China Concept Stocks · 2026-01-30
How to Prepare a Data Security Assessment Report for an Offshore Listing Filing
The number of Chinese companies filing for offshore listings with the CSRC has not declined — it has restructured. In 2024, the CSRC received 235 new filing applications from companies seeking Hong Kong or US listings, a 28% year-on-year increase from 2023, according to the CSRC’s own December 2024 press release. Yet the single largest cause of filing delays and supplementary submissions is not financial disclosure or corporate structure — it is the Data Security Assessment Report (DSAR). Since the effective date of the Measures for the Administration of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市管理试行办法》, or the “Filing Rules”) on 31 March 2023, the DSAR has become a mandatory attachment to the initial filing package for any issuer that collects or processes “important data” or “personal information” of more than 1 million individuals. The CSRC’s 2024 annual filing review report noted that 62% of all supplementary comments issued in Q1–Q3 2024 related to data security and cross-border data transfer compliance. For CFOs, company secretaries, and sponsor counsel preparing a Hong Kong or US listing, understanding how to construct a DSAR that satisfies both the CSRC and the relevant industry regulator (MIIT, NDRC, or the relevant ministry) is no longer optional — it is the gatekeeper to a clean filing.
The Regulatory Framework: Three Pillars of the DSAR Requirement
The DSAR does not exist in isolation. It is the operational document that demonstrates compliance with three overlapping regulatory regimes: the Data Security Law (DSL, effective 1 September 2021), the Personal Information Protection Law (PIPL, effective 1 November 2021), and the Cybersecurity Law (CSL, effective 1 June 2017). The Filing Rules, issued jointly by the CSRC, the Ministry of Finance, and the National Internet Information Office (NIIO), explicitly require that any issuer falling within the scope of Article 2 of the Filing Rules must submit a DSAR as part of its initial filing materials (Article 6 of the Filing Rules). The CSRC’s Guidelines for the Preparation of Filing Documents (2023 version) further specifies that the DSAR must cover three core areas: data classification and grading, cross-border data transfer mechanisms, and a risk assessment of the impact of the offshore listing on national security and public interest.
Data Classification and Grading: The First Gate
The DSL requires all entities to establish a data classification and grading system (Article 21 of the DSL). For a listing applicant, this means the issuer must identify and categorise all data it processes into three tiers: general data, important data, and core data. The definitions of “important data” are sector-specific. For example, the MIIT’s Data Security Management Measures for the Industrial and Information Technology Sector (2023) defines important data in the telecommunications and internet sectors as data that, if leaked, could directly affect national security, economic stability, or public health. The DSAR must include a detailed inventory of all data categories, the legal basis for each classification, and the rationale for why data is not classified as important data if the issuer is not in a regulated sector.
The CSRC’s 2024 supplementary comment data shows that the most common deficiency in this section is the absence of a documented classification methodology. Issuers frequently submit a list of data types without referencing the applicable industry standard or regulation. The DSAR must cite the specific industry regulation that governs the classification — for example, the Financial Data Security Management Measures (PBOC, 2022) for fintech companies, or the Health and Medical Data Security Management Measures (NHC, 2023) for healthcare platforms.
Cross-Border Data Transfer: The PIPL Assessment
The PIPL imposes strict conditions on the transfer of personal information outside China (Article 38 of the PIPL). For issuers that process personal information of more than 1 million individuals, or have transferred personal information of more than 100,000 individuals cumulatively in the prior year, the DSAR must demonstrate that a cross-border data transfer security assessment has been completed or is in progress, pursuant to the Measures for the Security Assessment of Cross-Border Data Transfer (the “Transfer Measures”, effective 1 September 2022). The DSAR must include the assessment’s conclusion, the data categories transferred, the recipient entities (including the offshore listing vehicle, the auditors, and the underwriters), and the contractual safeguards in place.
A 2024 survey by the China Academy of Information and Communications Technology (CAICT) found that 47% of issuers that received CSRC supplementary comments on data security had failed to identify the specific data categories being transferred to their offshore auditors. The DSAR must name the data fields — for example, user identification numbers, transaction records, and geolocation data — and map each field to the legal basis for transfer under the PIPL. For issuers using a VIE structure, the DSAR must also address the data flow between the WFOE and the onshore operating entities, as the PIPL applies to any data processing that occurs within China, regardless of the corporate structure.
National Security Risk Assessment: The CSRC’s Core Concern
The DSAR must include a formal risk assessment of the offshore listing’s potential impact on national security and public interest. This requirement derives from Article 7 of the Filing Rules, which states that the CSRC will review filings to ensure they do not harm national security. The risk assessment must address three scenarios: (1) the possibility that foreign regulators (e.g., the SEC or HKEX) could compel production of data that includes important data or personal information; (2) the risk that the listing vehicle’s governance structure could allow foreign shareholders or directors to access sensitive data; and (3) the impact of any future change of control on data sovereignty.
The CSRC’s 2023–2024 filing review practice indicates that the regulator expects the DSAR to include a mitigation plan for each identified risk. For example, if the issuer’s offshore vehicle is incorporated in the Cayman Islands, the DSAR should note that the Cayman Islands does not have a data access treaty with China, and that the issuer’s constitutional documents should include a data protection clause that prohibits the board from transferring data outside China without CSRC approval. The DSAR must also reference any specific undertakings made to the relevant industry regulator — for instance, a letter of commitment to the MIIT that data will remain onshore.
The DSAR Preparation Process: From Data Mapping to Submission
Preparing a DSAR that will pass CSRC review requires a structured, documented process that typically takes 8–12 weeks for a mid-sized issuer. The process involves three distinct phases: data mapping and classification, risk assessment and mitigation design, and document drafting and internal approval.
Phase One: Data Mapping and Classification
The issuer’s data protection officer (DPO) or equivalent must conduct a comprehensive data mapping exercise across all business lines, IT systems, and third-party service providers. This mapping must identify every data asset, its storage location (onshore or offshore), its classification under the DSL, and the number of individuals whose personal information is processed. For a typical consumer internet platform, this exercise will involve 15–25 distinct data categories, from user registration data to payment transaction logs.
The DSAR must include a data flow diagram that shows the movement of data from collection to processing to storage, including any transfers to third parties such as cloud service providers, payment processors, or analytics vendors. The diagram must identify the legal entity that controls each data processing activity — in a VIE structure, this is typically the onshore operating company, not the Cayman holding company. The CSRC’s 2024 feedback shows that issuers frequently misidentify the controlling entity, which triggers a supplementary comment requiring reclassification.
Phase Two: Risk Assessment and Mitigation Design
Once the data map is complete, the issuer must conduct a risk assessment that evaluates the likelihood and impact of each identified risk. The assessment should follow the methodology set out in the Information Security Technology—Data Security Capability Maturity Model (GB/T 37988-2019), which provides a standardised framework for evaluating data security controls. The DSAR must score the issuer’s current maturity level against the model’s five levels (Level 1: Initial to Level 5: Optimising) and identify gaps.
For each gap, the DSAR must propose a specific remediation measure, with a timeline and responsible party. Common remediation measures include: implementing data encryption at rest and in transit (AES-256 and TLS 1.3), deploying a data loss prevention (DLP) system, and establishing a data access control policy that restricts offshore personnel to anonymised or aggregated data only. The DSAR should also include a copy of the issuer’s data breach response plan, as required by Article 51 of the PIPL.
Phase Three: Document Drafting and Internal Approval
The final DSAR document must be signed by the issuer’s legal representative and sealed by the company. The CSRC requires the DSAR to be submitted in both Chinese and English, with the Chinese version prevailing in case of inconsistency. The document should follow the structure prescribed in the CSRC’s Guidelines for the Preparation of Filing Documents: (1) background and scope of the assessment; (2) data classification and grading; (3) cross-border data transfer analysis; (4) national security risk assessment; (5) remediation measures and timeline; and (6) conclusions and undertakings.
The issuer’s board of directors must pass a resolution approving the DSAR and authorising its submission to the CSRC. The resolution should be attached to the DSAR as an appendix. For issuers that are state-owned enterprises (SOEs) or that process data in regulated sectors (e.g., telecommunications, finance, healthcare), the DSAR must also include a confirmation letter from the relevant industry regulator that the issuer’s data security measures are compliant. The CSRC’s 2024 review data shows that SOEs without this confirmation letter accounted for 18% of all supplementary comments issued in the first half of 2024.
Common Pitfalls and CSRC Supplementary Comments
Analysis of the CSRC’s public filing review feedback from 2023–2024 reveals five recurring deficiencies in DSAR submissions. Each deficiency has a specific regulatory basis and a corresponding remediation strategy.
Deficiency One: Failure to Identify Important Data
The most common deficiency, appearing in 34% of all supplementary comments on data security, is the issuer’s failure to properly classify data as “important data” under the DSL. Issuers in sectors such as logistics, e-commerce, and social media frequently assert that their data is all “general data” without conducting the sector-specific classification required by the relevant ministry. The CSRC’s supplementary comment will typically cite the applicable industry regulation and request a reclassification with a documented methodology.
Remediation: The issuer must engage a qualified data security assessor (a firm registered with the NIIO) to conduct a formal classification using the sector-specific standards. The reassessment must be documented in a supplementary DSAR that replaces the original classification.
Deficiency Two: Incomplete Cross-Border Data Transfer Mapping
Twenty-eight percent of supplementary comments on data security relate to incomplete or inaccurate mapping of cross-border data transfers. Issuers often omit data transfers to offshore auditors, legal counsel, or underwriters, or fail to identify the specific data fields being transferred. The CSRC requires the issuer to name each recipient entity, the legal basis for transfer (e.g., consent, contract necessity, or security assessment), and the contractual safeguards in place.
Remediation: The issuer must update the data flow diagram to include all offshore recipients and attach copies of the data processing agreements (DPAs) with each recipient. The DPAs must comply with the standard contractual clauses (SCCs) prescribed by the NIIO in the Measures for the Standard Contract for Cross-Border Data Transfer (effective 1 June 2023).
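As an added illustration (not part of the article, and not any regulator's or assessor's tooling), the following Python check runs over a constructed data-flow inventory and applies the points from the Phase One data mapping section and from Deficiency Two above: each asset must cite the regulatory basis for its classification tier, the controlling entity should be the onshore operating company rather than the offshore holding vehicle, every offshore recipient needs a named legal basis and an attached DPA, and the PIPL thresholds from the cross-border transfer section decide whether a completed security assessment must be reported. The field names, the sample inventory and the finding wording are assumptions.

```python
from dataclasses import dataclass, field

PROCESSED_THRESHOLD = 1_000_000   # individuals whose personal information is processed
TRANSFERRED_THRESHOLD = 100_000   # individuals whose data went offshore in the prior year

@dataclass
class Transfer:
    recipient: str       # e.g. "offshore auditor" (assumed field names)
    offshore: bool
    legal_basis: str     # consent / contract necessity / security assessment; "" if absent
    dpa_attached: bool   # data processing agreement on the NIIO standard contract

@dataclass
class DataAsset:
    name: str
    tier: str                 # DSL tier claimed for this asset: general / important / core
    basis_citation: str       # sector regulation relied on for the tier; "" if none
    controller_onshore: bool  # True if the onshore operating company controls processing
    transfers: list = field(default_factory=list)

def needs_transfer_assessment(processed, transferred_prior_year):
    # Either PIPL threshold quoted in the article triggers a formal security assessment.
    return processed > PROCESSED_THRESHOLD or transferred_prior_year > TRANSFERRED_THRESHOLD

def review(assets, processed, transferred_prior_year):
    # Return the deficiencies a reviewer would raise for this inventory.
    findings = []
    for a in assets:
        if not a.basis_citation:
            findings.append(f"{a.name}: no cited regulatory basis for tier '{a.tier}'")
        if not a.controller_onshore:
            findings.append(f"{a.name}: controller recorded as an offshore entity")
        for t in (t for t in a.transfers if t.offshore):
            if not t.legal_basis:
                findings.append(f"{a.name} -> {t.recipient}: no legal basis for transfer")
            if not t.dpa_attached:
                findings.append(f"{a.name} -> {t.recipient}: no DPA attached")
    if needs_transfer_assessment(processed, transferred_prior_year) and not any(
            t.legal_basis == "security assessment"
            for a in assets for t in a.transfers if t.offshore):
        findings.append("PIPL threshold exceeded but no offshore transfer relies on a "
                        "completed security assessment under the Transfer Measures")
    return findings

# Constructed sample inventory (not real issuer data).
SAMPLE = [
    DataAsset("user registration data", "general", "MIIT Measures (2023)", True,
              [Transfer("offshore auditor", True, "security assessment", True)]),
    DataAsset("payment transaction logs", "important", "", True,
              [Transfer("offshore underwriter", True, "", False)]),
    DataAsset("geolocation data", "general", "MIIT Measures (2023)", False),
]
```

Calling `review(SAMPLE, 1_200_000, 50_000)` returns four findings for the sample: the missing classification basis and the missing legal basis and DPA on the underwriter transfer for the payment logs, and the offshore controller recorded for geolocation data.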
Deficiency Three: Absence of a National Security Risk Mitigation Plan
Twenty-two percent of supplementary comments on data security request additional detail on the issuer’s mitigation plan for national security risks. Issuers frequently state that they have “no material risks” without providing a structured analysis of the three scenarios required by the Filing Rules.
Remediation: The issuer must conduct a formal risk assessment using the GB/T 37988-2019 framework and produce a mitigation plan that includes specific contractual, technical, and governance measures. The plan must be approved by the board and attached to the DSAR.
Deficiency Four: Lack of Industry Regulator Confirmation
Eighteen percent of supplementary comments on data security request a confirmation letter from the relevant industry regulator for issuers in regulated sectors. Issuers in fintech, healthcare, and telecommunications frequently submit DSARs without this letter, assuming that the CSRC filing is sufficient.
Remediation: The issuer must apply to the relevant industry regulator (e.g., MIIT for telecommunications, PBOC for fintech, NHC for healthcare) for a confirmation letter that the issuer’s data security measures comply with sector-specific requirements. The application process typically takes 4–8 weeks and should be initiated before the CSRC filing.
Deficiency Five: Inconsistent Chinese and English Versions
Eight percent of supplementary comments on data security note inconsistencies between the Chinese and English versions of the DSAR. The CSRC reviews the Chinese version, and any discrepancy — even a minor translation error — can trigger a request for a corrected submission.
Remediation: The issuer must engage a qualified legal translator to produce the English version and have both versions reviewed by the issuer’s PRC legal counsel to ensure consistency. The Chinese version must be the authoritative version, and the DSAR should state this explicitly.
Sector-Specific Considerations: Fintech, Healthcare, and AI
The DSAR requirements vary significantly by sector, and issuers in regulated industries must address additional layers of compliance. The CSRC’s 2024 review data shows that fintech, healthcare, and AI companies receive 2.3 times more supplementary comments on data security than issuers in other sectors.
Fintech and Payment Platforms
Fintech issuers must comply with the PBOC’s Financial Data Security Management Measures (2022), which impose stricter classification requirements for financial data, including transaction records, credit scores, and customer identification data. The DSAR must include a separate section addressing financial data security, with a reference to the PBOC’s data security maturity model. The issuer must also confirm that it has completed the cross-border data transfer security assessment with the PBOC, if applicable, and attach the PBOC’s approval letter.
Healthcare Platforms
Healthcare issuers must comply with the NHC’s Health and Medical Data Security Management Measures (2023), which classify patient health data as important data by default. The DSAR must include a data inventory that identifies all health data categories, the legal basis for processing (e.g., patient consent or public health necessity), and the measures in place to prevent re-identification. The NHC requires that health data remain onshore, and the DSAR must include a contractual undertaking to this effect.
AI and Large Language Model Companies
AI issuers face the most complex DSAR requirements, as they process large volumes of training data that may include personal information or important data. The DSAR must address the source of training data, the data processing pipeline, and the measures in place to ensure that the model does not leak sensitive data. The issuer must also confirm compliance with the Interim Measures for the Management of Generative AI Services (effective 15 August 2023), which require a security assessment of the AI model itself. The DSAR should include a summary of the AI security assessment and the regulator’s approval, if obtained.
Practical Takeaways for Issuers and Advisors
- Start the DSAR process at least 12 weeks before the intended CSRC filing date. The data mapping, classification, and risk assessment phases each require 3–4 weeks, and obtaining industry regulator confirmation can add another 4–8 weeks.
- Engage a qualified data security assessor registered with the NIIO. The CSRC expects the DSAR to be prepared by a firm with relevant experience, and a self-prepared DSAR will likely trigger supplementary comments.
- Include a complete cross-border data transfer map that names every offshore recipient and attaches the relevant DPAs. Omissions in this section are the second most common cause of supplementary comments.
- Obtain the industry regulator’s confirmation letter before the CSRC filing. For issuers in fintech, healthcare, or telecommunications, this letter is a prerequisite for a clean filing.
- Ensure the Chinese version of the DSAR is the authoritative version and is reviewed by PRC legal counsel. Inconsistencies between the Chinese and English versions will result in a request for a corrected submission, delaying the filing process.