Under the new rules Chinese NPOs holding more than 1 million individuals’ personal information must apply for a cybersecurity review prior to listing abroad.

By Hui Xu, Kieran Donovan, and Bianca Lee

On February 15, 2022, the Cybersecurity Review Measures (2021) (CRM 2021, unofficial English text available here) took effect. CRM 2021 was promulgated on December 28, 2021, by the Cyberspace Administration of China (CAC) and 12 other Chinese central authorities, including the Ministry of State Security, the Ministry of Industry and Information Technology (MIIT), and the China Securities Regulatory Commission (CSRC). The CAC published the first draft of CRM 2021 on July 10, 2021, for public comments, and published the final version on January 4, 2022. The CAC cites the Data Security Law (DSL) as the legal basis for the authority of CRM 2021.

The promulgation of CRM 2021 marks a step forward in China’s strict regulation of Chinese companies’ overseas listing and adds another hurdle to companies’ listing process. However, as the CSRC has repeatedly emphasized to the media, the Chinese government has no intention of banning Chinese companies from listing overseas, but rather wants to strengthen regulation from a national security and data security perspective.

See Latham’s Client Alert for a detailed discussion of CRM 2021, the new requirements that it introduces, and what Chinese companies will need to focus on when considering an overseas listing.