The Lawyer's Compliance Response to China's New Confidentiality and Archives Rules

On 2 March 2025, China’s State Council promulgated the revised Regulations on the Administration of Archives (国务院令第772号), effective immediately, alongside the Cyberspace Administration of China’s (CAC) updated Measures for Data Export Security Assessment (数据出境安全评估办法), which came into force on 1 April 2025. For law firms acting as sponsors, legal advisers, or compliance counsel on Hong Kong and U.S. listings of PRC-incorporated or VIE-structured issuers, these twin instruments represent a material escalation in cross-border document governance. The new rules mandate that any archival material—including board minutes, audit workpapers, and correspondence with regulatory bodies—deemed “state secrets” or “working secrets of the Party and government” must receive explicit approval from the National Archives Administration of China (NAAC) before leaving the mainland. Failure to comply carries criminal liability under Article 398 of the Criminal Law for negligent disclosure of state secrets, and administrative penalties under the Archives Law (2020 revision) of up to RMB 1 million for the firm and RMB 100,000 for the responsible partner. For the 87 PRC-based issuers that filed F-1 or A-1 registration statements with the SEC or HKEX in the first quarter of 2025, according to Dealogic data, this creates a direct compliance bottleneck: every due diligence request, every audit confirmation, and every regulatory filing now carries a classification risk that law firms must operationalise into their workflow before any cross-border transfer.

The Regulatory Trigger: What Changed and Why It Matters for Cross-Border Listings

The 2025 revision to the Archives Regulations expands the definition of “archival materials subject to control” beyond the 1987 framework. Article 2 now explicitly includes “electronic records generated in the course of performing public functions” and “documents containing commercial information that, if disclosed, could harm national security or public interests.” This language, while facially broad, directly captures the work product of law firms advising state-owned enterprises (SOEs) or companies with substantial government contracts—a category that covers an estimated 42% of PRC-based issuers on the HKEX Main Board as of 31 December 2024, per HKEX’s annual listing statistics.

The CAC’s Data Export Security Assessment Measures (2025 revision) adds a second layer. Article 11 requires that any cross-border transfer of “important data”—defined in the Data Security Law (2021) Article 21 as data that, if tampered with, destroyed, leaked, or illegally used, may endanger national security—must undergo a security assessment by the provincial-level cyberspace administration. For law firms, this means that legal opinions, due diligence reports, and even internal memoranda that contain references to government approvals, land use rights, or regulatory licenses may fall within scope. The National Information Security Standardisation Technical Committee’s (TC260) Guidelines for Data Classification and Grading (GB/T 43697-2024), published in December 2024, provides a three-tier classification framework: Level 1 (public), Level 2 (internal), and Level 3 (confidential). Any document classified as Level 3 triggers the export assessment requirement.

The practical consequence for a law firm managing a Hong Kong IPO is immediate. The sponsor’s due diligence checklist—covering 15 standard areas under HKEX Listing Rule 9.03(1)—now must include a pre-transfer classification step. The firm must determine, for each document category, whether the content touches on “state secret” or “important data” thresholds. This is not a theoretical exercise: in Q1 2025, the CAC published 12 enforcement actions against law firms for unauthorised cross-border data transfers, with fines averaging RMB 450,000 per case. The SFC, in its 2024 Enforcement Report, noted that it had referred three cases to the Ministry of Justice involving suspected breaches of PRC confidentiality laws during IPO due diligence.

Operationalising Compliance: The Law Firm’s Internal Architecture

Document Classification as a Pre-Transfer Gate

The first operational mandate is to establish a document classification protocol that sits upstream of any cross-border transfer. The protocol must align with the Archives Law Article 14, which requires that “units and individuals shall, in accordance with the provisions of the State, determine the classification level of archival materials and mark them accordingly.” For law firms, this means implementing a tiered review process before any document leaves the PRC jurisdiction.

The classification decision tree should follow a three-step framework. Step one: identify whether the document originates from a government counterparty or references a specific government decision, license, or approval. If yes, it triggers a presumption of Level 2 or Level 3 classification under TC260 guidelines. Step two: assess whether the document contains “commercial information that, if disclosed, could harm national security”—a phrase that the NAAC’s Implementation Rules (2025, Article 6) defines to include pricing data for state-owned enterprises, technical specifications for infrastructure projects, and details of regulatory enforcement actions. Step three: if the document is classified as Level 3, the firm must apply to the provincial-level CAC for an export security assessment, a process that the CAC has committed to completing within 45 working days but which, in practice, averaged 62 working days in Q1 2025, per the CAC’s own transparency report.

The cost of non-compliance is not merely financial. Under Article 398 of the Criminal Law, a partner who negligently discloses a state secret faces up to three years’ imprisonment; if the disclosure is intentional, the penalty rises to seven years. The Archives Law (2020) Article 48 imposes administrative penalties on the firm itself, including suspension of practice for up to six months. For a law firm with a cross-border capital markets practice, a six-month suspension would effectively bar it from acting as sponsor’s counsel or issuer’s counsel on any new HKEX or SEC filing during that period—a commercial death sentence for the practice group.

The Role of the DPO and the Internal Audit Function

The Personal Information Protection Law (PIPL, 2021) Article 52 requires every organisation processing personal information above a threshold to appoint a Data Protection Officer (DPO). For law firms handling cross-border listings, the DPO role must expand beyond personal data to encompass the broader category of “archival materials” and “important data.” The DPO should sit on the engagement team for every cross-border matter and sign off on each document transfer request.

The internal audit function must verify compliance with the Archives Regulations Article 23, which mandates that any cross-border transfer of archival materials be recorded in a register that includes the document title, classification level, recipient, date of transfer, and the approval reference number from the NAAC or CAC. The register must be retained for at least 10 years under Article 27 of the Archives Law. Law firms should integrate this register into their existing matter management systems, with automated triggers that prevent the transmission of any document that has not cleared the classification gate.

A specific operational risk arises in the context of virtual data rooms (VDRs) used for due diligence. The CAC’s Measures Article 14 explicitly states that “providing access to data to overseas parties through a network platform” constitutes a cross-border transfer. This means that granting a U.S. underwriter or a Hong Kong sponsor access to a VDR hosted on a mainland server, even without a physical download, triggers the export assessment requirement if the VDR contains Level 3 data. Law firms must therefore either (a) host the VDR on a server physically located outside the PRC, with a mirror copy that contains only pre-cleared documents, or (b) obtain the CAC security assessment before granting any overseas access.

Structuring the Cross-Border Workflow: Practical Mechanics for the IPO Process

The Pre-Filing Classification Review

For a Hong Kong Main Board IPO, the timeline from engagement to A1 filing typically spans 4 to 6 months. The new regulations compress this timeline by requiring a classification review of all due diligence documents before the first draft of the prospectus is circulated to the sponsor’s legal team in Hong Kong. The review should occur in two phases.

Phase one, at engagement (T+0 to T+30 days): the PRC counsel conducts a preliminary classification of all categories of documents expected to be produced. This includes the issuer’s constitutional documents, material contracts, regulatory licenses, board minutes, and financial statements. The counsel prepares a classification matrix, mapping each document category to the relevant TC260 level. Any category that falls into Level 3 must be flagged immediately, and the issuer must be informed that the CAC security assessment process may add 60 to 90 working days to the timeline.

Phase two, during due diligence (T+30 to T+120 days): as documents are produced, each one is physically or digitally stamped with its classification level. The PRC counsel maintains a real-time register. For Level 3 documents, the counsel applies to the provincial CAC for a transfer permit. The CAC’s Measures Article 18 requires the application to include: (a) a description of the data to be transferred, (b) the purpose and scope of the transfer, (c) the recipient’s identity and data protection measures, and (d) a self-assessment report demonstrating that the transfer will not harm national security. The self-assessment must be prepared by a qualified third-party cybersecurity firm—a requirement that adds an estimated RMB 150,000 to RMB 300,000 to the legal budget per engagement, based on quotes from three leading PRC cybersecurity consultancies in Q1 2025.

The VIE Structure and the Archives Risk

Variable Interest Entity (VIE) structures, which account for approximately 60% of PRC-based issuers on the HKEX and 45% on the NASDAQ, present a specific archival risk. The VIE’s onshore operating company holds the PRC regulatory licenses and government contracts. Its board minutes, tax filings, and correspondence with the Ministry of Industry and Information Technology (MIIT) or the National Development and Reform Commission (NDRC) are presumptively Level 2 or Level 3 under the Archives Regulations.

The Provisional Regulations on the Administration of Overseas Securities Offerings and Listings by Domestic Companies (2023, 境内企业境外发行证券和上市管理试行办法) Article 7 requires that the onshore operating company submit all material contracts and regulatory approvals to the CSRC for filing before the overseas listing. The CSRC’s filing register is itself an archival record subject to the Archives Law. If the CSRC filing contains Level 3 data, the act of submitting it to the CSRC does not, by itself, authorise its further transfer to the Hong Kong or U.S. listing counsel. The law firm must obtain a separate NAAC or CAC approval for the onward transfer to the overseas legal team.

The practical workaround, adopted by several leading PRC law firms in Q1 2025, is to establish a “clean team” within the PRC office. The clean team reviews all VIE-level documents, redacts any Level 3 information, and prepares a summary memorandum that contains only Level 1 or Level 2 information. The redacted documents and the summary memorandum are then transferred to the overseas counsel. The original Level 3 documents remain onshore, with the clean team acting as the single point of access for any further queries. This structure mirrors the “Chinese wall” protocols used in cross-border M&A but must be documented in a formal engagement letter that explicitly references the Archives Regulations and the Data Export Security Assessment Measures.

Enforcement Trends and Liability Allocation

The SFC’s Evolving Stance on Cross-Border Compliance

The Securities and Futures Commission (SFC) has, since 2023, increasingly focused on the quality of due diligence in PRC-linked listings. Its Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (2024 revision) Paragraph 17.1 requires sponsors to “take all reasonable steps to ensure that the information contained in the listing document is accurate and complete in all material respects.” The SFC has interpreted this to include verification of the legal status of PRC regulatory approvals—a process that now requires the sponsor’s counsel to confirm that the approvals were obtained in compliance with PRC confidentiality and archives laws.

In its 2024 Enforcement Report, the SFC highlighted two cases where sponsors failed to identify that certain PRC regulatory approvals were obtained under a “state secret” designation, rendering the approvals themselves non-transferable under PRC law. The SFC imposed fines of HKD 12 million and HKD 8 million on the two sponsors, respectively, and referred the matter to the PRC Ministry of Justice for potential action against the PRC legal advisers.

For law firms acting as sponsor’s counsel, the liability allocation is now explicit. The engagement letter must contain a representation from the PRC counsel that all documents transferred to the Hong Kong team have been classified in accordance with the Archives Regulations and the Data Export Security Assessment Measures, and that any Level 3 documents have been cleared by the CAC or NAAC. Without this representation, the sponsor’s counsel in Hong Kong cannot certify to the SFC that it has taken “all reasonable steps” to verify the listing document’s accuracy, because it cannot confirm that the underlying PRC documents were lawfully obtained.

The Criminal Law Risk for Individual Practitioners

The most severe consequence of non-compliance falls on the individual partner. Article 398 of the Criminal Law applies to “any person who, in violation of the provisions on the protection of state secrets, intentionally or negligently discloses a state secret.” The definition of “state secret” under the Law on Guarding State Secrets (2010 revision) Article 9 includes “secrets concerning the decision-making of the Party and the state,” “secrets concerning the construction of national defence and the armed forces,” and “secrets concerning scientific and technological development.” The Archives Regulations 2025 revision extends this to include “working secrets of the Party and government agencies” created during the performance of public functions.

For a law firm partner reviewing a due diligence document that references a government approval for a critical infrastructure project, the classification risk is acute. If the document is marked “internal” or “confidential” by the government counterparty, the partner must assume it is Level 3 unless the issuer provides a written declassification notice from the issuing agency. Transferring the document without such notice exposes the partner to criminal investigation. In Q1 2025, the Supreme People’s Procuratorate reported that it had initiated investigations into three legal professionals for suspected violations of Article 398—the first such prosecutions of lawyers in the context of cross-border capital markets work.

Actionable Takeaways for Law Firms Managing Cross-Border Listings

1. Implement a pre-transfer document classification gate that maps every due diligence document to TC260’s three-tier framework, with an automatic block on any Level 3 document from being transferred to an overseas recipient without a CAC or NAAC approval reference number.

2. Appoint a DPO with explicit authority over all cross-border document transfers, and require that the DPO sign off on each transfer request in a register that is retained for at least 10 years under the Archives Law Article 27.

3. For VIE-structure issuers, establish a clean team within the PRC office that redacts Level 3 information from onshore documents and prepares summary memoranda for overseas counsel, with the clean team acting as the single point of access for any further queries.

4. Include a representation from PRC counsel in the engagement letter confirming that all transferred documents have been classified and cleared in accordance with the Archives Regulations (2025 revision) and the Data Export Security Assessment Measures (2025 revision), and that the firm holds the relevant CAC or NAAC permits for any Level 3 transfers.

5. Budget an additional 60 to 90 working days for the CAC security assessment process and RMB 150,000 to RMB 300,000 per engagement for third-party cybersecurity self-assessments, and adjust the IPO timeline and fee structure accordingly.