China is introducing new rules on “critical information infrastructure” amid a widespread cybersecurity crackdown, but ambiguity about the term remains. Photo: Shutterstock

China’s top cybersecurity officials seek to calm investor concerns that new regulation could put chill on overseas IPOs

  • Officials from Beijing’s top cybersecurity agencies said a regulation on ‘critical information infrastructure’ does not target foreign businesses or IPOs
  • Probes into Didi and other tech companies have caused speculation about the meaning of the term in question, which is used but not defined in recent laws

China’s top cybersecurity brass assured investors at a government press conference that a new regulation designed to protect the country’s “critical information infrastructure” is not meant to target foreign businesses or overseas initial public offerings.

Officials from the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau and the Ministry of Justice gathered on Tuesday to explain the new “Regulations on Safeguarding Critical Information Infrastructure” that goes into effect next month. It is expected to have a sweeping impact on how companies in sectors such as information, energy and finance manage their data systems in the country.

Companies and legal experts have been waiting for clarity on the concept of critical information infrastructure, which was identified in China’s Cybersecurity Law in 2017 without being clearly defined. Companies with systems considered to be part of such infrastructure bear greater responsibilities for ensuring security and are subject to additional regulatory scrutiny under the law.

China’s cybersecurity probe into ride-hailing giant Didi Chuxing, led by the CAC, has fanned speculation about whether the company’s systems, which contain domestic mapping and user data, fall under these guidelines.

Along with Didi, Full Truck Alliance and Boss Zhipin were also hit with cybersecurity reviews after all three companies listed in New York in June. However, CAC deputy head Sheng Ronghua said at the press conference that the new regulation is not meant to curtail overseas listings.

“For a long period of time, we have been supporting internet companies to raise funds in accordance with laws and regulations,” Sheng said. “No matter the ownership of a business, where it goes public, it has to meet the two conditions of complying with state laws and ensuring the security of critical information infrastructure and personal information.”


“[A company’s] operations won’t be affected [by the regulation] as long as it meets the two conditions,” Sheng added.

Cyberspace security cadres like Sheng rarely make public comments, but they now wield an increasing amount of power over the fate of China’s technology giants as security has taken centre stage in Beijing’s internet management.


Sheng, 59, has only made a few public speeches himself since taking up his current position in May 2019. In a press conference this past May, he said the administration would carry out an annual “cleaning” campaign starting this year to crack down on offences such as “inflated traffic by click farms”, “algorithm abuse” and “historical nihilism”, referring to historical accounts that conflict with Communist Party doctrine, in a bid to create “a clean and clear cyberspace for the people”.

At the press conference on Tuesday, Sheng was joined by Sun Weimin, the head of the cybersecurity coordination bureau at the CAC. The bureau is the primary agency involved in organising and implementing cybersecurity reviews like the one Didi is undergoing. The CAC published an amended version of its cybersecurity regulations last month, and Sun’s bureau is in charge of collecting and reviewing public feedback on it.

Wang Yingwei, the head of cybersecurity at the Ministry of Public Security, also joined the press conference. As China’s top officer in charge of cybercrimes, Wang has rarely made public appearances since he took the position in 2019. Wang, who has a PhD in applied mathematics from Peking University, was known for applying big data analysis to law enforcement during his tenure as deputy police chief in Guizhou province before his promotion.

Wang Yingwei was appointed head of cybersecurity at the Ministry of Public Security in 2019 after becoming known for applying big data analysis to policing in Guizhou province. Photo: ifeng

Sui Jing, the cybersecurity bureau chief at MIIT, was present at the event, as well. Her bureau has also been gaining prominence as Beijing has placed an increasing emphasis on cybersecurity.


While the press conference was light on specifics regarding critical information infrastructure and didn’t mention any company by name, it served as a clear message that Beijing cares a lot about threats to and leaks from the country’s information systems.

“It shows the importance of regulating critical information infrastructure,” said Xia Hailong, a lawyer at Shanghai Shenlun law firm.

This article appeared in the South China Morning Post print edition as: New regulation ‘not targeting foreign businesses’