Clearer Regulations in China are Informing Global SaaS Companies’ Expansion Plans

by | Jan 27, 2022 | Markets

SaaS companies looking towards a China expansion continue to grapple with how to enter the market. There have been frequent headlines in the past year about Chinese regulators cracking down on China tech giants, as well as added scrutiny around what data can cross China’s borders. Global executives understandably want to decipher how the developing regulatory environment can impact practical decisions around their China strategy. Unfortunately, there is a fair amount of misunderstanding regarding licenses, privacy, data security and business models, making it hard for executives to know what impact these issues will have on their China market entry decisions. 

Executives need a reliable framework for decision-making to help them work through their company’s specific compliance, data security and IT infrastructure needs. Such a roadmap needs to address numerous questions executives ask, including:  

– Can we enter the market by ourselves, or do we need a local partner? 
– Can we start by leveraging our global cloud or do we need to bring our entire infrastructure into China?  
– What are our possible entry options and what are the related regulatory risks? 
– How long will it take before we are operating in China?
– How long until we see our first revenue?
– Should we measure our KPIs in months or in years?  

This article will help executives to begin to address these questions in their organizations. In the first section, we will provide some background on China’s current cloud regulatory environment, the rationale behind the regulations, and some perspective on where these regulations are heading. We’ll also discuss how licensing and data security requirements determine a company’s cloud infrastructure needs. Most importantly, we’ll touch on what most SaaS companies want to know: when can companies enter China in a staged manner by leveraging their global clouds and ideally avoiding landing a standalone cloud in China, which is too often perceived to be the only entry option for SaaS in China? 

Still Early Days for SaaS with Ample Opportunity 

For many global B2B SaaS companies, China is often one of the last major untapped global markets. Even though China is now the world’s second-largest economy, SaaS adoption is just starting to take off, driven by the country’s roughly 32 million SMEs, as well as the more than 50,000 large China companies with revenue in excess of US$150 million. Additionally, many SaaS solutions are also being pulled into the market by their existing global multinational customers with operations in China, which is often a great place to begin to generate initial revenues. 

Increasingly Regulated – But Not Necessarily Towards Foreign Companies 

Prior to 2017, foreign (and even domestic) companies were allowed to deploy cloud services in China with little government oversight. It was reasonably easy for companies to get a basic ICP registration, set up a CDN, land their clouds or even just put some servers inside of the Great Firewall of China, while transferring data globally. This was especially true for enterprise solutions which are not often operating in areas that the China government considers “sensitive.”  

In the last 5 years, however, China has increasingly directed the promotion of cloud services to spur growth and innovation in light of looming demographic headwinds. The government has been laying both the regulatory and physical groundwork necessary to mobilize the country’s resources (similar to when it transformed into a leading mobile-first economy). That said, the transition to the cloud has been challenging for China due to its large geography, the dominant position held by global technology infrastructure players and the general hesitancy of IT departments and of the government itself. 

Starting in 2016, new regulations emerged that altered the course of the industry in China: 

– 2016: China amended its regulations governing its “Value-Added Telecom” industry – which covers licensing requirements for cloud operations and information businesses – and which included restrictions on what licenses could be obtained by foreign companies 

– 2017: Cybersecurity regulations covering data and privacy were introduced, with major implementation rules and drafts actively coming out in 2021 

In recent years, China’s cloud regulations have been solidifying (rules in China go through a process of guiding principles, draft regulations and finally implementation rules), with the framework becoming clearer. In our view, regulations have been following a consistent path that in many areas tracks closely with similar regulations in other countries and regions. In fact, many aspects of China’s new regulations will be familiar to companies that have already had to deal with similar issues in other countries, most notably the EU’s GDPR rules. 

In Our View, We See 4 Overarching Themes:

1. China wants to build and leverage its cloud infrastructure as a key national security asset to underpin its future economic growth. The government wants Chinese companies to control the country’s cloud infrastructure and to also take some of the responsibility for what runs on top of it  

2. Foreign companies in China need to comply with local rules and regulations if they want equal access and a level playing field 

3. “Sensitive” data should be properly accounted for and maintained inside of China and not leave the country without reasonable need 

4. Personal data controls will continue to emerge to enhance individuals’ control and rights over their personal data (with required access by the state in whatever jurisdiction they reside) 

While breaking regulatory rules in China can carry serious business (and potentially even personal) consequences – as they can in any market – one critical thing to understand is that these regulations are not intended to keep foreign companies out of the China market – especially for innovative SaaS companies. It seems to be understood in Beijing, albeit perhaps begrudgingly, that building a globally leading cloud industry needs a diversity of innovative solutions from all over the world. This helps to attract local companies to migrate to the cloud as well as to drive overall economic growth.  

Of course, China would love to see its homegrown companies and products succeed both domestically and globally, but global companies’ solutions still have many advantages that the China market needs. In our experience, Western companies also tend to be more compliant than local Chinese companies, which is likely why major regulatory actions have been focused on local companies to this point. With the exception of Western companies that are looking to operate in politically sensitive areas and/or large global companies with dominant market shares, we believe most Western companies face a relatively low chance of regulatory interference in the near term so long as they are following the rules and making genuine efforts to be compliant. 

Whereas some might look at increased regulation as a negative, the emerging clarity of the regulations should be viewed as encouraging news overall for cloud companies that have been looking for the right time to enter. Some companies have delayed entering the market until a clearer compliance path was presented – such a path has now emerged for many of these companies.  

Why Most SaaS Companies Can Enter China by Starting with Their Global Cloud  

A common misconception is that cloud companies are not allowed to do business in China from abroad (or if they do, they are putting the company at serious risk). This is often not accurate, especially in the world of B2B SaaS. In reality, most SaaS companies can find a path that allows them to start their China entry by leveraging their global cloud to serve customers in China. The key point to understand is that China’s rules and regulations include many aspects that require self-determination, and these define the boundaries of what is possible while also providing guidance on where adjustments can be made that can help to avoid issues. From a practical perspective, this relates to how a company’s IT infrastructure needs to be designed when selling to different types of Chinese customers, what legal structures and/or partnerships can be used, and when companies can start doing business in China with little or no physical operating presence. This can be done on their own if they build a local entity, or through cross-border sales contracts, resellers or partners. Collecting payments from customers in China through a SaaS platform can get a bit more complicated, but there are options that can provide compliant alternatives. Once a company sees sufficient traction in China, it can scale up operations and cloud infrastructure as needed. 

To determine if a company can start to sell into the market quickly and with a relatively low level of initial investment, SaaS executives need to focus on three regulatory areas that could have a major impact on their entry options:  

1. Whether they are likely to be considered as a BTS or VATS business 

2. What data needs to cross China’s border and the sensitivity of the data  

3. Whether there are any industry/product specific certifications or licenses that have high barriers or may take significant time to obtain 

Let’s go deeper into these three areas.  

BTS vs VATS 

Companies need to investigate whether they are likely to be classified as a Value-Added Telecom Service (VATS) business or as a Basic Telecom Service (BTS) business. In China, a BTS business usually only needs standard business licenses – which can typically be obtained without much difficulty – and should be sufficient for most SaaS companies to operate and sell in China. On the other hand, VATS licenses (the most common of which is a Commercial ICP License) can usually only be obtained through a Chinese partner – whether as part of a joint venture, operating partner, licensing agreement or through a Variable Interest Entity (VIE) structure. Going this route can increase the upfront investment and complexity while possibly lowering control of the China business. For many Western companies – unless they are extremely confident about China – they will often decommit from the China market when presented with the expensive and involved business case needed to enter as a VATS business.  

Unfortunately for many executives looking at China, there is a widely held misconception that SaaS solutions are required to obtain a VATS license. In fact, the regulations don’t specifically address which companies are considered VATS or BTS businesses, and for the most part companies self-designate as one or the other. That said, sometimes companies that declare themselves as BTS business are challenged by a cloud operator or regulator, or (most likely) flagged by a competitor, arguing that they should be a VATS business. If this occurs, it’s important that the company is prepared to present a clear case as to why they are a BTS business. Even so, there is precedence (and feedback from discussions with regulators) that SaaS solutions are not the focus of regulators regarding VATS licenses, and therefore face a low risk of needing a VATS license, even if flagged. 

Data Security 

Data security is a related but separate topic from telecom operations licensing in China and covers personal data, “sensitive” data and cross-border data flows.  

How China regulators classify different types of data – and whether that data must remain inside China or can be transferred across its borders – has become increasingly clear in 2021. A recent analysis by Stanford University provides some great insights into the new data security rules. In our view, as mentioned above, the recent regulations indirectly acknowledge the importance and expectation that data needs to flow across China’s borders in both directions. This is a positive development from previous draft regulations that originally took a stricter approach to cross-border data flows.  

From a business planning perspective, executives need to consider how – and more importantly, where – they will manage their data inflow, storage, and processing, in order to stay in compliance. In summary: 

– Data that isn’t considered “sensitive” can flow across borders 

– Personal data can also go across borders subject to complying with newly defined processes 

– Most “sensitive” data cannot flow across borders. In some cases, companies can apply to have some “sensitive” data transferred but must prove a strong need and pass a security assessment (the process for which isn’t yet defined) 

– There are additional considerations and actions that may be necessary for companies collecting large amounts of data  

– There are often technical solutions to filter out “sensitive” data or anonymize the data to comply with the regulations 

From a practical perspective, a company’s in-China IT investments will not only depend on the type of data being collected but also on the nature of its solutions. For example, a solution may be required to store data in China without allowing it to cross borders. For one company that could mean they simply set up a local database to store the data for use by a local customer. However, what if a company also needs to process the data? In this case there may be additional requirements, such as bringing the processing aspects of the cloud (e.g. the AI or ML engine) into China – which may increase costs and potentially raise IP protection considerations.  

Special Licenses and Certifications 

In addition, to sell certain products and solutions in China a company may need special licenses. For this topic, we are not referring to regular licenses such as ICP registrations, import and sales licenses, or the many other “regular course” licenses that can be predictable and easy to obtain by following standard business processes. These special licenses are generally not related to the business – or even whether a company is foreign or domestic – but specifically to the industry. While these licenses won’t come as a surprise to industry insiders, some of these licenses may require a significant lead team to obtain, so companies should factor that into their go-to-market plans. Examples include: importing hardware that may need CCC or SRRC certification; AI-related software that may be classified as a medical device; and security software that needs to be certified before being sold to a certain subset of customers.   

2022 and Beyond: More Involved Planning, But Clearer Entry Paths 

While China’s tech ecosystem is constantly changing, 2021 will likely be remembered as an inflection point regarding regulations. While stepping up pressure on domestic firms, regulators have also offered more clarity as to where certain types of data fall on the regulatory spectrum. As global SaaS companies have been going to China for years, these clarifications should make it easier for executives to get comfortable with their legal, technical, and operational requirements. 

There are still several areas that we expect will be further clarified in the next year, including better definitions of “sensitive” data, the procedures for security reviews (when needed) and more clarity around VATS categories and qualifications. Despite the politics and headline-grabbing news, we do not expect any major surprises to the general direction of the policies as they apply to SaaS companies looking to enter the China market. 

Regardless, careful planning through a process that includes concurrently examining business classifications, licensing, data security and cloud infrastructure is required. We’ve put together an in-depth checklist on this process to help executives looking at China. Executives that carry out such a process will be able to better understand the regulatory boundaries and lower the risk of triggering compliance issues that can unexpectedly add years and millions of dollars to their path to market. 


About the Authors

Chris DeAngelis is a Partner & GM at ADG, has lived in China since 2005 and is considered a leading expert on the China technology scene and its emerging trends. Prior to joining ADG, Chris was a VP at GE Capital where he underwrote over US$1 billion in transactions supporting U.S. and cross-border leveraged buyouts on behalf of global private equity funds. 

ADG’s Chad Catacchio worked in China for a decade, and has held management positions in B2B SaaS companies in the US.


Recent Posts

Explore Topics