Guide to the Process and Material Preparation for China's Foreign Investment Security Review

一、审查范围与启动机制

The Guide first clarifies the **trigger conditions** for a security review, which is a recurring headache for practitioners. According to the text, the review applies to any foreign investment (including greenfield, M&A, and even certain "VIE" structures) that could affect national security, especially in sectors like defense, critical infrastructure, sensitive technologies, and key data services. But here’s the nuance: the review is not automatic. It’s either initiated by the authorities on their own motion or triggered by a voluntary application from the investor.

I recall a case from 2021 involving a Singaporean fund investing in a cloud computing startup. The startup’s technology wasn’t directly defense-related, but because it handled data from government contracts, the local commerce bureau flagged it. The investor hadn’t filed voluntarily, thinking they were below the radar. **This is where the Guide’s clarity is invaluable**: it explicitly lists specific types of "sensitive data" and "critical technology" that warrant a filing, even if the investment size is small. For instance, any investment involving "personal information of more than one million users" or "key information infrastructure" now clearly triggers a mandatory notification. The Guide effectively lowers the ambiguity threshold, pushing investors to err on the side of caution.

Moreover, the Guide outlines a **phased review timeline**. The initial "general review" takes 15 working days; if issues are found, it escalates to a "special review" lasting up to 60 working days (potentially extendable with reason). This contrasts sharply with the old "black box" approach where clients would wait months without any feedback. My advice to clients now is: treat the timeline as a minimum. Prepare materials in parallel, and assume the special review will always be triggered for any investment touching "national security" keywords. This proactive stance saved one of my biotech clients nearly two months of delay last year.

二、核心申报材料清单与准备技巧

The Guide provides a standardized checklist of documents, which feels like a breath of fresh air compared to the previous "submit whatever we ask for" approach. The core materials include: a detailed investment plan, the investor’s ownership structure (up to the ultimate beneficial owner), a description of the target company’s business scope, and a specific matrix mapping the investment’s potential impact on national security. But the devil, as always, is in the details.

Let me share a practical tip from my experience. The **"Impact Assessment Report"** is often the weakest link in filings. Many clients submit boilerplate statements like "this investment will not affect national security." The Guide explicitly requires a **comparative analysis**: how the investment changes the target’s governance, technology flow, and supply chain dependencies. I’ve found that preparing a parallel analysis from an independent third party (e.g., a cybersecurity audit firm) significantly strengthens the submission. For example, for a client in the semiconductor supply chain, we included a detailed report on how their investment would not transfer core lithography know-how, but instead would rely on domestic Chinese substitutes. This proactive evidence likely shortened their general review period by 10 days.

Another critical document is the **"Beneficial Ownership Structure Chart"**. The Guide demands transparency up to the "natural person or state-controlled entity" level. I’ve seen filings stall because the chart included opaque offshore holding companies in the Cayman Islands. The key is to ensure each layer has a clearly verifiable "business purpose"—a regulatory term that the Guide repeats. If a holding company serves no active business function, the reviewer may view it as a "control mechanism" that skirts security scrutiny. My team now advises clients to restructure any passive upstream entities before filing, adding a brief business description for each tier.

三、审查机构的协同与中立性

The Guide establishes a **multi-agency review panel**, typically led by the National Development and Reform Commission (NDRC) and the Ministry of Commerce, with participation from the Ministry of State Security, the Ministry of Industry and Information Technology, and others. This is not just bureaucratic formality; it reflects a real "turf awareness." For instance, a project involving 5G technology will have the MIIT reviewing it under a "technology sovereignty" lens, while the NSB focuses on "data sovereignty."

I once advised a client in the satellite communication sector. The initial NDRC submission sailed through the general review, but the special review dragged on because the Ministry of State Security raised concerns about the investor’s prior involvement in a US-based defense project. The Guide now offers a **mechanism for pre-review consultation**: investors can request a preliminary, non-binding opinion from the lead agency about whether a full review is likely. This is a huge improvement. In my client’s case, if we had sought pre-review, we would have known to proactively address the U.S. defense connection by demonstrating that the Chinese subsidiary had completely separate personnel and R&D facilities. The Guide’s explicit mention of this consultation pathway removes a lot of guesswork.

Furthermore, the Guide introduces a **conflict of interest disclosure** requirement for panel members. While this may seem procedural, it signals a shift toward procedural fairness. In practice, it means that if an agency has a direct regulatory or competitive relationship with the target company, the lead agency may rotate the review to another ministry. This reduces the risk of "regulatory capture" by a specific industry regulator, a concern often raised by foreign law firms. I’ve seen this play out positively in a fintech case where the People’s Bank of China voluntarily recused itself, leaving the review to the NDRC alone.

四、附条件批准与合规期制度

One of the most practical innovations in the Guide is the **system of "conditional approval with compliance period"**. Historically, a rejected application was a dead end. Now, if the panel identifies mitigable risks, they can issue approval subject to specific conditions, such as establishing a data security committee, restricting technology transfer, or appointing a Chinese-origin CEO. The investor is then given a **compliance period** (typically 6-12 months) to implement these conditions, with follow-up audits by the local commerce bureau.

I personally managed a compliance period for a Korean auto parts client. Their conditional approval required that "all core algorithms for autonomous driving be stored on servers within China." This was a heavy operational lift. But the Guide provides a **compliance milestone reporting schedule**: quarterly reports with evidence of server localization, plus an annual external audit. The trick is to negotiate these conditions during the review phase, not after approval. The Guide explicitly allows for a "pre-submission discussion of potential remedies." We used that window to narrow the condition from "all data" to "data related to L4-level autonomous driving only," which saved significant costs. The Guide’s conditional approval framework turns a potential "no" into a "yes with strings," which is far more palatable for strategic investments.

However, be warned: the Guide also mandates that **failure to comply with conditions can retroactively revoke approval**. This is a sword of Damocles. I advise all clients to incorporate these conditions directly into their investment agreements, with liability clauses for non-compliance. For example, in the Korean case, we added a clause that the Chinese joint venture must provide monthly server logs to the Korean parent, ensuring transparency. This dual-track approach—legal compliance plus operational transparency—has been our standard recommendation since the Guide was published.

五、国家安全例外与申诉机制

A unique feature of the Guide is its explicit reference to **"national security exceptions"** that allow the panel to reject even a fully compliant application if "broader strategic considerations" warrant it. This is both a power and a risk. The Guide attempts to define these exceptions narrowly: threats to "economic sovereignty," "public health security during pandemics," or "critical supply chain resilience." But the wording remains deliberately vague, retaining a degree of official discretion.

I have personal experience with this ambiguity. In 2022, a Swiss nutrition company sought to acquire a Chinese infant formula plant. The deal met all material requirements, but the panel cited "national food security" as a reason to conditionally approve with a restriction on importing certain raw ingredients. The investor initially felt this was punitive. However, the Guide now includes a **two-tier appeal mechanism**: first, an internal review by the panel itself within 30 days, and second, a request for administrative reconsideration by the State Council. The Swiss client used the first tier, providing economic modeling to show that the ingredient restriction would not affect China’s domestic supply. The panel eventually relaxed the condition. This shows that even within the "national security" black box, there is room for evidence-based negotiation.

For practitioners, the key lesson is to **document every justification with quantitative evidence**. If you claim a condition harms your investment, don’t just say it; show it with cost-benefit analysis. The Guide’s appeal framework is a welcome addition, but it’s not a magic wand. I’ve seen three clients use it; only one succeeded fully. So, treat the appeal as a safety net, not a primary strategy. And always prepare a "Plan B" for structuring the investment to avoid triggering the exception in the first place.

六、存量投资的申报义务与追溯效力

Many foreign investors assume that the FISR only applies to new transactions. The Guide dispels this myth. It explicitly states that **existing foreign-controlled entities that undergo significant changes in control (e.g., a change of ultimate beneficial owner, or a transfer of board control) must re-file**. This is a "hold separate" concept borrowed from merger control but adapted for security. The Guide also addresses **retroactive review**: the authorities can, within three years of a transaction, initiate a review if new information emerges that the original investment posed a previously undisclosed national security risk.

This retroactive power is an operational nightmare if not managed. I recall a case where a French investor had completed an acquisition in 2020. In 2023, the target company started producing components for a military radar supplier—something the French parent hadn’t disclosed. The panel launched a review and imposed a **divestiture order**, forcing the French firm to sell within 12 months. The Guide now requires that investors submit **"post-completion monitoring reports"** for three years for any investment in the "sensitive technology" category. This is burdensome, but it’s also a shield: if you file these reports voluntarily and in good faith, the panel is less likely to launch a surprise retroactive review. My firm now includes a standard clause in exit agreements requiring the seller to indemnify the buyer for any retroactive review penalties, which has become industry best practice.

For investors holding pre-existing investments in sectors like advanced materials or cybersecurity, I recommend conducting a **"health check"** against the Guide’s updated criteria. Even if the original transaction was compliant, changes in the business scope (e.g., adding a new product line that touches military applications) could trigger a fresh obligation. The Guide’s language is clear: "any material change in the investment’s impact on national security requires re-notification." Ignorance is no longer an excuse.

七、律师与中介机构的角色定位

The Guide dedicates a surprising amount of space to the **role of professional advisors**, urging them to maintain "professional ethics and objectivity." This is a subtle but important signal: the authorities are cracking down on "opinion shopping" where advisors provide rosy assessments to get deals signed. The Guide requires that the applicant’s legal opinion be signed by a partner-level lawyer and include a disclosure of any prior relationships with the review panel members. This raises the stakes for us as advisors.

I’ve had colleagues who were sanctioned for submitting misleading beneficial ownership charts. The Guide now explicitly states that "intentional omission or false statements may result in blacklisting of the advisory firm for 1-3 years." This is a career-ending risk. My approach has always been to **conduct a full "pre-review audit"** that goes beyond the application materials. For instance, we now run a data-mapping exercise for every client to identify whether any of their customers or suppliers are on the "unreliable entities list" or subject to Chinese export controls. This forward-leaning due diligence often uncovers issues that the client themselves didn’t know existed. Just last month, one such audit revealed that a client’s cloud service provider was a subsidiary of a firm sanctioned by the U.S. OFAC—a fact that would have been a red flag for the Chinese panel.

The Guide also recommends that advisors **maintain a "communication log"** with the panel, documenting every oral or written interaction. This is bureaucratic, yes, but it’s also a safeguard. In one case, a client’s verbal assurance during a meeting was later used against them because the panel claimed they had promised a divestiture timeline that they later failed to meet. Now, I insist on sending a formal written summary after every meeting, with a copy to the panel secretary, to ensure a consistent record. This may seem like overkill, but in the high-stakes world of FISR, **documentation is the only currency that retains value**.