Introduction to National Security Review for Overseas Listing

The Trial Measures for the Administration of Domestic Enterprises Overseas Securities Issuance and Listing ("Administration Measures"), issued by the China Securities Regulatory Commission ("CSRC"), became effective on March 31, 2023. The Administration Measures stipulate that domestic enterprises seeking overseas issuance and listing must complete registration with the CSRC within the specified timeframe.

 

In addition to overseas listing registration with the CSRC, the Administration Measures also require domestic enterprises to adhere strictly to laws, regulations, and relevant provisions concerning national security, foreign investment, cybersecurity, and data security. They must complete any necessary national security reviews ("NSRs") before submitting applications for overseas securities issuance and listing.

 

Furthermore, domestic enterprises seeking overseas issuance and listing must, in accordance with relevant competent authorities under the State Council, promptly undertake rectification measures, make commitments, divest business assets, and implement other actions to eliminate or mitigate the impact of overseas issuance and listing on national security.

1. Connection between Overseas Listing Registration with CSRC and NSR Procedures

 

The Administration Measures mandate that domestic enterprises intending to list overseas must complete overseas listing registration with the CSRC [1] and fulfill corresponding obligations regarding NSRs, if applicable [2].

 

Additionally, the Guidelines for the Application of Regulatory Rules—Overseas Issuance and Listing No. 2: Guidelines for the Content and Format of Registration Materials ("Guidelines No. 2") explicitly state that materials required for overseas listing registration with the CSRC include security assessment review opinions issued by relevant competent authorities of the State Council, if applicable [3]. If a company deems such materials inapplicable, it should provide written explanations to the CSRC stating the reasons for not applying the security assessment review opinions [4].

 

Overseas listing registration with the CSRC and NSR procedures are independent, but the latter must be completed before initiating the former. Pursuant to Article 9 of the Administration Measures, if a domestic enterprise intending to go public is subject to NSRs, it must lawfully complete relevant security review procedures before submitting applications for issuance and listing to overseas securities regulatory authorities. As per Article 16 of the Administration Measures, issuers conducting overseas initial public offerings or listings must register with the CSRC within three working days after submitting applications for issuance and listing to overseas securities regulatory authorities. Therefore, domestic enterprises intending to go public must provide written explanations stating the inapplicability of security review opinions or obtain written opinions from NSR regulatory authorities confirming no NSRs are necessary before conducting overseas listing registration with the CSRC.

2. Legal Regulatory System for NSRs

 

NSRs closely related to domestic enterprises' overseas listings primarily encompass the fields of foreign investment, cybersecurity, and data security. The main laws and relevant provisions involved are outlined as follows:

3. NSRs in Different Fields Concerning Overseas Listing

 

I. Foreign Investment

 

In the context of domestic enterprises engaging in overseas listings, the NSR concerning foreign investment is primarily regulated by the FISR Measures. The main provisions are as follows:

In accordance with the aforementioned provisions and in conjunction with the Administration Measures, domestic enterprises seeking overseas issuance and listing should:

 

(1) Assess whether their business activities and scope fall within areas related to national defense security, such as military industry, military support, and areas near military and military-related facilities; if so, they should submit an NSR declaration in accordance with the FISR Measures before listing (regardless of whether foreign investors obtain control).

 

(2) If the aforementioned areas are not involved but the business falls within the Category II mentioned above, an NSR declaration under the FISR Measures is required before listing if foreign investors acquire actual control over the domestic enterprise.

 

(3) If uncertain whether the investment falls within the scope of FISR Measures, inquiries can be made to the FISR Office regarding specific project details. Contact information can be found in the NDRC's Announcement No. 4 of 2019.

II. Cybersecurity

 

In the context of domestic enterprises' activities in overseas listings, the NSR related to cybersecurity is primarily governed by the Measures for Cybersecurity Review. The key provisions are as follows:

In accordance with the provisions of the Administration Measures, enterprises intending to list overseas should assess whether they need to undergo cybersecurity review based on factors such as their business scope, form, and the amount of personal information they possess. If required, they must clear cybersecurity review with the Cybersecurity Review Office before conducting overseas listing registration with the CSRC.

 

It is worth noting that the overseas listing procedure itself does not trigger obligations for cybersecurity review, except for online platform operators holding personal information of more than one million users seeking overseas listing. In the context of overseas listing, for domestic enterprises to trigger the obligation for a cybersecurity review, they need to meet all three of the following conditions:

 

(1) The domestic enterprise identifies itself as an “operator of online platforms.” Although currently effective laws and regulations do not define operators of online platforms, reference can be made to Article 73 of the Regulations on Cybersecurity Management of Network Data (Draft for Solicitation of Comments) for guidance. According to this provision, online platform operators are data processors offering various online platform services to users, including information publishing, social networking, transactions, payments, audiovisual services, etc. For instance, Global Mofy Metaverse Limited stated in its prospectus, “as we are not considered operators of online platforms and do not hold personal information of over one million users, we are not required to undergo cybersecurity review in accordance with the Measures for Cybersecurity Review.”

 

(2) The domestic enterprise holds personal information of over one million users. While the Measures for Cybersecurity Review do not clearly stipulate the calculation and measurement standards for determining the aforementioned one million users' personal information, in practice, the number of personal information subjects is typically used for calculation rather than the number of personal information items.

 

(3) The enterprise intends to go public overseas. Although the Measures for Cybersecurity Review do not explicitly define “going public overseas,” Article 13 of the Regulations for the Administration of Network Data Security (Draft for Solicitation of Comments) issued by the CAC during the same period distinguishes between “going public overseas” and “listing in Hong Kong.” In practice, when domestic enterprises opt for a Hong Kong listing, they may refer to this provision to assert that they are not subject to cybersecurity review. For instance, DiDa Travel Co., Ltd. mentioned in its prospectus, “although we hold personal information of over one million users, as we are seeking a listing in Hong Kong rather than overseas, the Measures for Cybersecurity Review do not apply to us.”

III. Data Security

 

In the context of domestic enterprises' activities in overseas listings, the NSR related to data security is primarily governed by the Measures for the Security Assessment of Outbound Data Transfer. The key provisions are as follows:

It is important to note that the act of data export itself does not automatically invoke the requirement for a data export security assessment. Only specific instances of data export meeting one of the aforementioned three conditions will trigger the obligation for such an assessment.

 

Additionally, the mere application by domestic enterprises for overseas listing typically does not mandate a data export security assessment. In the context of domestic enterprises' overseas listings, while data export may occur—such as providing company information, organizational structure, financial data, etc., to overseas professional intermediary agencies or regulatory authorities due to regulatory requirements, information disclosure, or business needs—this information usually does not include personal information, sensitive personal information, or important data as stipulated by the Measures for the Security Assessment of Outbound Data Transfer. Therefore, the listing process itself generally does not necessitate a data export security assessment.

 

However, if the domestic enterprise intending to list overseas is deemed a CIIO and its business involves providing personal information overseas, regardless of whether such data constitutes important data or whether the quantity of personal information meets certain criteria, the obligation for a data export security assessment must be fulfilled.

 

In summary, domestic enterprises should assess whether they are obligated to undergo a data export security assessment based on factors such as their business scope, industry attributes, status, scale, business forms, and the types and quantities of data exported. If this obligation is triggered, they should allocate sufficient time for declaration to avoid any disruption to the overseas listing process.

Footnote:

 

[1] Article 13 of Administration Measures

[2] Article 9 of Administration Measures

[3] Article 9 of Administration Measures

[4] Guidelines No. 2 stipulates that when a domestic entity applies for overseas listing registration with the CSRC, the following filing materials are required: (1) Documents attached to the filing report and commitment filing report; (2) Regulatory opinions, filings, or approvals issued by competent industry authorities, etc. (if applicable); (3) Security assessment review opinions issued by the relevant competent department of the State Council (if applicable); (4) Legal opinions issued by domestic law firms; and (5) Prospectus or listing documents.

Author:

Kevin Zhan

Managing Partner

zhanli@chonglilaw.com

 

Areas of practice: Investment and Mergers & Acquisitions, Commercial Dispute Resolution, and Capital Markets

END

 

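About Chongli

Chongli Law Firm is a law firm focused on investment and mergers & acquisitions, commercial dispute resolution, securities, and equity incentive matters. Since our founding, we have established an effective corporate-style management model and a closely knit teamwork mechanism. Our partners and lawyers graduated from leading universities in China and abroad, such as the University of Hong Kong, the University of California, Berkeley, Southwest University of Political Science and Law, Xiamen University, Dalian University of Technology, Northwest University of Political Science and Law, and Ocean University of China. Three lawyers have studied overseas, including in the United States and Hong Kong, China. Some partners and lawyers have experience both as in-house counsel at large domestic groups and at first-tier law firms. We put clients first and practice the service philosophy of "professional, efficient, meticulous, diligent."

Special Statement

The information and articles published by this WeChat official account are for exchange and discussion purposes only and do not represent any legal opinion issued by Chongli Law Firm ("the Firm" or "we"). The Firm bears no responsibility for any judgment or decision (whether an act or an omission) made on the basis of all or part of this article, or for any legal consequences arising from it. If you need legal advice or legal services, please contact us. To reprint or quote any content of these articles, please contact us by private message.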

 
