---
title: "One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era"
author: "DCC Editorial"
published: 2026-07-15T04:00:00.000Z
url: https://datacompliancechina.com/posts/china-four-security-review-matrices/
description: "With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty."
tags: ["security-review", "national-security", "cybersecurity-review", "data-export", "risk-assessment", "foreign-investment", "overseas-listing", "important-data", "ai-companies", "compliance"]
laws_cited: ["network-data-security-risk-assessment-measures", "cybersecurity-review-measures", "data-export-security-assessment-measures", "foreign-investment-security-review-measures", "csl", "dsl", "pipl", "network-data-security-regulations", "gbt-45577-data-security-risk-assessment"]
domains: ["data-security", "cross-border", "cybersecurity-review"]
account: "junhe-legal-review"
original_title: "君合法评丨《网络数据安全风险评估办法》出台 安全至上时代企业如何应对中国四大安全审查\"矩阵\"？"
original_author: "陈思佳 (Chen Sijia), JunHe LLP"
original_publication: "君合法律评论 (JunHe Legal Review) WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/5eWIRTfZ7tVgWLJhP1mfaA"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/china-four-security-review-matrices/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era", https://datacompliancechina.com/posts/china-four-security-review-matrices/
> *Editor's Note — DCC.*
>
> The Measures for Network Data Security Risk Assessment
> (《网络数据安全风险评估办法》, CAC–MIIT–MPS Order No. 24) were promulgated
> June 18, 2026 and take effect August 20, 2026. DCC has published
> [the full instrument and a close reading](/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/)
> and [a self-identification guide for important-data handlers](/posts/important-data-handler-self-identification-annual-assessment/).
> This JunHe piece answers the next question: where the new Measures sit in
> China's wider security-review architecture. Its useful move is to run four
> regimes — foreign investment security review, cybersecurity review, data
> export security assessment, and the new risk assessment — through one
> five-question grid, and its practical warning is about finality: for the
> three admission-style reviews there is effectively no ex-post remedy.
>
> Two reading notes. The author cites the Cybersecurity Law by its
> 2025-amended article numbering (e.g., the penalty for using unreviewed
> products appears as Article 67). And the "matrix" characterizations —
> filter, gatekeeper, pass, physical exam — are the author's, as is the
> closing AI-company walkthrough. The tables below are reconstructed from
> the original.

On June 18, 2026, the Cyberspace Administration of China (CAC) released the
[Measures for Network Data Security Risk Assessment](/laws/network-data-security-risk-assessment-measures/)
— adding another important piece to China's security-review puzzle.

## I. The map of China's security reviews

The foundation of security review is national security, and national security
has been the theme of the era. Geopolitical conflict and great-power
competition have pushed its importance to a new height, and China — guided by
the holistic approach to national security (总体国家安全观) — is accelerating
a new "security first" (安全至上) macro-governance posture.

China has no single, unified national security review system. Instead,
national security is broken down into separate dimensions — foreign
investment; specific items and key technologies; network information
technology products and services — each with its own security review.

A preliminary survey of security-review provisions at the level of statute:

| Review field | Law | Key provision |
| --- | --- | --- |
| National security | National Security Law (2015, Presidential Decree No. 29) | The State establishes systems and mechanisms for national security review and oversight, conducting national security review of **foreign investment; specific items and key technologies; network information technology products and services; construction projects involving national-security matters; and other major matters and activities** that affect or may affect national security, to effectively prevent and defuse national-security risks. |
| Foreign investment | Foreign Investment Law (2020, Presidential Decree No. 26) | The State establishes a foreign investment security review system to review foreign investment that affects or may affect national security. A security review decision made in accordance with law is **final**. |
| Foreign investment | Anti-Monopoly Law (2022, Presidential Decree No. 116) | Where a foreign investor's merger with or acquisition of a domestic enterprise, or other participation in a concentration of undertakings, involves national security, a national security review must be conducted under relevant state provisions in addition to the concentration review under the Anti-Monopoly Law itself. |
| Foreign investment | Food Security Guarantee Law (2023, Presidential Decree No. 17) | Foreign investment in grain production and operation that affects or may affect national security must undergo foreign investment security review under relevant state provisions. |
| Foreign investment | Hainan Free Trade Port Law (2021, Presidential Decree No. 85) | The foreign investment security review system is implemented in the Hainan Free Trade Port in accordance with law, reviewing foreign investment that affects or may affect national security. |
| Network information technology products and services | Cybersecurity Law (2025 amendment) | Where a critical information infrastructure operator (CIIO) procures network products and services that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with relevant State Council departments. |
| Network information technology products and services | Data Security Law (2021, Presidential Decree No. 84) | The State establishes a data security review system, conducting national security review of data processing activities that affect or may affect national security. |
| Network information technology products and services | Cryptography Law (2020, Presidential Decree No. 35) | Where a CIIO procures network products and services involving commercial cryptography that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with the state cryptography administration and other relevant departments, per the Cybersecurity Law. |
| Biology / agriculture | Biosecurity Law (2024 amendment) | The State establishes a biosecurity review system: major biological-field matters and activities that affect or may affect national security undergo biosecurity review by relevant State Council departments. |
| Biology / agriculture | Seed Law (2022, Presidential Decree No. 105) | The State establishes a national security review mechanism for the seed industry, covering overseas institutions' and individuals' investment in, acquisition of, or technical cooperation with domestic seed enterprises and research institutes. |

Most of these statutory provisions run to only an article or two. Making
security review actually operate usually requires more concrete implementing
rules — and those rules are the core of China's security-review system.

## II. The four security-review "matrices"

To implement security review in the foreign-investment field, the
[Measures for the Security Review of Foreign Investments](/laws/foreign-investment-security-review-measures/)
were adopted. (With the issuance of the Provisions of the State Council on
Outbound Investment (《国务院关于对外投资的规定》), an outbound-investment
national security review was also established at the administrative-regulation
level, creating two-way review of investment "coming in" and "going out" —
but because the detailed implementing rules have not yet landed, the author
leaves it outside this article's scope.)

To implement security review in the network field, the
[Cybersecurity Review Measures](/laws/cybersecurity-review-measures/) were adopted.

To implement the PIPL's security assessment for providing personal information
abroad and the DSL's export security management of important data, the
[Measures for the Security Assessment of Data Export](/laws/data-export-security-assessment-measures/)
were adopted.

To implement security review in the data field, the Measures for Network Data
Security Risk Assessment were adopted.

Together these build China's four security-review "matrices," marking a new,
more granular and standardized stage of security governance. How these
parallel, differently focused reviews are understood and applied is a
red line for corporate operations. Below, each matrix is unpacked against the
same questions: who reviews, what is reviewed, and when review is mandatory.

### 1. Foreign investment security review

**Background.** The current Measures for the Security Review of Foreign
Investments (2020) implement the security-review system created by the Foreign
Investment Law and are China's first dedicated foreign-investment
security-review instrument.

**Who reviews?** The State has established a working mechanism for foreign
investment security review, responsible for organizing, coordinating, and
guiding the work. The working mechanism's office is housed at the National
Development and Reform Commission (NDRC); the NDRC and the Ministry of
Commerce (MOFCOM) take the lead and handle day-to-day review work.

**What is reviewed?**

- Investment in key sectors bearing on national defense — military industry,
  military-industry support, and similar fields — and investment in areas
  near military facilities and military-industry facilities: subject to
  review **regardless of whether control is acquired**.
- Investment in important agricultural products, important energy and
  resources, major equipment manufacturing, important infrastructure,
  important transport services, important cultural products and services,
  important information technology and internet products and services,
  important financial services, key technologies, and other important fields
  bearing on national security, **where the investor acquires actual control**
  of the invested enterprise.

**When?** Ex-ante. During the review period and before the working mechanism
office issues its decision, the parties must not implement the investment.

**Legal consequences.**

- Cleared: the investment may proceed.
- Prohibited: the investment must not proceed; if already implemented, the
  parties must divest equity or assets within a prescribed period and take
  other necessary measures to restore the pre-investment state and eliminate
  the national-security impact.
- Conditionally cleared: the investment proceeds subject to the attached
  conditions.
- Failure to file when filing was required: ordered to file; on refusal,
  ordered to divest equity or assets within a prescribed period and restore
  the pre-investment state.

### 2. Cybersecurity review

**Background.** The 2016 Cybersecurity Law established that CIIO procurement
of network products and services that may affect national security must pass
a national security review organized by the national cyberspace
administration together with relevant State Council departments. The 2017
trial measures for network products and services were the first
implementation; the Cybersecurity Review Measures followed in 2020 and were
revised in 2021 into the currently effective text.

Per the CAC's own press Q&A, the 2021 revision responded to the Data Security
Law taking effect on September 1, 2021, which mandated a state data security
review system: the revision brought network platform operators' data
processing activities that affect or may affect national security into the
review scope, and required network platform operators holding personal
information of more than one million users to file for cybersecurity review
before listing abroad.¹

**Who reviews?** Under the leadership of the Central Cybersecurity and
Informatization Commission, the CAC together with twelve departments — NDRC,
MIIT, MPS, MSS, MOF, MOFCOM, PBOC, SAMR, NRTA, CSRC, the State Secrecy
Administration, and the State Cryptography Administration — has established
the national cybersecurity review working mechanism. The Cybersecurity Review
Office, housed at the CAC, drafts the rules and organizes reviews.

**What is reviewed?**

*CIIO procurement* of network products and services, where the products and
services in use affect or may affect national security, including:

- the risk of critical information infrastructure being illegally controlled,
  interfered with, or destroyed once the products or services are in use;
- the harm a supply interruption would do to business continuity of critical
  information infrastructure;
- the security, openness, transparency, and diversity of sources of the
  products and services; the reliability of supply channels; and the risk of
  supply interruption from political, diplomatic, or trade factors;
- the provider's record of compliance with Chinese laws, administrative
  regulations, and departmental rules.

*Foreign listings* by network platform operators holding personal information
of more than one million users — presumed capable of affecting national
security and therefore subject to mandatory filing with the Cybersecurity
Review Office. The factors include:

- the risk of core data, important data, or large volumes of personal
  information being stolen, leaked, destroyed, illegally used, or illegally
  transferred abroad;
- the risk of critical information infrastructure, core data, important data,
  or large volumes of personal information being influenced, controlled, or
  maliciously used by foreign governments after listing, plus network
  information security risks.

In short: cybersecurity review targets the supply-chain stability and
security of CIIO procurement, and the risk that a platform with more than one
million users' personal information comes under foreign-government influence,
control, or malicious use after a foreign listing.

**When?**

- *Procurement* — unlike the FDI measures, there is no express bar on closing
  the purchase before a decision, but Article 3 states that cybersecurity
  review combines ex-ante review with continuous supervision.
- *Listing* — before submitting the listing application to the foreign
  securities regulator. The CAC's press Q&A confirms this timing.²

**Legal consequences.** Article 67 of the Cybersecurity Law (2025 amendment):
a CIIO that uses network products or services that have not undergone or have
not passed security review will be ordered to stop using them and fined
between one and ten times the procurement amount; directly responsible
supervisors and other directly responsible personnel face fines of RMB 10,000
to 100,000.

For overseas listings, there is no express penalty for failing review, and
regulators have not published any penalty decision resting solely on
"failure to file for cybersecurity review." But the reviews launched against
DiDi, Yunmanman, Huochebang, BOSS Zhipin, and other US-listed companies show
the pattern: during the investigation, new-user registration is suspended and
apps are removed from stores — up to, in the end, delisting-and-rectification
demands.

### 3. Data export security assessment

**Background.** Article 39 of the Cybersecurity Law [2025-amended numbering
— Ed.] requires CIIOs to store personal information and important data
collected and generated in their China operations inside China, and to pass a
security assessment before any genuinely necessary export. Article 31 of the
Data Security Law applies the Cybersecurity Law's rule to CIIOs' important
data and directs the CAC and State Council departments to write export rules
for everyone else's important data — a step-by-step widening of scope from
CIIOs to all handlers. Article 40 of the PIPL adds that CIIOs and handlers
processing personal information above CAC-set volume thresholds must pass a
CAC-organized security assessment before providing personal information
abroad. The Measures for the Security Assessment of Data Export implement all
three statutes.

**Who reviews?** The handler files with its provincial-level cyberspace
administration; once materials are complete they are forwarded to the
national cyberspace administration, which organizes the assessment with
relevant State Council departments, provincial cyberspace administrations,
and specialized agencies.

**What triggers assessment?**

1. Providing important data abroad;
2. A CIIO, or a handler processing the personal information of more than one
   million individuals, providing personal information abroad;
3. A handler that since January 1 of the previous year has cumulatively
   provided abroad the personal information of 100,000 or more individuals,
   or the sensitive personal information of 10,000 or more individuals.

**What is assessed?**

- the legality, legitimacy, and necessity of the export's purpose, scope, and
  method;
- the impact of the data-security policies, regulations, and cybersecurity
  environment of the recipient's country or region on the security of the
  exported data; whether the overseas recipient's protection level meets
  Chinese laws, administrative regulations, and mandatory national standards;
- the scale, scope, categories, and sensitivity of the exported data, and the
  risks of tampering, destruction, leakage, loss, transfer, or illegal
  acquisition or use during and after export;
- whether data security and personal information rights and interests can be
  fully and effectively safeguarded;
- whether the legal documents between the handler and the overseas recipient
  adequately allocate data-protection responsibilities and obligations;
- compliance with Chinese laws, administrative regulations, and departmental
  rules.

In short: the assessment targets whether personal information and important
data face risks of tampering, destruction, leakage, loss, transfer, or
illegal acquisition and use during and after export.

**When?** Ex-ante. Article 5 requires the handler to conduct a data export
risk self-assessment before filing.

**Legal consequences.** The Measures set no new penalties; superior law
applies. The Cybersecurity Law points to handling under relevant laws and
administrative regulations; under the DSL and PIPL, unlawful exports draw
consequences from warnings and fines up to revocation of the relevant
business permit or business license and termination of services, depending on
the violation.

### 4. Network data security risk assessment

**Background.** Per MIIT press Q&A and expert commentary,³ the Measures
implement Articles 22 and 30 of the DSL — which call for a centralized,
unified, efficient, and authoritative data security risk assessment mechanism
and require important-data handlers to assess their processing activities
periodically and report to competent authorities — and the Regulation on
Network Data Security Management, which requires important-data handlers to
assess annually and before providing, entrusting the processing of, or
jointly processing important data. The Measures turn those principles into a
concrete institutional path, answering the practical questions of **who
assesses, how, and what the results are used for**.

**Who reviews?** The central national-security leadership body has
established a national data security work coordination mechanism; under its
guidance, the CAC together with the State Council's telecommunications,
public security, and other relevant departments has built a special working
mechanism for network data security risk assessment that guides and
supervises the work. Sectoral authorities organize regular assessments in
their own industries under the principle "whoever is in charge of the
business is in charge of the business data and is in charge of data
security."

**What is assessed?** Under GB/T 45577-2025 (Data Security Technology — Data
Security Risk Assessment Method), the assessment centers on data and
data-processing activities, focusing on risks to data confidentiality,
integrity, and availability and to the reasonableness of processing
activities — to grasp the overall security posture, find hidden dangers,
propose management and technical measures, and improve resistance to attack,
sabotage, theft, leakage, and abuse.

**When?** This is not a one-vote-veto ex-ante review but a normalized,
continuous-improvement exercise:

1. Important-data handlers assess annually.
2. Where a material change in the security status of important data may
   adversely affect data security, the changed part and its impact must be
   assessed promptly.
3. General-data handlers are encouraged to assess at least once every three
   years.

**Legal consequences.** Where authorities find in a risk assessment that an
important-data handler's processing may endanger national security or the
public interest, they order rectification; a handler that refuses or falls
short can be required to stop processing important data, among other
measures.

In short: the object is the security of network data and network
data-processing activities within China — an ongoing "physical exam," not an
admission gate.

**Data security review vs. network data security risk assessment.** Recall
that the 2021 revision of the Cybersecurity Review Measures was how the DSL's
"data security review" landed. How does that review differ from the new risk
assessment?

1. **Scope.** The Cybersecurity Review Measures review data-processing
   activities for their impact on *national security*. But under Article 17
   of the new Measures and GB/T 45577-2025, data-security incidents cover
   risks to national security, the public interest, *and the lawful rights
   and interests of organizations and individuals* — a wider net.
2. **Rhythm.** Cybersecurity review is a node-based review triggered when a
   specific event may affect national security — like a visit to a specialist
   clinic. The risk assessment is periodic, reported to authorities, and
   improvement-oriented — more like an annual physical.

The risk-assessment mechanism is a foundational institution of the whole
data-security regime — the root consideration that determines which
protection strategies and management measures a network data handler adopts.
It is not merely a national-security review; it is a broader security base
for the data-security field.

## III. The four matrices compared

1. **Foreign investment security review** is the *filter* at the capital
   entrance, watching whether foreign capital gains control of sensitive
   enterprises or sectors. **Cybersecurity review** is the *gatekeeper* of
   supply-chain security, watching CIIO procurement and the
   foreign-government-influence risk of platforms listing abroad with more
   than one million users' personal information. **Data export security
   assessment** is the *pass* for cross-border flows, watching whether
   personal information and important data can be abused once abroad.
   **Network data security risk assessment** is the *physical-exam chart* for
   data security — a comprehensive checkup of network data and processing
   activities within China.

2. The first three are ex-ante, admission-style reviews. The risk assessment
   is normalized and is not an admission review.

3. On remedies: the foreign-investment security review and the data security
   review are both expressly **final decisions**; the Cybersecurity Law and
   the Cybersecurity Review Measures provide no reconsideration or
   re-examination; the export assessment result can be re-assessed, but the
   re-assessment is final. The mainstream academic view treats these reviews
   as final administrative acts — parties can neither apply for
   administrative reconsideration nor bring administrative litigation. For
   companies there is effectively **no ex-post remedy**, which is why active
   cooperation and careful handling during the review matter so much.

| Dimension | Foreign investment security review | Cybersecurity review | Data export security assessment | Network data security risk assessment |
| --- | --- | --- | --- | --- |
| Characterization | Capital-entrance "filter" | Supply-chain "gatekeeper" | Cross-border "pass" | Data-security "physical exam" |
| Lead authority | NDRC + MOFCOM | CAC + 12 departments | National cyberspace administration | Cyberspace administration coordination + sectoral division of labor |
| Trigger | Before the investment | Before procurement / before listing | Before data export | Annual, plus material changes |
| Nature | Admission-style (veto) | Admission-style (veto) | Admission-style (veto) | Normalized (improvement-oriented) |
| Core focus | Foreign control + key technologies | Supply chain + listing security | Post-export abuse of data | Full-lifecycle data risk |
| Remedy | Final decision | Final decision | Re-assessment possible (final) | — |

## IV. One company, full lifecycle: an AI-model company

In real business scenarios these seemingly separate reviews can run through a
company's entire life, in parallel. Take an AI-model company:

**1. Fundraising.** To launch or scale financing by bringing in foreign
capital or a VIE structure, first ask whether the AI model falls in
defense-and-military-related fields, or whether the deal is an investment in
important information technology and internet products and services with the
foreign investor taking actual control. If so, the FDI security review
decision must be in hand *before* the investment — on top of
industrial-policy requirements like the foreign investment negative list.

**2. Equipment procurement.** Financing closed, the company buys
high-performance GPUs, optical modules, and the like. Set aside whether the
exporting country will sell and what trade controls apply: on the Chinese
side, if the purchaser has been identified as a CIIO, the procurement itself
may trigger cybersecurity review — the Cybersecurity Review Office's
conclusion must come before the purchase, on pain of fines and a ban on use.

**3. Model training.** If the model will serve overseas users, be sold and
deployed overseas, or transfer data abroad: under the China (Beijing) Pilot
Free Trade Zone / National Comprehensive Demonstration Zone for Expanding
Opening-up of the Services Sector Data Export Management List (Negative List)
(2025 edition), high-value sensitive data bearing on industrial
competitiveness that is collected and generated in R&D and design counts as
important data — so the CAC's export security assessment result must come
before the data leaves.

**4. Listing.** Business grows; a US listing beckons. Any to-C business at
listing scale almost certainly holds personal information of more than one
million users — which triggers the mandatory cybersecurity review before
filing with the foreign securities regulator.

**5. Routine data processing.** Large-model training and inference inevitably
process massive data. Unless the product is purely on-device — and it almost
never is — the normalized network data security risk assessment applies too.

## V. Closing

A single AI company can trip all four lines at once: the security-review
matrix sits much closer to ordinary businesses than it looks. Threading it
precisely is hard, and — unlike other administrative acts — there is no
ex-post remedy, so the cost of getting it wrong is extremely high.

Rather than blanket anxiety or wishful thinking, the author's advice is to
embed compliance across the whole management lifecycle: understand precisely
what each review targets in each scenario, identify the red lines, build an
effective governance system, defuse risks early, and turn the external
constraint into internal security capability.

---

**Notes**

1. CAC press Q&A on the revised Cybersecurity Review Measures, January 4,
   2022: <https://www.cac.gov.cn/2022-01/04/c_1642894602460572.htm>
2. Same source as note 1.
3. CAC release accompanying the Measures, June 18, 2026:
   <https://www.cac.gov.cn/2026-06/18/c_1783525612886783.htm>

---

**Source:** 陈思佳 (Chen Sijia), "《网络数据安全风险评估办法》出台
安全至上时代企业如何应对中国四大安全审查'矩阵'？," published on the JunHe
Legal Review (君合法律评论) WeChat Official Account,
[original article](https://mp.weixin.qq.com/s/5eWIRTfZ7tVgWLJhP1mfaA).
Chen Sijia is a lawyer at JunHe LLP whose practice covers telecommunications,
information technology and high tech, competition law, and dispute
resolution. Per the source's own disclaimer, the article represents the
author's personal views and is not a formal legal opinion of JunHe.

— Not legal advice.
