China’s internet regulator, the Cyberspace Administration of China, enacted its rules on security reviews last year as part of its framework for safeguarding the nation’s digital infrastructure.
Those regulations stopped short of requiring companies like Didi to undergo a formal security check before filing for an overseas initial public offering, but that would change under the revisions proposed by the agency on Saturday.
The revised rules say a security review would be mandatory for any business possessing information on more than one million users that seeks to list its shares abroad. Such companies would need to submit materials related to their I.P.O.s, as well as procurement documents and contracts.
Under the existing rules, the security review is aimed at addressing the risks to national security and business continuity posed by the servers, software, cloud services and other products that major tech companies use.
The revised rules add two more risks to the list: the possibility that important data could be “stolen, leaked, damaged and illegally exploited or moved overseas,” and that data could be “influenced, controlled or maliciously exploited by foreign governments” after an overseas I.P.O.