Chinese tech giants to face cybersecurity reviews for IPOs in Hong Kong, but rules more lenient than foreign listings
- A draft regulation from the Cyberspace Administration of China clarifies rules for listing in Hong Kong, but keeps them separate from foreign IPOs
- Tech companies seeking overseas IPOs were forced to reassess options this year under cybersecurity review rules for companies with data on 1 million users

China will impose a cybersecurity review on mainland companies seeking initial public offerings in Hong Kong on national security grounds, according to a draft regulation released on Sunday, adding a new layer of oversight for Chinese tech giants from ByteDance to Didi Chuxing if they choose to sell shares in the city.
The Cyberspace Administration of China (CAC), the country’s top cybersecurity authority, released the draft regulation titled “Network Data Security Management Regulations” for public consultation through December 13, with the final version being subject to change. The regulation stipulates that “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check.
The draft is the first time the Chinese government has clarified that some IPOs in Hong Kong will be subject to a data security screening. New rules earlier this year required such a review for foreign IPOs of some companies, but the rules for Hong Kong were unclear. The new regulation could introduce an additional regulatory layer for listing in the city.
The proposed regulation does not specify the criteria for what would raise national security concerns, but explanatory notes list a wide range of “important data” that could qualify, including unpublished government data, data on key technologies and scientific research, data on the economy and key sectors such as telecoms, finance and energy, as well as data regarding national geography, key infrastructure and genetics.
The draft regulation is designed to implement the country’s three major laws governing data collection and usage: the 2017 Cybersecurity Law, and this year’s Data Security Law and Personal Information Protection Law.