数据分类与分级
The first big hurdle you'll hit is the requirement for a rigorous data classification and grading system. This isn't a suggestion; it's a mandate. Under the *Data Security Law*, companies must categorize their data based on its importance to national security, public interest, and legitimate rights of individuals. For a foreign-invested enterprise (FIE) under security review, the authorities want to see a clear, documented framework. You need to show them that you know exactly which datasets are “core,” “important,” or “general.” And let me tell you from experience, most FIEs get this wrong at the start. They treat it as an IT exercise. No, no. This is a governance exercise, a compliance spine that runs through your legal, operations, and even HR departments.
In practice, I’ve seen companies create a beautiful, 50-page data classification policy, but when the review team asks, “Show me how you classified the data from your autonomous driving test fleet,” they freeze. Because the policy didn’t account for real-world exceptions. **The case I always reference is a US biotech firm we advised in 2023.** They were acquiring a local gene sequencing startup. The Chinese partner had gigabytes of genomic data. Our team spent weeks working with their IT and legal teams to map every data point against the *Data Security Law*’s classification guidelines. We had to prove that the genetic data was not “important data” merely because it was large—we had to demonstrate its actual impact. We used the "principle of scarcity" and "specificity" to argue for a lower classification, which significantly eased the review process. The lesson? Classification isn't a tick-box; it's a legal argument.
Furthermore, you need a dynamic management system. Data classification is not a one-and-done affair. The regulatory environment in China is evolving rapidly—literally every quarter we see new standards for specific sectors like automotive or healthcare. Your classification system must have built-in triggers for re-evaluation. For example, if your FIE now processes data from a new critical information infrastructure (CII) operator, even as a vendor, your data classification may instantly upgrade. **This is what I call the “regulatory ripple effect.”** Don’t just report your current status; demonstrate your ability to adapt. The security review panel will look for this agility. They want to know that you have a perpetual monitoring mechanism, not just a static document.
---
网络基础设施安全
This aspect is often a sticking point for multinational corporations. The requirement here is that the network infrastructure supporting the FIE’s operations within China must be secure, reliable, and, crucially, must not create backdoors for foreign intelligence activities. That sounds dramatic, but it’s the realpolitik. **Specifically, the review expects that critical network equipment, core routers, and servers must be procured from trusted sources.** There is an unspoken, and sometimes spoken, preference for domestically certified equipment. When I say “certified,” I mean products that have passed the *Multi-Level Protection Scheme* (MLPS) compliance testing, especially for systems classified at Level 2 or above.
I recall a particularly painful case with a European logistics conglomerate. They wanted to integrate their Chinese distribution centers with their global SAP system. The plan was to use a specific encrypted VPN link and their own managed routers from a non-Chinese vendor. **The security review process flagged this immediately.** The concern wasn't the encryption strength—it was the *origin* of the equipment and the *location* of the management console. The review panel demanded that the Chinese subsidiary install an additional layer of Chinese-made security gateways to monitor traffic, and that the parent company provide a "sovereign operation assurance" meaning a written guarantee that foreign entity had no backdoor access to administrative commands. We had to negotiate for six months, detailing every packet of data flow. My advice? Always, always lead with a "China-first" network design in your initial submission. It saves months of headaches.
Another critical element is the **physical and logical isolation of certain systems.** For an FIE that is deemed to hold “important data,” the review might require that core databases be segregated from the corporate network. This isn’t just about firewalls; it’s about demonstrable physical separation or at least robust hypervisor-level segmentation, with audit logs that are immutable and stored in China. I tell my clients: “Treat your China network like a fortress, and the main gateways as checkpoints that log everyone coming and going.” The level of documentation required is intense. You need to show network topology maps, access control matrices, and disaster recovery plans that explicitly prevent cross-border system failures from cascading. The authorities are looking for resilience, but more importantly, they’re looking for control—that the Chinese entity has sovereign control over its own network fabric.
---数据本地化存储
Now we get to the big one: data localization. This is not just a "principle" in the *Cybersecurity Law*; it's a hard requirement for certain sectors and data types under the security review. **The specific requirement is that personal information and important data collected and generated by operators of CII in China must be stored within the territory of China.** And because the security review often sweeps in companies that are not technically CII operators but are in related sectors, this requirement de facto applies to many FIEs. The burden of proof is on the applicant to show that data localization is compliant, or that any cross-border transfer has passed the necessary security assessments.
I’ve seen a lot of investment professionals get tripped up here. They think, “Oh, we just set up a server in Shanghai, we’re fine.” It’s not that simple. **The review process wants to see the *legal and technical* architecture of localization.** For example, you need to demonstrate that the data stored locally is the *original* copy, not a cached version of data stored outside China. The system design must ensure that all collection, storage, and processing happens within the border. In 2021, we helped a Japanese financial tech firm acquire a Chinese payment processor. They initially planned to have a partial data backup in Tokyo for disaster recovery. The review board rejected that outright. We had to redesign the entire redundancy plan to be within China, using cloud services from a Chinese provider (like Alibaba Cloud or Huawei Cloud) with a contractual guarantee that no data leaves the China mainland. This cost them an extra RMB 8 million, but it was the only way to get the deal through. The core insight? Localization is a feature, not a bug. You must embed it into your investment thesis from day one.
Furthermore, the requirement for **reporting and approval for cross-border data transfers** is intense. Even if your primary data is localized, you may need to send anonymized sales reports to your global headquarters. Under the new regulations, this triggers a "Data Export Security Assessment" or a "Standard Contract" filing. For the security review, the review panel will ask: "Have you pre-cleared all cross-border transfers?" They want to see the approval certificates. If you haven't done it, the review is put on hold. I always advise clients to run a "data export simulation" before the M&A process begins. Map out every bit of data that ever leaves China for any reason—technical support queries, HR records, financial consolidation. Then get the legal clearance. It’s boring work, but it’s the difference between a three-month and an eighteen-month review cycle.
---关键信息基础设施运营者义务
Being designated or even deemed as a *Critical Information Infrastructure Operator* (CIIO) is the nuclear option for an FIE under security review. The obligations are immense. **If the review determines that your investment target plays a role in providing essential services like energy, transport, water, healthcare, or finance, or that its failure could cause “serious harm” to national security, then the full chapter of CIIO obligations apply.** But here’s the sneaky part: the review can proactively "deem" a company a CIIO, even if it’s not on the official CIIO list. They do this by looking at the nature of the data and the customer base.
The specific obligations for a CIIO are a compliance nightmare for global firms. First, you must have a dedicated **security management structure**, often requiring a Chinese national as the Chief Security Officer (CSO) who reports directly to the board and is personally liable. Second, you must undergo an annual security audit by a certified third-party. **Third, and most painfully for parent companies, you must adhere to a “procurement security review” for any network products and services.** This means you cannot simply buy equipment from your global vendor list if that vendor has a history of security incidents or is from a country with geopolitical tensions. We had a client, a US auto company, whose Chinese subsidiary was deemed a CIIO because it operated the traffic management system for a port city. They spent a fortune replacing all their Huawei-certified networking gear because they used a certain US-based firewall that wasn't on the "secure product list." The review process essentially forced a complete tech stack shift.
Another major obligation is **mandatory incident reporting**. If there's a data breach, even a minor one, the CIIO must report to the Cybersecurity Administration (CAC) within one hour, and to the relevant industry regulator. For an FIE, this is tricky because the parent company’s legal timeline might be different. We advise clients to set up a "China Crisis Protocol" that overrides the global protocol for data incidents within China. There’s no room for "we’ll decide at HQ later." The review panel sees this as a critical governance gap. They want sureness that the Chinese entity has autonomous decision-making capability to protect data in a crisis. If your submission shows the Chinese CSO has to get approval from London before reporting a breach, that’s a red flag. The system expects a level of autonomy that many global corporate structures struggle to provide.
---安全评估与审查
This is the procedural meat of the matter. The *Cybersecurity Law* and the *Data Security Law* establish a framework for **security assessments** that are directly linked to the foreign investment review. The specific requirement is that any foreign investment that might affect national cybersecurity must undergo a “Cybersecurity Review.” This review is distinct from, but often occurs in parallel with, the *Foreign Investment Security Review* led by the NDRC. The cybersecurity review is typically handled by the *Cybersecurity Administration of China (CAC)*. It focuses purely on the technical and data risks.
The trigger for this specific cybersecurity review is often **"possession of personal information of more than one million users."** This is a threshold that catches many internet platforms, e-commerce ventures, and SaaS companies that foreign investors target. I tell my FIE clients: "If your target has 1.1 million user accounts, you are immediately in the CAC’s domain." In 2023, I saw a deal fail entirely because the target company claimed to have only 800,000 users, but during the due diligence, we found dormant accounts that pushed the number over 1 million. The investor hadn't anticipated the 6-month delay for the CAC review. The cost of time killed the deal. **My advice? Always, always independently confirm the user count and data volume before signing anything.** Do a "Pre-M&A Data Footprint Analysis." It's a term I coined, but it’s essential.
The substance of the security review includes an assessment of the **risks of data leakage, malicious use, and threats to national security.** The CAC will ask for detailed data flow diagrams, security policies, incident response plans, and evidence of encryption at rest and in transit. They will also assess the “influence” of the foreign investor. This is a subjective but critical factor. The test is: *Can the foreign investor unduly influence the data handling of the Chinese entity?* If your parent company has a policy of accessing SQL databases globally, that’s a problem. We had to renegotiate a shareholders’ agreement to explicitly state that the parent company had no direct access to production databases, and that any data requests had to go through a Chinese legal entity review. The review process essentially rewrites your governance documents to fit Chinese security expectations. It's a fundamental reshaping of corporate control in the digital domain.
---供应链安全合规
This is a requirement that often catches manufacturing and engineering FIEs off guard. **The security review isn’t just about your internal data; it’s about your entire supply chain's cyber health.** If your Chinese subsidiary builds products or provides services that rely on third-party software, hardware, or cloud services, the review panel will want assurance that those suppliers are secure. The specific term used is “supply chain security risks.” For example, an American chip designer acquiring a Chinese distributor might be asked to prove that the distributor’s inventory management software has no known vulnerabilities and that the manufacturer of the servers used is not sanctioned by Chinese authorities.
I recall a situation with a Dutch semiconductor equipment company. They had a minor Chinese subsidiary that sourced a specific lubricant from a company that was later added to a US export control list. The Chinese security review process, while not directly applying US laws, used this as a reason to question the subsidiary’s cybersecurity posture. **The panel argued: "If your supplier is subject to foreign government controls, your supply chain is compromised, and your network could be infiltrated."** We had to find a new Chinese supplier and provide certification that the lubricant’s supply chain was "trusted." This took five months. The lesson is that supply chain security is now a geopolitical issue, not just a procurement issue. For the review, you need to demonstrate a “controlled supply chain” with preferred partners that are not subject to conflicting legal jurisdictions.
Furthermore, there's a requirement for **security testing and evaluation (Tang Jian Ce Ping)** of your key vendors. This is not just a theoretical audit; it often requires penetration testing by a certified Chinese cybersecurity firm for any vendors classified as critical. I advise clients to create a "Vendor Trust List" well before the M&A process. This list should include only vendors that can provide *Multi-Level Protection Scheme* (MLPS) certificates for their services and who can commit to data localization. If your Chinese subsidiary uses a popular global CRM like Salesforce or a cloud ERP from Oracle, that’s a red flag. Those are not locally compliant unless they are running from a Chinese data center with a Chinese legal entity as the contract holder. The review panel will want to see the contract. My personal reflection here is that the old model of global IT procurement is dead for FIEs under review. You must build a parallel, China-native tech stack for critical functions, or you will fail the supply chain test.
---人员安全与合规意识
Finally, and this is a point I always stress to clients because it’s so personal, the security review now intensely examines your **human capital risk.** The specific requirement is that key personnel, especially those with access to important data or handling core network operations, must be vetted. This is sometimes called "personnel security clearance" (Ren Yuan Shen Cha). For an FIE, this means you cannot simply transfer a senior manager from overseas to run the China office without a background check and potential approval from the industry regulator. The review wants assurance that these individuals are not foreign agents, have no conflicts of interest, and are loyal to the legal obligations of the Chinese entity.
But it goes deeper. The requirement extends to **cybersecurity training and awareness.** You must be able to prove that all employees, from the factory floor to the C-suite, have undergone annual cybersecurity training. And we’re not talking about a boring online video. The review panel wants to see a documented training program that covers *China-specific* requirements like the *Data Security Law* and *Personal Information Protection Law*. They want to see that your employees understand how to report an incident and the consequences of violating the rules. I once had a client who thought this was trivial. They sent me a one-page PDF from their global HR saying “compliance done.” The review board rejected it immediately. Why? Because the training was in English, not Chinese, and didn’t mention the Chinese laws by name. We had to commission a local training firm to create a China-specific module, run it for all 300 employees, and present the attendance logs and test scores to the panel. It felt like being back in school, but it was a mandatory pass.
**Another critical point is the legal status of the CEO and the Data Protection Officer (DPO).** The review requires that these roles be held by individuals who are resident in China and who can be held personally criminally liable. This creates a governance issue for multinationals. The global general counsel cannot be a de facto DPO for the Chinese entity from overseas. We have had to restructure reporting lines to ensure the Chinese DPO has a direct reporting line to the local board (or the main legal entity in China) and is not just a dotted-line report to an overseas compliance officer. The review panel wants to see that the DPO has actual authority to stop non-compliant activities, even if those activities are requested by the foreign parent. This creates a built-in "firewall" in human governance. It’s a shift from “one company, one culture” to “globally aligned, but locally sovereign in compliance.” It’s tough, but it's now a reality for any FIE with significant data assets in China.
--- ### Conclusion: The Future of Compliance as Competitive Advantage To wrap this up, the specific cybersecurity requirements within China’s foreign investment security review represent a fundamental shift from a commercial regulatory framework to a national security paradigm. **The main takeaway is that ignoring or underestimating these rules is no longer an option.** The aspects we’ve covered—data classification, network infrastructure, localization, CIIO obligations, security assessments, supply chain vetting, and personnel compliance—are not isolated checklists. They are interlocking pieces of a single puzzle: proving to Chinese authorities that your investment poses no cybersecurity threat and is under sovereign local control. I believe we are only at the beginning of this trend. **Looking ahead, I predict these cybersecurity requirements will become even more stringent, particularly around AI-generated data and cross-border financial data flows.** For investment professionals, the barrier to entry is higher, but the payoff is clearer. Those who invest in building a robust, China-native cybersecurity compliance architecture early will find a smoother path through the review. They will also find that this compliance creates a moat—a competitive advantage over rivals who are less prepared. The days of “we’ll fix it post-deal” are over. The security review is the deal itself. For future research, I would suggest delving into the intersection of privacy protection (under the *PIPL*) and the security review. There are still grey areas where individual privacy rights conflict with state security requirements. Navigating these ambiguities will be the next big challenge for lawyers, consultants, and investors alike. But for now, start with the fundamentals. Get your data house in order. Assume the reviewer is looking for gaps. And as I always tell my team at Jiaxi, “Don’t try to outsmart the regulator. Instead, help them see that you are the safest partner they could have.” That mindset is your best asset. --- ### Jiaxi Tax & Finance’s Insights on Specific Cybersecurity Requirements in China's Foreign Investment Security Review At Jiaxi Tax & Finance, after having guided over 200 foreign-invested enterprises through registration, restructuring, and compliance over the past 14 years, we’ve developed a clear vision regarding these cybersecurity requirements. **Our core insight is this: Cybersecurity compliance should not be viewed as a punitive barrier, but as a key component of your investment’s risk valuation.** From our perspective, the most common mistake we see is when investors treat cybersecurity requirements as a "legal department issue" separate from the commercial diligence. In reality, it’s a business cost center. For example, the need for a "China-first" network design or a complete vendor re-evaluation can significantly impact the EBITDA projections of a target company. We always recommend clients to **embed a "cybersecurity compliance cost premium" into their valuation model.** Furthermore, we have observed that companies that proactively implement a *Security by Design* approach—meaning they build compliance into their IT systems from the start—not only clear the security review faster but also enjoy lower operating risk and higher trust from Chinese partners. **Our practical advice is to hire a local cybersecurity consultant who understands the "review culture"**—someone who knows not just the laws, but the unspoken expectations of the local review body (often the provincial CAC or NDRC counterparts). This local intelligence is worth its weight in gold. Finally, we emphasize documentation. The process is heavily document-centric. We have developed a proprietary "Review Readiness Matrix" that maps every cybersecurity requirement to a specific deliverable (e.g., an MLPS certificate, a data localization log, a vendor contract). If you can show the review panel a complete matrix of documents, your approval probability goes up exponentially. At Jiaxi, we help our clients move from fear of compliance to confidence in compliance. It’s not about finding loopholes; it’s about building a solid, transparent bridge between global business objectives and Chinese national security expectations.