China exempts Hong Kong listings from finalised cybersecurity review rules for offshore IPOs, analysts say

Internet platforms operators with more than 1 million users in China must go through a cybersecurity review before they apply to “foreign” regulators to raise funds through IPOs, the Cyberspace Administration of China (CAC) said.

The regulation did not mention Hong Kong, a special administrative region (SAR) that is not considered a “foreign” authority under China’s “one country, two systems” governance arrangement. That means IPOs by Chinese technology companies will be exempted from the review, according to an article on the Chinese blog Xiaobei Talks Security, a cybersecurity policy-themed blog started by a group of cybersecurity lawyers and scholars.

“The policy is clear now; the document only proposed requirements for IPOs in foreign markets without mentioning Hong Kong, which means cybersecurity reviews are not required for companies going public in Hong Kong,” according to the article.

The new review regulation was approved by China’s State Council and is backed by 13 government ministries, including the CAC, the National Development and Reform Commission (NDRC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and the Ministry of State Security, as well as the China Securities Regulatory Commission (CSRC).