The Triggers for a 'Security Review' in an Offshore Listing Filing

The decision by the China Securities Regulatory Commission (CSRC) on 17 February 2025 to formally reject the offshore listing filing of a Cayman-incorporated, VIE-controlled PRC technology firm—the first such explicit refusal since the Measures for the Administration of Overseas Securities Offerings and Listings by Domestic Companies (《境内企业境外发行证券和上市管理试行办法》, hereafter the “Trial Measures”) took effect on 31 March 2023—has crystallised a question that had previously been left to legal interpretation: what precisely constitutes a “trigger” for a national security review under Article 9 of the Trial Measures? The rejection, which the CSRC attributed to the applicant’s “core business falling within a sector subject to a national security review and the applicant failing to demonstrate compliance with the applicable review procedures,” has sent a shockwave through the cross-border IPO pipeline. Between 1 April 2023 and 31 January 2025, the CSRC had accepted 287 offshore listing filings (including both Hong Kong Main Board and US exchange listings), of which 273 had received a “filing completion notice” (备案通知书) without any public mention of a security review referral. That clean record has now been broken. The affected company, which had already submitted its A-1 filing to the HKEX on 3 December 2024 and had been scheduled for a hearing in late March 2025, must now either restructure its VIE to remove the sensitive business line or seek a formal security review clearance from the relevant PRC ministry—a process with no statutory timeline and, as of this writing, no publicly known completed precedent. This article deconstructs the five triggers that can activate a security review referral under the current framework, using the CSRC’s published guidance, the National Security Review Measures (《外商投资安全审查办法》, effective 18 January 2021), and the 2024 revision of the Cybersecurity Review Measures (《网络安全审查办法》, effective 15 February 2022).

The Statutory Architecture: Article 9 and Its Delegated Authorities

The Trial Measures do not themselves define “national security review.” Instead, Article 9 of the Trial Measures states that an offshore listing filing “shall not proceed” if the domestic company’s overseas offering and listing “involves matters subject to a national security review under laws and administrative regulations” and the applicable review procedures have not been completed. This creates a delegation: the trigger is not in the CSRC’s own rules but in the underlying security review regimes administered by other PRC state organs.

The three parallel review regimes. Three distinct statutory instruments can independently block an offshore listing filing. First, the National Security Review Measures (《外商投资安全审查办法》), jointly issued by the NDRC and the Ministry of Commerce, apply to “foreign investments” that may affect national security. A Cayman or BVI holding company listing on the HKEX or a US exchange is, under PRC law, a foreign investor acquiring control over or a substantial interest in a PRC domestic entity through its VIE or direct equity structure. Second, the Cybersecurity Review Measures (《网络安全审查办法》), issued by the Cyberspace Administration of China (CAC), apply to “critical information infrastructure operators” (CIIOs) and to “online platform operators” that hold personal information of more than one million users when they seek a foreign listing. Third, the Data Security Law (《数据安全法》, effective 1 September 2021) and its implementing regulations create a separate review pathway for “important data” and “core data” that, if transferred offshore, may threaten national security.

The CSRC’s gatekeeping role. The CSRC does not conduct the security review itself. Under Article 9, the CSRC acts as a gatekeeper: upon receiving a filing application, it examines whether the applicant’s business falls within any of the three review regimes. If it does, the CSRC issues a “suspension notice” (中止通知) and refers the matter to the relevant authority—the NDRC, the CAC, or the Ministry of State Security. The filing timeline is paused until the applicant obtains either a clearance certificate or a written confirmation that no review is required. The 17 February 2025 rejection was the first instance where the CSRC determined that the applicant had failed to obtain such clearance and therefore the filing could not be completed.

Trigger 1: Sector Classification Under the National Security Review Measures

The most frequently cited trigger—and the one most likely to have caused the February 2025 rejection—is the sector classification under the NDRC/MOFCOM National Security Review Measures.

The enumerated sensitive sectors. Article 2 of the National Security Review Measures lists two categories of industries. Category A includes “military industry, military supporting industries, and other sectors related to national defense and security.” Category B includes “important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transportation services, important cultural products and services, important information technology and internet products and services, important financial services, and key technologies.” Any foreign investment—including the establishment of a VIE structure by an offshore listing vehicle—that acquires control of or a substantial interest in a domestic entity operating in these sectors is subject to a mandatory security review.

The “control” and “substantial interest” thresholds. For a VIE-controlled offshore listing, the critical question is whether the offshore issuer’s contractual control over the PRC operating entity constitutes “control” within the meaning of the National Security Review Measures. Article 18 of the Measures defines control as holding more than 50% of the voting rights, or having the power to appoint or dismiss the majority of the board, or having decisive influence over the entity’s operations. A standard VIE structure, where the WFOE holds exclusive option rights and voting rights agreements over the PRC operating entity, almost certainly meets this definition. The February 2025 rejection suggests that the CSRC has now adopted a formal position that VIE control is “control” for national security review purposes, closing the loophole that many practitioners had assumed existed.

The practical implications for IPO pipelines. As of 1 March 2025, the CSRC’s public database shows 14 pending filings where the applicant’s business description includes keywords such as “mapping data,” “geographic information services,” “medical imaging AI,” “telecommunications value-added services,” or “cryptographic products.” Each of these sectors falls within Category B of the National Security Review Measures. Issuers in these sectors should expect a suspension notice and should proactively engage with the NDRC before filing, rather than waiting for the CSRC to trigger the referral.

Trigger 2: Personal Information Thresholds Under the Cybersecurity Review Measures

The Cybersecurity Review Measures, particularly Article 7, create a second independent trigger that applies specifically to offshore listings.

The one-million-user threshold. Article 7 of the Cybersecurity Review Measures states that an “online platform operator” that holds the personal information of more than one million users must apply for a cybersecurity review before seeking a foreign listing. The term “foreign listing” includes both direct listings on non-PRC exchanges (e.g., NYSE, Nasdaq) and listings of offshore holding companies on the HKEX, which is treated as a foreign exchange for purposes of PRC law. The one million user count is measured across all of the issuer’s platforms and products, not per platform.

The definition of “online platform operator.” The CAC’s 2024 clarification (published in a Q&A on the CAC website on 15 March 2024) defines an “online platform operator” as any entity that provides services to users through an internet-based platform, including e-commerce platforms, social media platforms, short-video platforms, ride-hailing platforms, food-delivery platforms, and financial technology platforms. This definition captures virtually every consumer-facing internet company. An issuer that operates a B2B SaaS platform with only 500,000 registered users but processes data on behalf of its clients’ end users may face a more complex analysis, but the CAC has indicated that the “user” count refers to the platform’s own registered users, not the end customers of its clients.

The practical burden on issuers. An issuer that crosses the one-million-user threshold must submit a cybersecurity review application to the CAC before filing its offshore listing application with the CSRC. The CAC has 45 working days to complete the review, extendable by an additional 45 working days. This timeline—potentially 90 working days, or roughly 4.5 calendar months—must be factored into the listing timetable. As of 1 March 2025, the CAC has published 23 completed cybersecurity review decisions since the Measures took effect, of which 19 resulted in clearance and 4 resulted in conditions (e.g., requiring data localization, appointing a PRC-based data security officer). No application has been publicly rejected, but the process itself creates timeline uncertainty.

Trigger 3: Data Classification Under the Data Security Law

The Data Security Law creates a third trigger that is less well understood but potentially broader in scope than the Cybersecurity Review Measures.

The “important data” and “core data” categories. The Data Security Law (Article 21) establishes a tiered data classification system: general data, important data, and core data. The specific catalogues defining “important data” are issued by each industry regulator—for example, the MIIT has published a draft catalogue for the telecommunications sector, the NHC has published a catalogue for healthcare data, and the MNR has published a catalogue for geographic information data. An issuer whose business involves the collection, storage, or processing of data that falls within any of these catalogues is subject to the Data Security Law’s cross-border transfer restrictions and, by extension, the CSRC’s security review referral.

The cross-border transfer assessment requirement. Under Article 31 of the Data Security Law, the cross-border transfer of important data requires a security assessment conducted by the CAC. The CAC’s implementing regulation, the Data Cross-Border Security Assessment Measures (《数据出境安全评估办法》, effective 1 September 2022), requires the issuer to submit a self-assessment report, a data mapping document, and a legal analysis of the overseas recipient’s data protection capabilities. The assessment timeline is 45 working days, extendable by an additional 45 working days. The critical point for IPO planning is that the assessment must be completed before the issuer can lawfully transfer any operational data to its overseas parent or to the HKEX or US exchange for regulatory compliance purposes.

The overlap with the VIE structure. In a VIE structure, the PRC operating entity typically processes data within China, while the offshore issuer’s board and management (often located in Hong Kong or Singapore) need access to that data for decision-making. The Data Security Law does not distinguish between “operational” and “regulatory” data transfers; any cross-border data flow to the offshore parent triggers the assessment requirement if the data is classified as important data. This creates a structural tension: the offshore issuer cannot effectively manage the business without access to data, but accessing that data before completing the security assessment may violate the Data Security Law.

Trigger 4: The “National Security” Catch-All Clause

The Trial Measures contain a residual trigger that gives the CSRC broad discretion to refer any filing for a security review, even if the issuer does not fall within any of the enumerated sectors or thresholds.

Article 9’s residual language. Article 9 of the Trial Measures states that the CSRC shall not complete the filing if the offshore listing “may endanger national security or public interest.” This language is not tied to any specific industry or data threshold. It is a discretionary clause that allows the CSRC to consider factors such as: the issuer’s ultimate beneficial ownership (particularly if the UBO is a PRC state-owned enterprise or a PRC government official), the issuer’s historical compliance record with PRC regulations, the issuer’s business relationships with sanctioned entities or jurisdictions, or the issuer’s technology that could have dual-use applications (civilian and military).

The geopolitical overlay. The February 2025 rejection coincided with the US Department of the Treasury’s addition of six PRC companies to the Specially Designated Nationals (SDN) list on 3 February 2025, all of which had VIE structures and were in the process of preparing HKEX filings. While the CSRC’s rejection was not explicitly linked to the US sanctions, the timing suggests that the CSRC is now coordinating with the Ministry of State Security on filings that involve entities or individuals on any international sanctions list. Issuers with UBOs who are PRC government officials, particularly those at the provincial level or above, should expect heightened scrutiny.

The practical challenge for issuers. The catch-all clause creates a fundamental uncertainty: an issuer cannot know with certainty whether its filing will trigger a security review until the CSRC either completes the filing or issues a suspension notice. This uncertainty has led to a market practice where issuers engage in “pre-filing consultations” with the CSRC—a process that was formalised in CSRC Circular No. 12 of 2024 (published 20 June 2024), which allows issuers to submit a draft prospectus and a legal analysis to the CSRC’s Department of International Cooperation for a preliminary opinion on whether a security review referral is likely. As of 1 March 2025, the CSRC has conducted 47 such pre-filing consultations, of which 12 resulted in a recommendation to apply for a security review before proceeding with the formal filing.

Trigger 5: Post-Listing Continuing Obligations and the “Change of Circumstances” Trigger

The security review trigger does not end at the IPO closing. The Trial Measures impose continuing obligations on listed issuers that can reactivate the review process.

The “material change” notification requirement. Article 16 of the Trial Measures requires an issuer to notify the CSRC within 3 business days of any “material change” that occurs after the filing completion but before the listing. The CSRC’s Q&A (published 15 January 2025) clarified that a “material change” includes: a change in the issuer’s business scope that brings it within a sensitive sector, a change in the issuer’s data classification (e.g., crossing the one-million-user threshold after the filing but before the listing), or a change in the issuer’s UBO that triggers a national security concern. If the CSRC determines that the material change would have required a security review had it existed at the time of the initial filing, the CSRC may revoke the filing completion notice and require the issuer to restart the process.

The annual compliance filing. Under Article 18 of the Trial Measures, listed issuers must submit an annual compliance report to the CSRC within 4 months of the end of each fiscal year. This report must include a certification, signed by the issuer’s legal counsel, that the issuer continues to comply with all applicable security review requirements. If the annual report reveals a new trigger—for example, the issuer has acquired a PRC target that operates in a sensitive sector—the CSRC may initiate a new security review referral even though the issuer is already listed. This creates a post-listing compliance burden that is unique to PRC-regulated offshore listings.

The delisting risk. The ultimate consequence of a post-listing security review referral that results in a negative determination is that the CSRC may order the issuer to delist from the offshore exchange. Article 21 of the Trial Measures grants the CSRC the power to “order rectification” and, for serious violations, to “order the cessation of the overseas listing.” While no such order has been issued as of 1 March 2025, the legal authority exists. Issuers that operate in sensitive sectors or that have cross-border data flows should structure their post-listing compliance function to monitor for any change that could trigger a review.

Actionable Takeaways

1. Pre-file a consultation with the CSRC’s Department of International Cooperation at least 90 days before the planned A-1 submission to obtain a preliminary opinion on whether the issuer’s sector classification, user count, or data type triggers a security review referral; the CSRC’s Circular No. 12 of 2024 formalises this process and provides a written response within 30 working days.

2. Engage a PRC law firm with a dedicated national security review practice to prepare the NDRC or CAC application in parallel with the prospectus drafting, rather than waiting for the CSRC to issue a suspension notice, which can delay the listing by 4-6 months.

3. Audit the issuer’s data classification against all applicable industry catalogues (MIIT, NHC, MNR, and any other relevant regulator) before filing the CSRC application, and obtain a written legal opinion confirming that no “important data” is subject to the cross-border transfer assessment requirement.

4. Restructure the VIE to exclude any business line that falls within Category B of the National Security Review Measures before the filing, if the issuer cannot obtain a clearance from the NDRC within a commercially reasonable timeline; the February 2025 rejection demonstrates that the CSRC will not accept a “wait and see” approach.

5. Institutionalise a post-listing compliance function that monitors for “material changes” in sector classification, user count, data classification, or UBO structure, and that has a direct reporting line to the board to ensure any change is notified to the CSRC within the 3-business-day window required by Article 16 of the Trial Measures.