---
title: "Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export"
author: "DCC Editorial"
published: 2026-04-28T01:00:00.000Z
url: https://datacompliancechina.com/posts/manus-foreign-investment-security-review/
description: "Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China."
tags: ["foreign-investment-security-review", "manus", "ai-agent", "cross-border", "commentary"]
laws_cited: ["pipl", "dsl", "data-export-security-assessment-measures", "foreign-investment-security-review-measures"]
domains: ["cross-border", "ai-governance", "cybersecurity-review"]
account: "wangan-xunluren"
original_title: "Manus 案的监管范式选择：为什么是外商投资安全审查？"
original_author: "洪延青"
original_publication: "网安寻路人"
original_url: "https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw"
source_language: "zh"
---
> *Editor's Note — DCC.*
>
> Hong Yanqing is one of the most influential voices on Chinese
> data-protection law. His commentary often focuses on conceptual structure —
> what regime applies, why it applies, what it can and cannot do. When the
> Chinese state acts, Hong's habit is to read the regulator's choice of
> pathway rather than just the outcome.
>
> On April 27, 2026, the NDRC's Foreign Investment Security Review Office
> banned an unnamed foreign acquirer — widely reported to be Meta — from
> acquiring "the Manus project" and ordered the parties to unwind the
> transaction. The official announcement was one sentence. No transaction
> structure, no reasoning, no remedies specified. Most overseas commentary
> read this as a geopolitical signal. Hong reads it as a
> regulatory-architecture signal — and finds the *choice of pathway*, not the
> outcome, to be the more important story.
>
> We rewrote rather than literally translated his analysis because the
> framing he uses — "capability-level" versus "transaction-level" regulation —
> is exactly the kind of reframing that gets lost in plain rendering but
> reshapes how an overseas compliance reader should understand China's
> emerging cross-border M&A regime for frontier technologies.

On April 27, 2026, an unusually terse one-sentence notice appeared on the National Development and Reform Commission's website. The NDRC's Foreign Investment Security Review Office had banned an unnamed foreign acquirer from acquiring "the Manus project" (Manus 项目) and ordered the parties to unwind the transaction.

That was the entire announcement. No transaction structure. No reasoning. No remedial measures specified. Just the decision.

Manus is an AI Agent — not a chatbot but a system that plans tasks, calls tools, generates code, conducts market research, builds applications, and operates browser and local computing environments. Its corporate parent at the time of the deal was a Singapore entity, Butterfly Effect Pte, but the project traces back to a Beijing-registered entity. By the acquirer's public account, the post-acquisition plan was for Manus to discontinue operations in China.

Most overseas commentary treated the decision as a geopolitical signal — China blocking a Big Tech acquisition. Hong Yanqing, in an April 28 analysis on his WeChat channel 网安寻路人, treats it as something more specific: a regulatory-architecture signal. The question he asks is not *whether* the deal should have been blocked, but *how* — through which regulatory regime.

The choice, Hong argues, matters enormously. The Manus deal could plausibly have been routed through at least three different regulatory pathways. The one Beijing chose — Foreign Investment Security Review — signals that China's regulators have rewritten the conceptual frame for handling cross-border transactions in frontier-technology projects.

## Three pathways, three different theories of what is at risk

Hong walks through the three plausible regulatory routes and what each can and cannot do.

**Technology Import/Export Management.** Under the Regulations on the Administration of Technology Import and Export and the Catalogue of Technologies Prohibited or Restricted from Export, regulators can control the transfer of specific technologies, technical secrets, patent licenses, technical services, and engineering documentation. The protected interest is *the order of technology flows* and national economic-technological interests. The granularity is technology-item-level — which specific technology, is it on a prohibited or restricted list, has it been properly licensed, has it been illegally exported.

Routing Manus through this regime, Hong notes, would have focused on the Agent orchestration framework, the browser-operation modules, the tool-invocation system, the model-tuning methodology, the evaluation system, the source code — examining for each whether it was formed in China, whether it was transferred through relocation, code sync, licensing, or service, and whether the transfer required an export licence. But technology-export rules are best suited to *specific technology objects in transit*, not to a wholesale capability being absorbed. An AI Agent's core value rarely sits in a single patent or a single code file. It sits in team know-how, engineering systems, evaluation pipelines, product-iteration capacity, and future research direction — things that keep migrating through people, organizations, processes, and ongoing collaboration. Hard to enumerate. Hard to catalog. Technology-export rules catch what passes through a gate; the gate is not where the loss is happening.

**Data Export Security.** Under DSL, PIPL, and the cross-border data-transfer regime, regulators can control the export of personal information and important data. The protected interest is the security of personal information, the security of important data, and the orderliness of cross-border data flows. The granularity is data-level — which data, was it collected in domestic operations, is it personal information or important data, has it cleared the security assessment or standard contract pathway.

But Manus did not primarily serve the Chinese public. Without a substantial body of domestic user data, the data-export pathway can only address residual traces — historical beta data, R&D data, employee debugging data, Chinese-language evaluation samples, early PoC data. Useful as a supplementary route, perhaps, but not the spine of the case. The deeper problem, Hong notes, is that AI-system data risk is *derivative*: data that has flowed into model fine-tuning, evaluation pipelines, agent strategies, or tool-invocation flows no longer exists as a discrete, identifiable file you can ask someone to delete. The remedy in such cases is not to "delete data" — it is to identify and dispose of the model versions, agent components, evaluation systems, and derivative outputs that bear the imprint of China-origin data, code, or technical assistance. That is not a data-export problem any more.

**Foreign Investment Security Review.** Under the Foreign Investment Security Review Measures, regulators can review foreign investment in China that affects or may affect national security. Article 2 covers new projects, M&A of equity or assets, and other forms of domestic investment by foreign investors — direct or indirect. Article 4 brings important information technology, internet products and services, and key technologies into the mandatory pre-notification scope. The legal test is *actual control* — defined broadly to include not just over-50-percent equity, but voting-share thresholds and "other circumstances that can materially influence operational decisions, personnel, finance, or technology."

The protected interest under FISR is not a single technology or a single dataset. It is *control of key sectors* and the security of national capability as a whole. The granularity is capability-level — after the deal closes, who controls this technology project, this team, this R&D direction, this industrial capacity.

This, Hong argues, is the heart of the Manus case.

## From transaction-level to capability-level

The Manus risk Hong identifies has three components, and none of them is captured well by the first two regimes.

First, the transaction would have moved a China-origin technology asset in the general AI Agent space wholesale into a foreign tech ecosystem.

Second, it would have absorbed the core R&D personnel, engineering systems, and product team into a foreign company's structure. Reuters reported that some Manus employees had already moved into the acquirer's Singapore office, with the project still being pushed forward. Whatever the individual founder's arrangement, the team- and project-level integration was already advanced enough that the acquisition was not of a discrete software product but of an ongoing, evolving research-and-development capability.

Third, it would have placed Manus's future technology roadmap, product direction, and commercial path under the acquirer's control. In AI Agent development, Hong notes, competition is not a one-time delivery — it is continuous iteration. Whoever controls team, compute, capital, product surface, and global distribution channels controls the direction in which the capability evolves.

The three regimes answer three different questions. Technology export answers *did technology cross a border?* Data export answers *did data cross a border?* Only Foreign Investment Security Review answers *did a capability come under foreign control?*

By routing Manus to FISR, Hong argues, the regulator made a paradigm choice. The regulatory object has shifted from *single technology flow* to *frontier capability ownership*.

## The Singapore problem — and the look-through answer

There is an obvious legal-technical problem with using FISR here. The acquirer formally bought a Singapore entity (Butterfly Effect Pte), not a Chinese company. Article 2 of the FISR Measures applies to investment "within China." How does it bite on an offshore equity deal?

This is the heart of the *zǒu chū qù Xīnjiāpō* — "leave for Singapore" — strategy that has become common for Chinese tech founders thinking about overseas capital: relocate the registered entity, operations, IP, and core personnel offshore first, then have a foreign investor acquire the offshore vehicle. The argument is that the subsequent capital transaction sits outside the Chinese foreign-investment security regime.

The Manus decision suggests the Chinese regulator did not stop at registered location. Hong's read of the analytical method is a "look-through" test, asking:

- Where was the core technology formed?
- Where did the core R&D team complete primary development?
- Did the IP, code, model components, technical documentation, and evaluation systems sit at any point with a Chinese-domiciled entity?
- Are the Singapore relocation and the subsequent acquisition coordinated arrangements — coupled in time and purpose?
- Does the offshore equity transaction substantively transfer control of the China-origin key technology project?

A scholar Hong quotes, Cui Fan of the University of International Business and Economics, sketches the technical mechanism. Manus's onshore Beijing entity is held through a domestic WFOE ("Red Butterfly"), which is contractually controlled by an offshore VIE structure that goes Hong Kong → Cayman. The Cayman entity's shareholders are the founders plus the past investment rounds. When the foreign acquirer purchases the Cayman vehicle, the ultimate controller of Red Butterfly changes — and under the Foreign Investment Enterprise Information Reporting System, that is a *mandatory reportable material change*. The regulator does not need a Chinese-counterparty equity deal in order to have jurisdiction. The change in ultimate control of a contractually controlled onshore entity is enough.

Worth noting too: the NDRC announcement used the phrase "Manus project" (Manus 项目), not "a certain Singapore company." The "project" framing is deliberate. It treats Manus as a composite of technology, team, IP, code, product, and commercial arrangements rather than as a single registered legal entity. The regulator declined to limit the inquiry to corporate form.

## What "eliminating the impact on national security" looks like

If the deal had been routed through technology export, the toolbox would have been about disposing of specific technology assets — classification, licensing, contract registration, halting unauthorized transfers, recalling or sealing technical materials. If it had been routed through data export, the toolbox would have been about controlling data flows — localization, security assessment, standard contracts, deletion of non-compliant exports.

Because it was routed through FISR, the toolbox is about *unwinding control*. Hong walks through what a credible remedy package would look like:

- **Unwind the transaction and restore the pre-deal state.** Rescind the acquisition; refund payments; restore pre-deal equity, governance, and voting arrangements; cancel board seats, observer rights, vetoes, options, convertibles, and side letters that could constitute disguised control.
- **Strip de facto control.** Even if the equity layer is unwound, check whether the acquirer retains effective control through management agreements, technology-integration contracts, exclusive partnerships, cloud-infrastructure dependencies, code-repository permissions, model-repository permissions, sysadmin permissions, or product-roadmap authority. FISR is not about paper equity; it is about actual control.
- **Build a China-origin controlled-asset inventory.** The inventory should include core code, the Agent planner, tool-invocation frameworks, browser-operation modules, sandbox environments, model components, fine-tuning data, evaluation systems, technical documentation, product roadmaps, internal experiment records, Chinese-language task samples, early PoC data, and engineering know-how. Without such an inventory, "restoration" and "elimination of impact" cannot meaningfully be carried out or audited.
- **Disable, roll back, retrain, or clean-room rebuild contaminated models.** This is Hong's most novel point. In an AI-system context, it is not realistic to "precisely delete" specific data from a trained model's parameters. The credible remedy is to identify the model versions, agent components, workflow templates, evaluation systems, and product features that were influenced by China-origin controlled assets, and to disable, roll back, retrain, or clean-room rebuild them. The acquirer can keep developing its own AI Agent. It cannot use Manus's China-origin controlled assets as a shortcut.
- **Separate personnel from controlled technical assistance.** Hong distinguishes carefully between *restricting personnel mobility* — which he views as likely overreach — and *restricting controlled technical assistance*, which he views as appropriate. The remedy should not be that founders cannot join the acquirer; it should be that they cannot supply the acquirer with non-public code walkthroughs, architecture migrations, model-tuning training, evaluation-system reproduction, or product-integration assistance, and that personnel already at the acquirer cannot continue accessing Manus's China-origin controlled assets.
- **Independent technical audit and ongoing supervision.** Company self-certification is not enough. The remedy should require independent technical audits of equity arrangements, contracts, code repositories, model repositories, cloud resources, access logs, Git commit histories, documentation systems, personnel training records, and product integration — verifying that what looks unwound on paper has in fact been unwound in operations.

## Why this matters for overseas counsel

For practitioners advising on cross-border technology investment into or out of China, the Manus decision carries several immediate practical implications.

- **Registration location is not the end of the analysis.** A clean Singapore (or Cayman, or BVI) corporate structure does not, by itself, place a transaction outside the reach of Chinese foreign-investment security review. The regulator will look through to where the technology was formed, where the R&D happened, how the IP moved, and whether the offshore restructuring and the acquisition form a coordinated whole.
- **AI Agent and other "frontier capability" deals are now squarely within the FISR scope.** The regulator's choice of pathway tells you which objects it considers worth protecting. Frontier AI capability is now one of them.
- **Expect remedies to focus on control, not on code transfer.** If a deal is challenged, the remedies will be drafted to unwind control — including remedies such as model rollback and clean-room rebuild that have no precedent in the technology-export or data-export toolkits.
- **The "project" framing widens the universe.** When the regulator analyzes the object of a transaction as a project rather than as a registered entity, the universe of touchpoints expands. Contracts, personnel, repositories, cloud arrangements, and evaluation pipelines all become part of the object under review.

Hong's framing — *where this capability came from, where it is going, and who will ultimately control it* — is the question overseas advisors will need to answer before transactions, not after a regulator's one-sentence decision.

---

— Hong Yanqing, *Manus 案的监管范式选择：为什么是外商投资安全审查？* (The Choice of Regulatory Paradigm in the Manus Case: Why Foreign Investment Security Review?), 网安寻路人 WeChat Official Account, April 28, 2026. [Original article.](https://mp.weixin.qq.com/s/2Vs70BM2ILAE_qqKsdfAjw)

*Not legal advice.*