(Editor’s note: This article originally appeared on SaaS Mag )
Companies looking to expand in China and deploy cloud architecture often grapple with how to enter the market compliantly. There have been frequent headlines in the past year about Chinese regulators cracking down on China tech giants, as well as added scrutiny around what data can cross China’s borders. Global executives understandably want to decipher how the developing regulatory environment can impact practical business and IT decisions around their China strategy. Unfortunately, there is a fair amount of misunderstanding regarding licenses, privacy, data security, and business models, making it hard for executives to know what impact these issues will have on their China market entry decisions.
Executives need a reliable framework for decision-making to help them work through their company’s specific compliance, data security, and IT infrastructure needs. Such a roadmap needs to address numerous questions executives ask, including:
- Can we enter the market by ourselves, or do we need a local partner?
- Can we start by leveraging our global cloud or do we need to bring our entire infrastructure into China?
- What are our possible entry options and what are the related regulatory risks?
- How long will it take before we are operating in China? How long until we see our first revenue? Should we measure our KPIs in months or in years?
This article will help executives to begin to address these questions in their organizations. In the first section, we will provide some background on China’s current cloud regulatory environment, the rationale behind the regulations, and some perspective on where these regulations are heading. We’ll also discuss how licensing and data security requirements determine a company’s cloud infrastructure needs. Most importantly, we’ll touch on what most companies want to know: when can companies enter China in a staged manner by leveraging their global clouds and ideally avoiding landing a fully standalone cloud in China, which is too often perceived to be the only entry option for cloud companies in China.
Still Early Days for SaaS with Ample Opportunity
For many enterprise cloud companies, China is often one of the last major untapped global markets. Even though China is now the world’s second-largest economy, SaaS adoption is just starting to take off, driven by the country’s roughly 32 million SMEs, as well as the more than 50,000 large China companies with revenue in excess of US$150 million. Additionally, many SaaS solutions are also being pulled into the market by their existing global multinational customers with operations in China, which is often a great place to begin to generate initial revenues.
Increasingly regulated – but not necessarily towards foreign companies.
Prior to 2017, foreign (and even domestic) companies were allowed to deploy cloud services in China with little government oversight. It was reasonably easy for companies to get a basic ICP registration, set up a CDN, land their clouds or even just put some servers inside of the Great Firewall of China, while transferring data globally. This was especially true for enterprise solutions which are not often operating in areas that the China government considers “sensitive.”
In the last 5 years, however, China has increasingly directed the promotion of cloud services to spur growth and innovation in light of looming demographic headwinds. The government has been laying both the regulatory and physical groundwork necessary to mobilize the country’s resources (similar to when it transformed into a leading mobile-first economy). That said, the transition to the cloud has been challenging for China due to its large geography, the dominant position held by global technology infrastructure players and the general hesitancy of IT departments and of the government itself.
Starting in 2016, new regulations emerged that altered the course of the industry in China:
- 2016: China amended its regulations governing its “Value-Added Telecom” industry – which covers licensing requirements for cloud operations and information businesses – and which included restrictions on what licenses could be obtained by foreign companies
- 2017: Cybersecurity regulations covering data and privacy were introduced, with major implementation rules and drafts actively coming out in 2021
In recent years, China’s cloud regulations have been solidifying (rules in China go through a process of guiding principles, draft regulations, and finally implementation rules), with the framework becoming clearer. In our view, regulations have been following a consistent path that in many areas tracks closely with similar regulations in other countries and regions. In fact, many aspects of China’s new regulations will be familiar to companies that have already had to deal with similar issues in other countries, most notably the EU’s GDPR rules.
In our view, we see 4 overarching themes:
- China wants to build and leverage its cloud infrastructure as a key national security asset to underpin its future economic growth. The government wants Chinese companies to control the country’s cloud infrastructure and to also take some of the responsibility for what runs on top of it.
- Foreign companies in China need to comply with local rules and regulations if they want equal access and a level playing field.
- “Sensitive” data should be properly accounted for and maintained inside of China and not leave the country without the reasonable need (and follow the procedures).
- Personal data controls will continue to emerge to enhance individuals’ control and rights over their personal data (with required access by the state in whatever jurisdiction they reside.
While breaking regulatory rules in China can carry serious business (and potentially even personal) consequences – as they can in any market – one critical thing to understand is that these regulations are not intended to keep foreign companies out of the China market – especially for innovative SaaS companies. It seems to be understood in Beijing, albeit perhaps begrudgingly, that building a globally leading cloud industry needs a diversity of innovative solutions from all over the world. This helps to attract local companies to migrate to the cloud as well as to drive overall economic growth.
Of course, China would love to see its homegrown companies and products succeed both domestically and globally, but global companies’ solutions still have many advantages that the China market needs. In our experience, Western companies also tend to be more compliant than local Chinese companies, which is likely why major regulatory actions have been focused on local companies to this point. With the exception of Western companies that are looking to operate in politically sensitive areas and/or large global companies with dominant market shares, we believe most Western companies face a relatively low chance of regulatory interference in the near term so long as they are following the rules and making genuine efforts to be compliant.
Whereas some might look at increased regulation as a negative, the emerging clarity of the regulations should be viewed as encouraging news overall for cloud companies that have been looking for the right time to enter. Some companies have delayed entering the market until a clearer compliance path was presented – such a path has now emerged for many of these companies.
Why Most SaaS Companies Can Enter China by Starting with Their Global Cloud
A common misconception is that cloud companies are not allowed to do business in China from abroad (or if they do, they are putting the company at serious risk). This is often not accurate, especially with enterprise solutions. In reality, many enterprise cloud companies can find a path that allows them to start their China entry by using partners like ADG to deploy some light architecture in China to comply with data residency requirements or performance issues. From there they can rely on resellers and other channel partners to develop their business.
To determine if a company can start to sell into the market quickly and with a relatively low level of initial investment, SaaS executives need to focus on three regulatory areas that could have a major impact on their entry options:
- Whether they are likely to be considered as a BTS or VATS business.
- What data needs to cross China’s border and the sensitivity of the data.
- Whether there are any industry / product-specific certifications or licenses that have high barriers or may take significant time to obtain.
Let’s go deeper into these three areas.
BTS vs VATS
Companies need to investigate whether they are likely to be classified as a Value-Added Telecom Service (VATS) business or as a Basic Telecom Service (BTS) business. In China, a BTS business usually only needs standard business licenses – which can typically be obtained without much difficulty – and should be sufficient for most SaaS companies to operate and sell in China. On the other hand, VATS licenses (the most common of which is a Commercial ICP License) can usually only be obtained through a Chinese partner – whether as part of a joint venture, operating partner, licensing agreement or through a Variable Interest Entity (VIE) structure.
Unfortunately for many executives looking at China, there is a widely held misconception that if you are planning to sell a product commercially in China and you have any cloud infrastructure then you need to obtain a VATS license. This is not correct. The actual analysis can be complicated but generally speaking, if you are not fully entering and operating your business in China then there is a good chance the VATS topic will not be applicable to your approach (although a local partner may or may not need one).
Data security is a related but separate topic from telecom operations licensing in China and covers personal data, “sensitive” data and cross-border data flows.
How China regulators classify different types of data – and whether that data must remain inside China or can be transferred across its borders – has become increasingly clear in 2021. A recent analysis by Stanford University provides some great insights into the new data security rules. In our view, as mentioned above, the recent regulations indirectly acknowledge the importance and expectation that data needs to flow across China’s borders in both directions. This is a positive development from previous draft regulations that originally took a stricter approach to cross-border data flows.
From a business planning perspective, executives need to consider how – and more importantly, where – they will manage their data inflow, storage, and processing, in order to stay in compliance. In summary:
- Data that isn’t considered “sensitive” can flow across borders
- Personal data can also go across borders subject to complying with newly defined processes (the standard contract template was just released in July 2022).
- Most “sensitive” data cannot flow across borders. In some cases, companies can apply to have some “sensitive” data transferred but must prove a strong need and pass a security assessment (the process for which isn’t yet defined)
- There are additional considerations and actions that may be necessary for companies collecting large amounts of data
- There are often technical solutions to filter out “sensitive” data or anonymize the data to comply with the regulations
From a practical perspective, a company’s in-China IT investments will not only depend on the type of data being collected but also on the nature of its solutions. For example, a solution may be required to store data in China without allowing it to cross borders. For one company that could mean they simply set up a local database to store the data for use by a local customer. However, what if a company also needs to process the data? In this case, there may be additional requirements, such as bringing the processing aspects of the cloud (e.g., the AI or ML engine) into China – which may increase costs and potentially raise IP protection considerations.
Special Licenses and Certifications
In addition, to sell certain products and solutions in China a company may need special licenses. For this topic, we are not referring to regular licenses such as ICP registrations, import and sales licenses, or the many other “regular course” licenses that can be predictable and easy to obtain by following standard business processes. These special licenses are generally not related to the business – or even whether a company is foreign or domestic – but specifically to the industry. While these licenses won’t come as a surprise to industry insiders, some of these licenses may require a significant lead time to obtain, so companies should factor that into their go-to-market plans. Examples include: importing hardware that may need CCC or SRRC certification; AI-related software that may be classified as a medical device; and security software that needs to be certified before being sold to a certain subset of customers.
2022 and Beyond: More Involved Planning, but Clearer Entry Paths
While China’s tech ecosystem is constantly changing, 2021 will likely be remembered as an inflection point regarding regulations. While stepping up pressure on domestic firms, regulators have also offered more clarity as to where certain types of data fall on the regulatory spectrum. As global SaaS companies have been going to China for years, these clarifications should make it easier for executives to get comfortable with their legal, technical, and operational requirements.
There are still several areas that we expect will be further clarified in the next year, including better definitions of “sensitive” data, the procedures for security reviews (when needed), and more clarity around VATS categories and qualifications. Despite the politics and headline-grabbing news, we do not expect any major surprises to the general direction of the policies as they apply to SaaS companies looking to enter the China market.
Regardless, careful planning through a process that includes concurrently examining business classifications, licensing, data security, and cloud infrastructure is required. Executives that carry out such a process will be able to better understand the regulatory boundaries and lower the risk of triggering compliance issues that can unexpectedly add years and millions of dollars to their path to market.