China plots tougher cyber scrutiny for tech firms in Hong Kong IPOs
New draft regulations underline that if companies choose to IPO in Hong Kong, they will be forced to carry out a cyber security review


China could force companies to carry out a cyber security review should they seek an IPO in Hong Kong as it looks to implement new laws on data security management, regulating network data processing, and protecting individuals in cyber space.
The Cyberspace Administration of China (CAC) released a draft document named “Regulations on Network Data Security Management” which is open for feedback until 12 December. The document stipulates that when data processors go public in Hong Kong, which affects or may affect national security, they will have to apply for a network security review in accordance with national regulations.
A number of Chinese tech firms were planning to launch an IPO in Hong Kong after US regulators have been applying greater scrutiny to new listings and are moving forward with plans to delist stocks whose auditors refuse to comply with US oversight, as reported by Bloomberg.
This could force around $2 trillion worth of Chinese listings to move out of US exchanges from 2024, as tensions between the two countries continue to grow.
This wasn’t the only rule put forward by CAC, it is also looking to ensure internet platforms amassing data relevant to national security and public interest seek security clearance before spin-offs, mergers, and restructuring. Plus, large internet companies will need to report to regulators before setting up overseas headquarters or centres for operations and R&D.
RELATED RESOURCE
Why faster refresh cycles and modern infrastructure management are critical to business success
The connection between modern server infrastructure and business agility
Additionally, companies that process important data or those that process data and list overseas must carry out an annual security review on how they share, store, and trade data. Platforms with over 100 million daily active users also need to obtain approval on major updates to platform operations, data privacy, and user rights.
CAC said it is implementing these regulations in order to implement other laws on data security management, regulating network data processing activities, and protecting individuals and organisations in cyberspace. These laws are the 2017 Cybersecurity law, and this year’s Data Security Law and the Personal Information Protection Law (PIPL).
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
PIPL was passed at the start of November and stipulates how data can be collected and used in the country while governing the actions of companies hoping to move data out of the country. It regulates personal information processing activities in China, as well as any activities carried out by state agencies. It also applies to foreign organisations that process personal data overseas.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
PowerEdge - Cyber resilient infrastructure for a Zero Trust world
Whitepaper Combat threats with an in-depth security stance focused on data security
By ITPro
-
Anticipate, prevent, and minimize the impact of business disruptions
Whitepaper Nine best practices for building operational resilience
By ITPro
-
Three steps to transforming security operations
Whitepaper How to be more agile, effective, collaborative, and scalable
By ITPro
-
Top ten ways to anticipate, eliminate, and defeat cyber threats like a boss
Whitepaper Improve your cyber resilience and vulnerability management while speeding up response times
By ITPro
-
The complete SaaS backup buyer's guide
Whitepaper Informing you about the realities of SaaS data protection and why an SaaS back up is essential
By ITPro
-
The 'cyber aSaaSin' manual
Whitepaper Providing valuable insights to identify SaaS data enemies and win the battle against SaaS data threats
By ITPro
-
Best practices for Microsoft 365 business continuity
Whitepaper Discover how to mitigate the effects of large-scale, high-cost data loss disasters
By ITPro
-
Latitude Financial's data policies questioned after more than 14 million records stolen
News Some of the data is from at least 2005 and includes customers’ name, address, and date of birth
By Zach Marzouk