CAC releases final form of revised Cybersecurity Review Measures

China’s internet regulator, the Cyberspace Administration of China (or CAC), waited only a few hours into the new working year before releasing the final form of its revisions to the Cybersecurity Review Measures (CRM). According to the interesting article below, the Hong Kong stock market was immediately jolted back to the previous year’s sense of trepidation.


Put simply, published in July last year, the previous draft of the CRM had left many mainland Chinese issuers looking at overseas listings with questions about their route to market. In particular, the draft proposed that the CAC should have a veto over any “foreign” listing of a business holding more than 1 million individuals' personal information.

Few substantive changes have been made to that draft and the key “1 million individuals” provision has been retained. Admittedly it seems that the scope of businesses caught in the CAC’s net has been reduced to “network platform operators”. However, there is no definition of “network platform” in the CRM!

In addition, the final CRM do not expressly answer the market’s (literally multi-)million dollar question as to whether the Hong Kong Stock Exchange is a “foreign” venue for the purpose of these rules.

Read more

Read our latest DigiLinks post for our analysis on these and other key points spotted in the rules.