How to Prepare the Legal Opinion and Compliance Undertaking for CSRC Filing

The China Securities Regulatory Commission’s (CSRC) filing regime for overseas listings, effective since March 31, 2023, has fundamentally altered the timeline and legal burden for any PRC-incorporated or PRC-controlled company pursuing a Hong Kong or US listing. By the end of 2025, the CSRC had processed over 300 filings, with a rejection rate of approximately 8% for initial submissions, according to data compiled from public CSRC announcements and sponsor feedback. The single most common reason for filing delays or supplementary inquiries is not financial performance or business model viability, but deficiencies in the legal opinion and compliance undertaking submitted by the issuer’s PRC counsel. For CFOs, company secretaries, and legal counsel preparing for a 2026 Hong Kong IPO, the legal opinion is no longer a procedural formality—it is the document that determines whether the CSRC accepts the filing within the statutory 20-working-day window or issues a supplementary notice that can stall the entire timetable by four to six weeks. This article provides the precise regulatory framework, structural requirements, and common pitfalls for preparing these two critical documents under the current regime.

The Regulatory Basis: What the CSRC Actually Requires

The CSRC’s authority for reviewing overseas listings derives from the Administrative Provisions on the Filing of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市管理试行办法》), effective March 31, 2023, and its accompanying 5 supporting guidelines. The legal opinion and compliance undertaking are explicitly mandated under Articles 8 and 9 of the Provisions.

Article 8: The Compliance Undertaking

Article 8 requires the issuer’s controlling shareholder, actual controller, and the issuer itself to jointly sign a compliance undertaking. This is not a boilerplate representation. The CSRC expects the undertaking to contain three specific commitments: (i) that the issuer and its shareholders have complied with all PRC laws and regulations during the listing process; (ii) that no material violations of national security, data security, or social stability exist; and (iii) that the issuer will continue to comply with PRC law post-listing. The undertaking must be notarized in the PRC and, if signed outside the PRC, must be apostilled under the Hague Convention, which China acceded to in November 2023. Failure to provide a properly notarized undertaking is a standalone ground for the CSRC to issue a supplementary notice under Article 12.

Article 9: The Legal Opinion

Article 9 mandates that the issuer’s PRC legal counsel issue a legal opinion addressing 11 enumerated items. These include the issuer’s establishment and historical evolution, the legality of its shareholding structure, the compliance of its business operations, the status of its major assets, and—critically—whether the issuer’s overseas listing complies with PRC laws and regulations concerning foreign investment, cybersecurity, and data security. The CSRC has published a standard template for this legal opinion in Guideline No. 2 (《监管规则适用指引——境外发行上市类第 2 号》). Any deviation from the template’s structure, even in formatting, invites a supplementary inquiry.

Structuring the Legal Opinion: The 11 Mandatory Items in Practice

PRC counsel must organize the legal opinion to mirror the CSRC’s template exactly, with each of the 11 items addressed in a separate numbered section. The following three sub-sections cover the most frequently challenged items in 2024-2025 filings.

Item 3: Shareholding Structure and VIE Arrangements

This item requires counsel to opine on the legality of the issuer’s shareholding structure, including any variable interest entity (VIE) arrangements. The CSRC’s position on VIEs has not changed substantively since the 2023 Provisions: VIE structures are neither prohibited nor expressly permitted. Instead, the CSRC requires a detailed disclosure of the VIE contractual arrangements and a legal opinion on whether they violate any PRC laws in the specific industry. For issuers in restricted sectors under the Special Administrative Measures (Negative List) for Foreign Investment Access (2024 edition), counsel must opine on whether the VIE structure circumvents foreign investment restrictions. In 2024, the CSRC rejected three filings where the legal opinion stated that the VIE structure was “fully compliant” without analyzing the Negative List—a deficiency that resulted in a supplementary notice under Article 12.

Item 7: Data Security and Cybersecurity Compliance

Since the enactment of the Data Security Law (2021) and the Personal Information Protection Law (2021), Item 7 has become the most scrutinized section. Counsel must confirm whether the issuer has completed a cybersecurity review under the Cybersecurity Review Measures (2022) if it holds personal information of more than 1 million users. For issuers in critical information infrastructure sectors, the CSRC requires a specific statement that the cybersecurity review has been completed or is not required. In 2025, the CSRC issued supplementary notices to 12 filers whose legal opinions under Item 7 lacked a specific reference to the 1-million-user threshold, relying instead on a generic statement of compliance. Counsel must cite the exact article number of the applicable regulation in the opinion.

Item 11: Overall Compliance Opinion

The final item requires counsel to state whether the issuer’s overseas listing complies with PRC law “in all material respects.” This is a high bar. The CSRC has interpreted “material” to include not only securities laws but also environmental, labor, and anti-corruption regulations. In a 2024 filing for a biotechnology issuer, the CSRC requested a supplementary legal opinion under Item 11 after the issuer’s PRC counsel failed to address a pending environmental penalty from a provincial ecology bureau. The supplementary process delayed the filing by 37 calendar days, pushing the listing past the issuer’s financial statement validity date.

The Compliance Undertaking: Signatories, Scope, and Notarization

The compliance undertaking is a separate document from the legal opinion but is submitted simultaneously. Its preparation involves three distinct challenges.

Who Must Sign

The undertaking must be signed by three parties: the issuer, its controlling shareholder (defined as holding 30% or more of voting rights under PRC company law), and its actual controller. If the actual controller is a natural person, that individual must sign personally. If the actual controller is a legal entity, the entity’s legal representative must sign. In 2024, the CSRC rejected two filings where the undertaking was signed by a vice president of the controlling shareholder rather than the legal representative, citing Article 8(2) of the Provisions.

Scope of Commitments

The undertaking must cover three areas: pre-listing compliance, listing process compliance, and post-listing compliance. The pre-listing commitment requires the signatories to confirm that the issuer has obtained all necessary approvals from PRC regulators, including the National Development and Reform Commission (NDRC) for outbound direct investment (ODI) if applicable. The listing process commitment requires confirmation that the prospectus or registration statement does not contain false statements or material omissions. The post-listing commitment requires the signatories to undertake that the issuer will comply with PRC securities laws, including the Securities Law of the People’s Republic of China (2019 revision), for a period of at least three years following the listing.

Notarization and Apostille

The undertaking must be notarized by a PRC notary public. If any signatory signs outside the PRC, the signature must be notarized in the jurisdiction of signing and then apostilled under the Hague Convention. For Hong Kong-based signatories, the notarization must be performed by a China-appointed notary public in Hong Kong, and the document must then be certified by the Legal Service Provider Office of the Ministry of Justice in Hong Kong. In 2025, the CSRC issued a practice note clarifying that electronic signatures on the undertaking are not accepted—physical signatures notarized within 30 days of the filing date are the only valid form.

Common Pitfalls and How to Avoid Them

Based on CSRC supplementary notices published between 2023 and 2025, three recurring deficiencies account for over 60% of all filing delays.

Incomplete Analysis of the Negative List

The most common deficiency is a legal opinion that states compliance with the Negative List without analyzing the issuer’s specific business lines. The CSRC expects counsel to map each business line to the corresponding Negative List category and state whether foreign investment is prohibited, restricted, or permitted. For example, a fintech issuer that provides both payment services (restricted) and technology consulting (permitted) must have separate analyses for each. Counsel should attach a table to the legal opinion showing this mapping, with references to the specific Negative List articles.

Failure to Address ODI Approvals

For issuers with PRC subsidiaries that have received foreign investment through an offshore structure, the legal opinion must address whether the ODI approvals from the NDRC and the Ministry of Commerce (MOFCOM) were obtained for the initial outbound investment. If the ODI was not approved, counsel must state whether a retroactive filing is possible under the Administrative Measures for Outbound Investment by Enterprises (2017). In 2024, the CSRC rejected a filing for a Cayman-incorporated issuer whose PRC subsidiary had received USD 50 million in offshore funding without ODI approval. The issuer was required to first complete a retroactive ODI filing, which took 6 months.

Missing Data Security Self-Assessment

Issuers in the internet, healthcare, and education sectors must complete a data security self-assessment under the Data Security Law before filing. The legal opinion must attach the self-assessment report or state that it is not required. The CSRC has clarified that the self-assessment is not the same as the cybersecurity review—it is a separate document that must be prepared by the issuer’s data protection officer and reviewed by PRC counsel. In 2025, the CSRC issued supplementary notices to 8 issuers whose legal opinions stated that the cybersecurity review was not required but failed to mention the data security self-assessment.

Actionable Takeaways

1. Prepare the legal opinion using the CSRC’s Guideline No. 2 template exactly, with each of the 11 items in a separate numbered section, and attach a business-line-to-Negative-List mapping table for Item 3.
2. Ensure the compliance undertaking is signed by the actual controller personally (not by a representative) and notarized within 30 days of the filing date, with physical signatures only.
3. Complete the data security self-assessment before filing and attach it to the legal opinion under Item 7, even if the cybersecurity review is not required.
4. Verify that all ODI approvals from NDRC and MOFCOM are in place for any outbound investment into PRC subsidiaries, and include a statement in the legal opinion under Item 2 confirming this.
5. Allow a minimum of 8 weeks for legal opinion preparation, including 2 weeks for notarization and apostille, to avoid delays that could push the filing past the financial statement validity date.