarified that the review application must be filed by the “domestic operator”—the PRC entity that actually collects and processes the data. The offshore issuer must be named as a “relevant party” in the application, but the legal obligation to file rests with the onshore entity. For issuers with multiple VIE entities—for example, a group with separate entities for content provision, payment processing, and logistics—each entity that meets the data volume or data classification threshold must be included in the application.

The “Controlling Shareholder” and “Beneficial Owner” Disclosure

The Measures require the review application to disclose the “controlling shareholders” and “actual controllers” of the applicant. For a VIE structure, this means tracing through the contractual chain to identify the ultimate beneficial owners (UBOs) of the offshore issuer. The CAC has, in practice, required disclosure of all shareholders holding 5% or more of the offshore issuer’s voting shares, as well as any shareholder with “material influence” over the VIE’s operations. This disclosure requirement has created friction for issuers with complex offshore holding structures, including those with multiple layers of Cayman, BVI, and Hong Kong intermediate holding companies.

The 2024 case of a major Chinese ride-hailing company’s HKEX listing application illustrates the point: the issuer was required to submit an organisational chart showing the full chain of ownership from the offshore parent through each intermediate holding company to each PRC VIE entity, with annotations identifying which entities met the CIIO or data volume thresholds. The CAC review process added approximately four months to the listing timeline.

The Filing Process: Timelines, Documentation, and Practical Consequences

The cybersecurity review process, as implemented by the CRO, follows a structured timeline that issuers and their sponsors must factor into the listing timetable.

The 45-Working-Day Initial Review

Article 10 of the Measures establishes a 45-working-day initial review period, starting from the date the CRO confirms receipt of a complete application. During this period, the CRO conducts a preliminary assessment based on the application materials, which must include:

  • A description of the applicant’s data processing activities, including categories of data collected, purposes of processing, and retention periods
  • A data flow diagram showing how data moves between the PRC entities and any offshore recipients (including the offshore issuer, its auditors, and any third-party service providers)
  • A self-assessment report evaluating the risks to national security arising from the proposed listing
  • A list of all shareholders holding 5% or more of the offshore issuer’s shares, with their nationality and residency information

The CRO may, within the 45-working-day period, request supplementary materials. Practitioners report that the average first-round comment letter is issued at the 20–25 working day mark, with responses typically due within 10 working days. Failure to respond within the deadline results in the application being deemed withdrawn.

The Special Review Period: An Additional 45–90 Working Days

If the CRO determines that the application raises “complex issues” or involves “multiple stakeholders,” it may initiate a special review under Article 12 of the Measures. This special review extends the timeline by up to 90 working days, with a possible further extension if the CAC determines that the review requires input from other ministries (e.g., the Ministry of Industry and Information Technology for telecommunications-sector issuers, or the PBOC for fintech issuers). The special review is not automatic—the CAC has stated that it is reserved for cases where the data involved is “core data” or where the issuer operates in a sector deemed “sensitive” under the Foreign Investment Negative List (2024 edition).

The “No Review Required” Letter

For issuers that clearly do not meet any of the mandatory triggers, the CAC has, since 2023, issued formal “no review required” letters (《无需网络安全审查的函》). These letters are typically issued within 15–20 working days of filing a simplified application. The CSRC has confirmed that such letters are accepted as proof of compliance for the purposes of the overseas listing filing process. However, the CAC has not published formal criteria for obtaining such a letter, and practitioners report that the CAC’s internal threshold for issuing them has tightened since mid-2024, particularly for issuers in the healthcare and education sectors.

Sector-Specific Considerations for 2025–2026 Issuers

The CAC’s enforcement priorities have evolved since the Measures came into effect, and issuers in certain sectors face heightened scrutiny.

Fintech and Payment Platforms

Fintech platforms holding a PBOC-issued payment licence (e.g., a third-party payment licence under the Administrative Measures for the Payment Services of Non-Financial Institutions, effective 2010, as amended) are almost invariably treated as CIIOs. The PBOC has, since 2023, required all licensed payment institutions to undergo a CIIO designation assessment. For a fintech issuer with a payment licence, the cybersecurity review filing is mandatory regardless of user count. The review will focus on the security of the payment system, the cross-border flow of transaction data, and the issuer’s compliance with the Measures for the Administration of Financial Data Security (《金融数据安全管理办法》, effective 2023).

Healthcare and Digital Health

The healthcare sector presents a distinct challenge because patient health records are classified as “important data” under the DSL, and the National Health Commission (NHC) has issued sector-specific guidance on data classification. A digital health platform that stores electronic medical records (EMRs), prescription data, or diagnostic images must file for cybersecurity review even if its user base is below one million. The CAC has, in 2024, required healthcare issuers to submit a data classification report certified by a third-party data security auditor as part of the application.

EdTech and Online Education

The education sector, particularly online tutoring platforms, was the subject of the 2021 Opinions on Further Reducing the Burden of Homework and After-School Tutoring for Compulsory Education Students (the “Double Reduction” policy), which effectively banned for-profit tutoring in core academic subjects. For EdTech issuers pivoting to non-academic offerings (e.g., vocational training, art education), the data volume trigger remains relevant. However, the CAC has, in practice, treated any platform that previously collected data on minors as a higher-risk applicant, and the review timeline for EdTech issuers has averaged 60–70 working days in 2024.

Actionable Takeaways for Issuers and Sponsors

  1. Conduct a data classification audit under the DSL and PIPL at least six months before the intended listing filing date, identifying all “important data” and “core data” within the group’s PRC entities, and document the audit results in a format acceptable to the CAC.

  2. For any issuer with a consumer-facing platform exceeding one million total users (not MAU), file a cybersecurity review application or a “no review required” request with the CAC before submitting the CSRC overseas listing filing, as the CSRC will not accept the filing without proof of CAC clearance.

  3. In a VIE structure, ensure that each PRC VIE entity separately assesses its data processing activities and that the review application names each entity that meets the CIIO or data volume threshold, with the offshore issuer listed as a “relevant party.”

  4. Budget for a minimum of 45 working days for the initial CAC review and an additional 45–90 working days if the issuer operates in a sector designated as CII (finance, energy, telecom, healthcare) or processes “important data,” with the total timeline potentially reaching 135–180 working days from application to clearance.

  5. Engage a PRC-qualified data security law firm with prior CAC review experience to prepare the application materials, as the CAC has rejected applications from firms without demonstrated expertise in cybersecurity review filings, and the rejection carries a six-month cooling-off period before re-filing is permitted.