From China

A guide for UK digital and tech businesses receiving investment from China, the risks you should be aware of and how to manage them.


Receiving investment from China presents significant opportunities for UK digital and tech businesses to grow and to improve their reach and expertise, but there are challenges to be aware of.

You may need specialist advice on the legal, commercial and ethical risks when engaging with Chinese entities. This site offers you a starting point to successfully accept investment from China, including the risks you need to be aware of, what you can do to manage them and where to get further advice.

Before accepting investment from China, you might find it helpful to ask yourself the following questions.


Do I want to use investment to grow my business, or to fund my expansion into China?


Have I discussed the possibility of securing investment from China with existing shareholders, investors and key stakeholders?


Am I fully aware of regulatory requirements for working with Chinese investors, such as the National Security and Investment Act 2021, anti-money laundering regulations and China’s rules on outbound investment?


Have I registered my intellectual property for the China market? This might include filing patents, registering trademarks or obtaining copyright protection.


Have I conducted due diligence on potential investors?

If you have further questions about receiving investment from China, DIT and China Britain Business Council are available to help.

Risk and strategic consulting firm Control Risks have provided the following questions to ask yourself when you are considering working with a Chinese partner.

Checking corporate filings is helpful, but superficial. Do not rely on global blacklist databases, as they rarely capture Chinese names accurately and can generate false positives.

Are they integral to my business and how much value do they add?

Ask a Chinese-speaking colleague or contact to spend some time on Baidu or Google researching the company. This will help to detect any issues of concern such as court cases, bribery allegations, or unexpected commercial or political ties.

Public records are limited in China. It is important to be aware that it is illegal to obtain full paper corporate filings held by the AMR business registration authorities (these contain financial data and other information beyond that in the publicly accessible online version), individual household registration records and a complete list of an individual’s corporate interests.

Control Risks is not the only organisation that provides this service. Control Risks are not endorsed or recommended by HMG. You should research whether this service provider will be suitable. HMG does not accept any liability arising to any person for any loss or damage suffered through using these service providers or this information.

Before receiving investment from China, you should be aware of the potential commercial risks to your business and how to mitigate them. This will help you protect your assets, data and IP – and ultimately improve your chances of long-term success in China.

Taking legal steps to protect your IP in China is important, but you should also consider your cybersecurity.

In September 2020 the then Foreign Secretary also warned of Chinese global cyber attacks. More information on this and previous announcements can be found here.

In July 2021 the UK joined like-minded partners to confirm Chinese state-backed actors were responsible for gaining access to computer networks via Microsoft Exchange servers.

The UK opposes and defends against the targeted theft of UK knowledge assets and expertise.

Asking yourself the following questions is a good way to start to address potential commercial risks:

China has recently shown considerable efforts in creating stronger intellectual property rights (IPR) protection systems. However, counterfeiting, trademark infringements and other IPR infringements remain major issues. For the most up-to-date information on IP rights, visit this page. This free, fast and easy-to-use online IP Health Check tool can also help you identify your IP assets and provide you with the next steps on how to protect them. IP rights are territorial. If you want your IP rights to be enforced in China, you need to ensure they’re registered there. For advice on registering and enforcing your rights within China, the Intellectual Property Office has a number of factsheets, and an IP attaché team in China which can offer advice on specific issues with registering and enforcing your IPR in China.

Have you put in place technical measures to limit access to that data, such as segregating sensitive networks from those accessible to the wider organisation and overseas parties? This also includes data related to the user base of your technology, for example personal data collected and generated by technologies in smart city infrastructures. You should also consider data sharing from an ethical perspective.

Following these principles will help to ensure any risks to your IP, data or knowledge assets are appropriately mitigated. The NCSC provides practical guidance and uses industry and academic expertise to nurture the UK’s cyber security capability. To protect your organisation in cyberspace, you can follow these ten steps. If you’re a business with 250 employees or fewer, there is advice on being cyber secure tailor-made to suit your business. There are plenty of other ways you can protect your business and improve your approach to cyber security. If you want to know more about protecting your research, you can find further information here.

China is developing the Corporate Social Credit System (CSCS) to improve company regulation. The system is administered by the Chinese government and involves three components: (i) rating companies against a range of metrics; (ii) collecting regular information and updating ratings accordingly; (iii) shaping company behaviour via incentives and sanctions. You should monitor the situation and ensure you are receiving legal advice when setting up in China. This document from the European Chamber provides more detail on the CSCS. See also this MERICS report for more information.

When partnering with Chinese companies, UK businesses should consider whether they are on the entity listings of other countries, for example the United States, especially if they are already doing business in those countries.

The Centre for the Protection of National Infrastructure (CPNI) and National Cyber Security Centre (NCSC) have produced guidance to help you start to identify and mitigate some of these risks.

Before receiving investment from China, there are a number of UK and Chinese laws you should be aware of. If you fail to adhere to these laws, even inadvertently, you could risk damage to your organisation’s assets and your ability to operate in China.

There are a number of potential pitfalls UK businesses need to avoid when entering the China market, investing in China, or trading with Chinese parties.

The UK, like China, reserves the right to scrutinise and intervene in foreign investment, irrespective of origin, where there are potential risks to national security. The government keeps all its powers under review and will not hesitate to take further action if it judges this necessary to protect national security.

The National Security and Investment Act 2021 came into force on 4 January 2022. Under these rules the government is able to scrutinise and intervene in certain acquisitions made by anyone, including businesses and investors, that could harm the UK’s national security.

Along with a non-sector specific voluntary notification option and the power to scrutinise qualifying acquisitions that have not been notified, the Act makes provision for a mandatory notification and pre-approval requirement for those sectors of the economy where it is considered national security issues are particularly likely to be an issue. The scope of this requirement, referred to as the ‘mandatory notification regime’, can be found here.

You should ensure you are compliant with the Modern Slavery Act and the UK Bribery Act (which applies to non-UK companies working in the UK and to UK companies working overseas). You should also ensure your company is GDPR compliant.

The 2017 Chinese Cyber Security Law governs cybersecurity and data in China. There are strong rules about collecting, using, saving and transferring (especially for cross-border transfer) ‘important data’ and personal data. Important and sensitive data collection, use or cross-border transfer needs prior government approval. The personal data rules are similar to GDPR, and are based on informed consent. In the event of violation, penalties include warnings, confiscation of illegal gains, fines, and suspension or stoppage of relevant websites and businesses. This guide from the CBBC can help you to stay compliant.

This law states that all organisations and citizens shall provide support and assistance to, and cooperate with, national intelligence work, and guard the secrecy of any national intelligence work they are aware of. There are differing interpretations of this law. An unofficial translation can be found here.

China’s regulatory framework for data falls under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The new laws represent the Chinese government’s continued efforts to protect data security and personal information, as handled by private entities, and regulate cross-border data transfer. China has, in a relatively short space of time, legislated for one of the most comprehensive sets of data laws in the world; the full implications of these new laws on foreign businesses are unclear. It is therefore essential that UK companies are aware of their obligations and the potential impact of the new laws on their operations in China.

The Data Security Law (DSL) came into effect on 1st September 2021 and represents the Chinese government’s further efforts to protect data security and regulate cross-border data transfers. The law includes new concepts such as “National Core Data”, provisions for handling data requests from foreign judicial or law enforcement organisations, and confidentiality obligations. An unofficial translation of the law can be found here.

China’s Ministry of Industry and Information Technology has drawn up a regulation clarifying how firms should handle sensitive industrial and telecoms data as part of the new regime. The draft measures were out for consultation in February, and include some changes from a previous draft published in September 2021. The most significant amendment is the removal of the outright ban on exporting “core data” out of China.

The Personal Information Protection Law (PIPL) came into effect on 1st November 2021 and provides a comprehensive framework for the handling of personal data in China. The law regulates the handling of personal information, and the handling of ‘sensitive personal information’ requires additional measures. The law also makes provision for the transfer of personal data overseas under certain circumstances. A guide to the new law can be found here.

You should also be aware that if you provide online services, the regulations on algorithmic recommendation systems are likely to have some impact on your operations in China. The regulations came into effect on 1 March 2021, and a translation can be found here. Their enforcement is a stated focus of the Cyberspace Administration of China in 2022. A detailed analysis of an earlier draft of the regulations can be found here.

The Regulations provide long-awaited details about how critical information infrastructure (CII) operators will be designated and what their responsibilities will be to protect the security of networks that they build and operate. This summary from Stanford University’s DigiChina project can help you stay compliant.

The new law came into effect on 1 January 2022. The law regulates how Chinese technology-related industrial policies operate and how state guidance funds for sciences and technology are run. The law also features more ‘buy domestic’ provisions, in line with the Chinese government’s efforts to increase technological self-reliance and encourage foreign firms to relocate production in China.

The provisions in the law do not in theory discriminate against Foreign Invested Enterprises in the government procurement process, including both Joint Ventures and Wholly-Owned Foreign Enterprises, as long as they produce or provide services within the customs territory of China.

The China-Britain Business Council has a helpful explainer here. An unofficial translation of the law can be found here.

For further advice, you can contact CBBC or the IP attaché team in China. Always seek expert legal advice before setting up in China.

When seeking or considering investment from China, you should consider the ethical implications of engaging with China on emerging technologies.

The UK Government is committed to upholding human rights and has serious concerns regarding the Chinese State’s use of technologies in ways that violate human rights and harm individuals and society. Where China is not meeting its obligations under international law and falls below the standards required and expected of responsible governments and nation states, the UK Government will continue to speak out publicly.

Our concerns include China’s use of facial recognition and predictive computer algorithms for mass surveillance, profiling and repression of ethnic minorities in Xinjiang and elsewhere; automated internet and media surveillance and censorship including in a number of new ‘smart cities’, to expand social control and limit individual freedoms.

While engagement offers many opportunities, there is a risk that your company’s technology could be used to violate human rights, posing a significant risk to your business’s reputation. Businesses engaging in joint research and development activities in the fields of surveillance, biometrics, or tracking technology are at a heightened risk.

In addition, you should be aware of China’s programme of Civil Military Fusion (highlighted below). As well as ensuring that you are abiding by the relevant legal obligations, you may want to consider the possible reputational consequences if your company’s technology contributes to China’s military development.

Asking yourself the following questions may be a good way to start addressing the potential ethical challenges of doing business with China.

You should consider this from an ethical and legal perspective. For more information, please refer to the UN’s Guiding Principles on Business and Human Rights here.

In their planning documents China says Military Civil Fusion requires ‘mutual open sharing of basic science and technology resources’ and ‘effective two-way transfer of technology’ – seeking accelerated development and transfer of technologies from civil to military sectors. Because of this, the end use of your technology may not be limited to civilian contexts. The UK government has serious concerns that advanced dual-use technology and knowledge, and research by UK firms and academic institutions, may be diverted to assist Chinese military programmes. Without proper due diligence, there could be legal and reputational implications for your business.

You should ensure you understand whether your products, services and expertise could be used to violate human rights or contribute to military capabilities. This includes considering alternative uses for the data collected or generated by your technology, particularly if it will be aggregated, for example in smart city infrastructures. Further research into Chinese partners or customers may also reveal concerning historical behaviours, show links to Chinese defence companies and universities, or reveal a declared MCF business strategy. If you or your company are found to be aiding human rights violations or advancing Chinese military capabilities, it could severely damage your reputation. There may also be legal implications if you have violated UK Export Controls or international sanctions. This also applies to research.

Organisations with links to severe human rights abuses, such as those taking place in Xinjiang, face reputational and legal risks.

Though analysis by Verisk Maplecroft suggests that standard due diligence practices are unlikely to be effective in preventing links to human rights violations, companies can take the following steps:

  1. Align approaches to business policies, strategy, systems, supplier codes of practice, KPIs and training programmes, helping to raise awareness of social and environmental issues;
  2. Map operations of suppliers and subsidiaries to identify where the most salient risks lie;
  3. Set up audit programmes for the highest risk areas identified in mapping exercises. You may wish to enlist the assistance of independent, third-party auditors to check your assessments;
  4. Collaborate with industry peers, suppliers, governments, NGOs and other local partners to share knowledge, good practice and on-the-ground projects.

A good resource to further understand the different types of human rights issues and how they impact your supply chain is the Human Rights & Business Dilemmas Forum produced by Verisk Maplecroft and the UN Global Compact.

Human rights organisations have also suggested the following best practice when conducting due diligence:

  1. Be transparent about whom you are doing business with, including publishing the names of local partners, suppliers and collaborators. This could include any government agencies, public security bureau-affiliated research laboratories, or military-economic entities.
  2. Publicly report on human rights due diligence to display that you have a strategy, that you have applied it, and that you have assessed the risks.

You may find it helpful to contact specialists who offer advice and knowledge on doing business in China.

Who can I talk to?

Department for International Trade (DIT)

The Department for International Trade (DIT) helps businesses export and grow into global markets, as well as helping overseas companies locate and grow in the UK.

DIT’s network of trade advisors across the UK can help create a tailored export growth action plan, advise you on which markets are best for your business and put you in touch with contacts who can help you expand internationally.

China-Britain Business Council (CBBC)

The China-Britain Business Council (CBBC) is the leading organisation helping UK companies grow and develop their business with China. CBBC provides advice, support and networking opportunities for companies at every stage of their China journey.

Visit CBBC’s website for detailed practical guidance for tech companies on the business environment, setting-up, finding partners, and business risks.

Intellectual Property Office

HMG’s Intellectual Property Office website hosts detailed, cross-sector information on GOV.UK about protecting and enforcing IP when working with China.

The Intellectual Property Office has a number of factsheets, and an IP attaché team in China which can offer advice on specific issues with registering and enforcing your IP rights in China.

British Chamber of Commerce in China

British Chamber of Commerce in China is a membership organisation for British businesses focused on boosting UK-China trade and investment. It has chapters in Beijing, Shanghai, Guangzhou and Southwest China, and provides a wide programme of events, publications and industry insights.

Secure Innovation

The Centre for Protection of National Infrastructure (CPNI) and the National Cyber Security Centre (NCSC) are the national technical authorities on physical, people and cyber security. They have created Secure Innovation to help founders and CEOs of emerging technology startups and their investors protect fledgling companies so that they can thrive.

Detailed guidance is available to empower startups and investors with the tools to foster a healthy security culture from the outset and continue to protect vital company assets as businesses scale and collaboration opens up overseas opportunities.

Informed Investment

The Centre for Protection of National Infrastructure (CPNI) and the National Cyber Security Centre (NCSC) are the national technical authorities on physical, people and cyber security. Together with the Department for Business, Energy and Industrial Strategy (BEIS), they have created Informed Investment to help businesses of any size to understand and reduce potential risks related to overseas investment.

Visit CPNI website

NCSC for Startups

NCSC for Startups is the successor to the NCSC Cyber Accelerator, a programme which helped more than 40 tech companies raise in excess of £100m in external investments. The aim is to bring together innovative startups with NCSC technical expertise to solve some of the UK’s most important cyber challenges.

NCSC for Startups offers something for startups at all stages of maturity; from those developing a Minimum Viable Product (MVP), to those with established solutions looking to expand into new markets. There are also opportunities for organisations to get involved with the programme to bring additional support and expertise through:

  • Shaping technical challenges to bring a focus to areas of interest
  • Working together and directly with startup companies to influence their products
  • Providing technical leadership and influence to encourage the growing cyber eco-system

Where can I go to get advice on travelling to China?

The FCDO also provides details and up-to-date information on doing business in China.

Visit the FCDO website for information on getting a visa, as well as up-to-date travel advice for China – including on coronavirus.

How can I develop working relationships if there is a language barrier?

GOV.UK has a list of translators and interpreters in China. You should research whether a service provider will be suitable.

The FCDO does not accept any liability arising to any person for any loss or damage suffered through using these service providers or this information.

This representative example is based on real cases where digital and tech companies have failed to negotiate the complexities of the Chinese market.

An emerging UK-registered robotics company (Company A) secured contracts to sell its unique robot-assisted manufacturing system to six international product development companies. Company A holds exclusive intellectual property rights (IPR) to the technology and is the first ever company to develop a system of this kind.

The company was approached by a Chinese venture capital firm (Investor A) that was suspected of having links to the Chinese state. The investment offer contained a 12% minority equity stake and the right to appoint an individual to sit on Company A’s Board of Directors.

Having accepted the offer, Company A later discovered that the individual appointed by Investor A gained unauthorised access to sensitive company data and knowledge assets. The information secured by the individual was shared with Investor A, whose senior officials later founded a new Chinese technology company (Company B) that developed an identical robot-assisted manufacturing system to the one created by Company A.

This had significant commercial ramifications for Company A. Company B began rapidly selling the product across the Chinese, UK and European markets at a heavily reduced rate, undercutting Company A’s ability to compete.

The growing competition led to a downturn in Company A’s profits and a loss of several valuable commercial opportunities in China, Europe and the UK.

Following internal investigations, Company A recorded that it had failed to take the necessary measures to protect its data and knowledge assets and failed to implement the robust technical measures needed to restrict access to its sensitive company data.

Company A has since sought guidance from relevant public authorities and taken a number of different measures to prevent such risks from recurring in the future, including:

  1. Signing a Non-Disclosure Agreement with the investor to protect the wider sharing of sensitive information.
  2. Ensuring effective cyber arrangements are implemented to audit access to sensitive information.