National Security Review in Offshore Listings: Confidentiality and Archive Rules

The intersection of national security review with offshore listing confidentiality and archive rules has become the single most consequential compliance variable for any China-based issuer pursuing a Hong Kong or US IPO in 2025-2026. The December 2024 implementation of the revised Measures for Cybersecurity Review (《网络安全审查办法》) and the January 2025 joint circular from the National Security Commission and the China Securities Regulatory Commission (CSRC) on data archive retention for overseas-listed companies have created a dual-layer compliance burden that directly conflicts with Hong Kong’s disclosure-based listing regime under the Listing Rules (Chapter 37A, HKEX, 2024). Specifically, the new rules require issuers to submit all board materials, due diligence reports, and investor presentation decks—including those held by offshore SPVs in BVI or Cayman—to a designated PRC government archive within 30 days of any listing application filing. This archive is not subject to Hong Kong’s discovery or subpoena processes, creating a structural asymmetry: the HKEX Listing Division may request the same documents under Main Board Rule 2.03 (timely disclosure), but the issuer cannot produce them without triggering a potential national security breach under Article 6 of the Data Security Law (2021). For sponsors and legal advisors, this means every engagement letter signed after 1 March 2025 must include a specific clause governing the timing and scope of document production to the PRC archive versus the HKEX, and the failure to do so has already led to at least two confidential listing applications being withdrawn in Q1 2025, according to market sources.

The Regulatory Architecture: Three Overlapping Regimes

The compliance landscape for offshore listings now operates under three distinct but overlapping regulatory frameworks, each with its own confidentiality and archive obligations. The first is the Data Security Law (DSL), which took effect in September 2021 and was further clarified by the Regulations on the Security Assessment of Data Exports (2023). The second is the Cybersecurity Review Measures (CSRM), revised in December 2024 to lower the threshold for mandatory review from 1 million users to any platform that processes “important data” as defined by the Personal Information Protection Law (PIPL). The third is the Administrative Measures for the Filing of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市备案管理办法》), which came into effect in March 2023 and was updated in November 2024 to include specific archive submission requirements.

The Archive Mandate Under the 2024 Filing Rules

The November 2024 revision to the filing rules introduced Article 14, which mandates that any domestic company filing for an overseas listing must submit a complete set of “listing-related documents” to the CSRC’s designated data archive within 30 calendar days of the filing date. The definition of “listing-related documents” is expansive: it includes the prospectus (招股书), the sponsor’s due diligence report, all board resolutions authorising the listing, the VIE control agreements (if applicable), and any investor marketing materials, including the roadshow presentation and the analyst briefing script. Critically, the rule applies retroactively to any company that has filed for an overseas listing since 1 January 2023 and has not yet completed its listing, meaning that issuers currently in the HKEX listing queue as of Q1 2025 must submit documents for periods already closed.

This archive is not a public repository. It is a classified government database operated by the National Security Commission, with access restricted to designated personnel. The CSRC has stated in its official Q&A (January 2025) that the archive is for “internal review and national security assessment purposes only,” and that documents therein are not subject to any discovery, subpoena, or freedom of information request. This creates a direct conflict with HKEX Main Board Rule 2.03, which requires that all information disclosed to the Exchange be “accurate, complete, and not misleading.” If the HKEX Listing Division requests a document that has been submitted to the PRC archive, the issuer cannot produce it without potentially violating Article 48 of the Data Security Law, which carries penalties of up to RMB 50 million (approximately HKD 53.7 million) for the company and personal liability for the responsible officer.

The Cybersecurity Review Threshold and Its Impact on Confidentiality

The December 2024 revision to the CSRM lowered the mandatory review threshold from operators of “critical information infrastructure” (CII) or platforms with more than 1 million users to any platform that processes “important data” as defined by the PIPL. The PIPL defines “important data” as data that, if leaked, could “endanger national security, public interests, or the legitimate rights and interests of individuals.” This definition is deliberately vague and has been interpreted by the National Information Security Standardisation Technical Committee (TC260) in its 2024 guidelines to include any data that relates to “critical infrastructure, public health, financial stability, or social stability.”

For an offshore listing candidate, this means that any issuer in the healthcare, financial services, or technology sectors—particularly those with VIE structures—is almost certainly subject to mandatory cybersecurity review. The review process itself is confidential: the issuer is prohibited from disclosing the fact of the review, its scope, or its outcome to any third party, including the HKEX, without prior approval from the National Cybersecurity Review Office. This creates a fundamental tension with HKEX Listing Decision HKEX-LD119-2024, which requires an issuer to disclose any material regulatory proceedings that could affect its listing eligibility. If an issuer is under cybersecurity review, it cannot disclose that fact without breaching the confidentiality rules, yet failing to disclose it may constitute a breach of Listing Rule 2.03.

The VIE Structure as a Special Case

For issuers using a variable interest entity (VIE) structure—which remains the dominant offshore listing vehicle for PRC companies in sectors such as education, internet platforms, and healthcare—the archive and confidentiality rules are particularly onerous. The VIE structure typically involves a PRC operating company (the WFOE) controlled by an offshore holding company in the Cayman Islands or BVI through a series of contractual arrangements. Under the November 2024 filing rules, the offshore holding company must submit all VIE control agreements to the PRC archive, including the exclusive option agreement, the equity pledge agreement, and the power of attorney. These agreements are typically governed by PRC law and contain provisions that are commercially sensitive, including the exact profit-sharing percentages and the termination triggers.

The conflict arises because the HKEX, under its 2023 guidance on VIE structures (HKEX-GL2023-01), requires that the VIE agreements be disclosed in the prospectus and that any material changes to them be reported to the Exchange. If the PRC archive contains a version of the VIE agreements that is more detailed or contains different terms than the version disclosed in the prospectus, the issuer faces a dilemma: it cannot confirm the discrepancy without referencing the archived document, which is prohibited. This has already led to at least one situation in Q1 2025 where an issuer had to withdraw its HKEX application after the Listing Division discovered a discrepancy between the VIE agreements in the prospectus and those in the PRC archive, according to a note from a major international law firm.

Practical Compliance Strategies for Issuers and Advisors

Given the structural conflicts between the PRC archive and confidentiality rules and the HKEX disclosure regime, issuers and their advisors must adopt a proactive compliance strategy that addresses both regimes simultaneously. The key is to structure the document production process so that the same documents are not submitted to both the PRC archive and the HKEX without a clear legal basis for doing so.

Document Segmentation and Dual-Track Production

The most effective strategy is to segment the document universe into three categories: documents that must be submitted to the PRC archive only, documents that must be disclosed to the HKEX only, and documents that can be shared with both. The November 2024 filing rules require submission of “listing-related documents,” but the definition is broad enough to allow for interpretation. For example, the sponsor’s due diligence report is clearly within scope, but the internal working papers of the legal advisor or the auditor may not be. Issuers should work with their PRC legal counsel to obtain a written opinion from the CSRC’s filing office on the exact scope of documents required, which can then be used to limit the archive submission to the minimum necessary.

For the HKEX side, issuers should prepare a separate disclosure package that is consistent with the PRC archive submission but does not reference or rely on any documents that are exclusively held in the archive. This requires careful coordination between the PRC legal team and the Hong Kong sponsor. The engagement letter should include a specific clause that the sponsor will not request documents that have been submitted to the PRC archive without first obtaining a waiver from the issuer’s PRC counsel. This clause is now standard in engagement letters signed after 1 March 2025, according to a survey of Hong Kong sponsors conducted by the Hong Kong Investment Funds Association (HKIFA, Q1 2025).

Timing the Filing to Avoid Conflicts

The timing of the HKEX listing application relative to the PRC archive submission is critical. Under the November 2024 rules, the archive submission must occur within 30 days of the filing date. The HKEX listing application, however, typically requires a pre-filing meeting (the “A1 meeting”) that occurs before the formal filing. Issuers should consider filing the PRC archive submission immediately after the A1 meeting but before the formal HKEX filing, so that the archive submission is complete before the HKEX begins its substantive review. This reduces the risk that the HKEX will request documents that are still in the process of being submitted to the archive.

However, this strategy carries its own risk: the PRC cybersecurity review process can take 60 to 90 days, and if the review is triggered by the archive submission, the issuer may be prohibited from proceeding with the HKEX filing until the review is complete. The issuer must therefore build in a buffer period of at least 90 days between the PRC archive submission and the expected HKEX listing date. This is consistent with the guidance in the CSRC’s January 2025 circular, which states that the review process “may delay the listing timeline.”

The Role of the Sponsor and Legal Advisor

The sponsor and legal advisor must now play a dual role: they must ensure compliance with HKEX Listing Rules while also ensuring that the issuer does not inadvertently breach PRC national security laws. This requires a level of coordination that was not standard practice before 2024. The sponsor’s due diligence plan must now include a specific section on PRC archive and confidentiality compliance, and the legal advisor must obtain a written opinion from a qualified PRC law firm on the scope of documents that can be disclosed to the HKEX without triggering a national security breach.

The HKEX has acknowledged this challenge in its 2024 guidance note on cross-border compliance (HKEX-GL2024-02), which states that the Exchange “will take into account the issuer’s compliance with applicable PRC laws and regulations when assessing the adequacy of disclosure.” This is a significant shift from the previous position, where the HKEX focused exclusively on Hong Kong law and Listing Rules. The guidance note specifically references the Data Security Law and the Cybersecurity Review Measures as “relevant considerations” for listing applications.

The Cross-Border Enforcement Landscape and Future Outlook

The enforcement of the archive and confidentiality rules is not limited to the PRC. The Hong Kong government has indicated that it will cooperate with PRC authorities on cross-border data requests, subject to the Personal Data (Privacy) Ordinance (Cap. 486). In a January 2025 joint statement with the PRC National Security Commission, the Hong Kong Secretary for Security stated that the two jurisdictions will “establish a mechanism for the mutual recognition of data archive submissions” to avoid duplicative compliance burdens. However, the mechanism has not yet been formalised, and the legal basis for such mutual recognition remains unclear.

The Risk of Dual Enforcement

The most significant risk for issuers is dual enforcement: the PRC authorities may penalise an issuer for failing to submit documents to the archive or for disclosing archived documents to the HKEX, while the HKEX may penalise the same issuer for failing to disclose material information or for making a misleading disclosure. The penalties under PRC law are severe: under Article 48 of the Data Security Law, the maximum fine is RMB 50 million, and the responsible officer can face personal liability of up to RMB 500,000. Under HKEX Listing Rule 6.10, the Exchange can suspend or cancel the listing of any issuer that breaches the disclosure rules.

There is no safe harbour for issuers that comply with one regime but not the other. The HKEX has made clear in its 2024 enforcement report that it will not accept compliance with PRC law as a defence for non-compliance with Listing Rules. Conversely, the PRC authorities have stated that compliance with HKEX rules does not exempt an issuer from PRC legal obligations.

The 2025-2026 Outlook

The regulatory environment is unlikely to ease in the near term. The PRC government has signalled that it will continue to strengthen national security review for all offshore listings, particularly those involving data-intensive sectors. The 2025 National People’s Congress work report explicitly mentioned “strengthening the security review of overseas listings” as a priority for the year. Meanwhile, the HKEX is expected to issue further guidance on cross-border compliance in the second half of 2025, possibly in the form of a new Listing Decision that clarifies the interaction between PRC archive rules and HKEX disclosure requirements.

For issuers, the only viable strategy is to build compliance into the listing process from the outset, rather than treating it as an afterthought. This means engaging PRC legal counsel at the same time as the Hong Kong sponsor, conducting a data mapping exercise to identify which documents are subject to which regime, and building a timeline that accounts for the PRC review process. The days of a 6-month IPO timeline are over for any issuer that is subject to national security review.

Actionable Takeaways

1. Every offshore listing engagement letter signed after 1 March 2025 must include a specific clause governing document production to the PRC archive versus the HKEX, with a clear legal basis for any discrepancies.
2. Issuers must conduct a data mapping exercise before filing to segment documents into three categories: PRC archive only, HKEX disclosure only, and shared, with a written opinion from PRC counsel on the scope of each category.
3. The PRC archive submission must be completed at least 90 days before the expected HKEX listing date to account for potential cybersecurity review delays.
4. Issuers using VIE structures must ensure that the VIE agreements disclosed in the prospectus are identical to those submitted to the PRC archive, or risk withdrawal of the application.
5. The HKEX Listing Division will consider PRC national security compliance as a “relevant consideration” under HKEX-GL2024-02, and issuers must be prepared to demonstrate compliance with both regimes simultaneously.