Last Saturday morning: what did you have for your breakfast? Chinese Cybersecurity Review Measures may not be the expected answer but, if you were waking up in mainland China, it might have been all you wanted to get your teeth stuck into!

Forward. Post. Forward. Post. Social media accounts of anyone with half an eye on the goings-on in the mainland Chinese digital economy were alive with activity. The Cyberspace Administration of China had released a revised set of Cybersecurity Review Measures for public consultation until 25 July.

A two and a half week consultation period dedicated to 23 articles on the regulatory review of network product and service procurement proposals may not sound like weekend fun (to most people). Yet, those that had clicked into the annex of the regulatory announcement of the draft Measures quickly had their eyes drawn to some standout developments for tech players hopeful on tapping foreign capital markets.

Will the Measures impact foreign listings?

Certainly seems so. Some key points:

  • Expanded scope of application from critical information infrastructure operators to any business operator:
    • that conducts data processing activities which affect or may affect national security; or
    • possesses personal data of more than one million users and is looking to list abroad.


  1. Threshold. One million is a big number in most markets. In mainland China it is not. Some IBD analysts will have done the math better than I, but I think it is fair to say that not many businesses in China will be seeking an overseas listing with a shorter customer list than that.
  2. Hong Kong SAR. Hong Kong Special Administrative Region is part of the People's Republic of China but the legal systems differ. Is the Hong Kong Stock Exchange in or out of "abroad"? Initial thinking is HK listings will be outside of the scope of the Measures, but various stakeholders will no doubt request clarification in the consultation process.
  • Extended timetable for review for special cases (3 months) and complex cases (unspecified). This makes a lot of sense. Many mainland Chinese businesses listing on foreign markets are platforms with multiple business lines - prime example is global household name Alibaba but the list is numerous. Regulators will need time to review materials and make recommendations.

Companies, advisors and investors will need to consider the impact on listing timetables but will also presumably be keen for transparency and two-way communication on progress of reviews and possible timing if cases go beyond the initial 3 months.

  • Disclosure required of the applicant company’s “IPO materials”. In the draft rules, the intended scope of these materials is undefined. 

Questions that arise include:

  1. Do the financial advisors on the IPO need to produce their financial projections? Are underwriters' book-building excels required to be disclosed? 
  2. Do the listing legal counsel (international and domestic) need to provide various bits of advice prepared for the IPO?
  3. Must only the prospectus/offering circular accompany a review application or are other documents submitted to the overseas exchange needed?
  4. Will confidentiality safeguards remain robust? 
  5. What does it mean for client privilege to the extent it would apply in other markets?
  6. From a pure logistics perspective, what form is the submission in (e.g. are translations required where documents are not in Chinese)? 

Will the Measures impact investment in Chinatech?

It is not just wannabe listcos and their existing investors that are thinking about the issues cantered through above. Prospective investors seeking returns from mainland Chinese tech investments are also asking us what else these new measures might mean in practice, if enacted. A sample of enquiries are:

  1. Will investors pull back from Chinatech? 
  2. If there is an adjustment in investment in Chinatech, will it be temporarily or more long-term?
  3. Process-wise, will due diligence on the company need refinement before a well-advised investor commits its pre-IPO capital?

It goes without saying that investors will likely be interested to understand the particular process projected for the cybersecurity review of each target issuer. Depending on the timing of its investment, an investor will be keen to know if reviews have already been completed and, if so, what were the regulators' recommendations (if any) for the company's implementation. Due diligence manuals will need dusting off and updating accordingly.

Lots to think about! See our short bulletin for more details on these measures. 

Could you pass the milk?