On this page
Plenty of businesses treat Hong Kong and Mainland China as one market with one IT setup. Then they open the Shenzhen office, and nothing quite works: the VPN to the global file server crawls, Teams drops, the new starter can’t reach the company’s apps, and the “quick” cloud rollout stalls on a question nobody asked — where is the data allowed to live? The two are separate IT worlds sitting an hour apart, and the gap between them is where cross-border projects quietly fail.
This is a practical playbook for running IT across both — for the foreign-invested or regionally-headquartered business that operates in Hong Kong and the Mainland. It’s the cross-border view that most providers (who are Hong Kong-only) can’t give you. We keep the legal points to practical navigation, not legal advice — take qualified PRC/HK advice on the specifics, and we’ll operationalise it alongside them, to our own ISO/IEC 27001 and 20000 disciplines. For the deeper detail behind each section, we link to our China IT services, China & Hong Kong for foreign companies, and data-laws guide.
TL;DR
- Hong Kong and Mainland China are two separate IT worlds — different internet, cloud, data law, AI access and vendors. "One global setup, extended to China" is the design that breaks.
- Connectivity comes first: compliant cross-border links (leased line, MPLS or SD-WAN with a licensed China link), not consumer VPNs.
- Microsoft 365 needs a deliberate choice between your global tenant and 21Vianet — most multi-site firms run a designed split.
- Data moving Mainland → Hong Kong is still a regulated cross-border transfer under PIPL. Map your data first, then design the cloud and connectivity around it.
- Run Hong Kong, the Mainland and Singapore as one coordinated operating model with a partner on the ground in each — not three silos.
Two countries, two IT worlds
Before any decision, internalise that almost everything differs across the boundary:
| Hong Kong | Mainland China | |
|---|---|---|
| Internet | Open, global | Behind the Great Firewall — many global services blocked or throttled |
| Cloud | Global Microsoft 365 / Azure / AWS / Google | A separate sovereign cloud (e.g. Azure operated by 21Vianet); global tenants are slow/unreliable |
| Privacy/data law | PDPO (technology-neutral) | PIPL + Cybersecurity Law + Data Security Law; data-localisation and cross-border-transfer rules |
| AI tools | ChatGPT/Gemini reachable; Claude not first-party | Western tools blocked; domestic models (Qwen, DeepSeek, etc.) |
| Everyday tools | Microsoft 365, Google, the global stack | WeChat Work, DingTalk, local equivalents alongside (a degraded) M365 |
| Language/vendors | English-capable, global vendors | Mandarin-first; local entities, RMB invoicing, local carriers |
“One global setup, extended to China” is the design that breaks. The right model treats the Mainland as its own environment that bridges cleanly to the rest of your estate.
1. How do you get reliable connectivity across the Great Firewall?
With compliant cross-border connectivity — a leased line / MPLS or an SD-WAN with a licensed China link — so your Mainland offices reach the systems they need with stable latency. A consumer VPN is not a corporate answer: it’s legally grey, operationally fragile, and may stop working overnight. Treat connectivity as the first design decision, not a workaround.
The single biggest cross-border issue is simply reaching things. Inside the Mainland, access to global services is filtered, slow and unpredictable. Get connectivity wrong and every other system feels broken; get it right and the rest of the playbook becomes possible. (For how the filtering actually works, see the Great Firewall explained, and top things to know about VPNs in China.)
2. Should China users run your global Microsoft 365 tenant or 21Vianet?
There’s no perfect answer, only a deliberate one. A global tenant keeps one identity but performs unreliably from the Mainland and raises data-residency questions; Microsoft 365 operated by 21Vianet — a physically separate, China-sovereign instance — keeps data in-country and performs well locally, but has to be bridged to your global estate. Most multi-site firms land on a designed split.
The three patterns:
- Global tenant, accessed from China — simplest to administer and keeps one identity, but performance from the Mainland is variable and it raises data-residency questions.
- 21Vianet tenant — keeps data in-country and performs well locally, but it’s a separate tenant with its own licensing and feature set, so identity, email and collaboration have to be bridged to your global estate without creating accidental cross-border data flows.
- A deliberate split / hybrid — most multi-site firms land here, with a clear rule for which data and users live where.
The mistake is drifting into one by default. We walk through the trade-off in Microsoft 365 in China: global vs 21Vianet, and design and run it as part of cloud services and China IT.
3. What data can legally cross the Hong Kong–China border?
Moving personal data out of Mainland China — including to Hong Kong — is a regulated cross-border transfer under PIPL, with thresholds that decide whether you’re exempt, need a standard-contract filing, or need a full security assessment. Some data must stay in the Mainland. Map your data first; design the cloud and connectivity around it. (The mechanisms, thresholds and exemptions are set out in our cross-border data transfer guide.)
This is the section that turns an IT project into a compliance question — so treat it as navigation, and take legal advice on your specifics. The practical shape:
- Mainland China regulates personal and “important” data heavily. Moving personal data out of the Mainland (to your HQ, your global tenant, Hong Kong, or a vendor) is a regulated cross-border transfer, with thresholds that decide whether you’re exempt, need a standard-contract filing, or need a full security assessment. Some data may need to stay in the Mainland.
- Hong Kong is a separate regime under the PDPO — and crucially, moving data Mainland ⇄ Hong Kong is still a cross-border transfer under PIPL, not an internal move.
- The decision that flows from this: map your data first — what personal/regulated data you hold, where it’s created, and where it needs to go — then design the cloud and connectivity around it, not the other way round.
Our Hong Kong & China data-laws guide has a self-check to size your exposure, and we turn the result into working, audited systems alongside your legal advisers — we don’t claim to be them.
4. AI across the border: a split you have to design around
AI makes the two-worlds problem sharper. The Western frontier tools your Hong Kong team uses (ChatGPT, Claude, Copilot) are blocked or unreliable in the Mainland, while the Mainland has its own capable models (Qwen, DeepSeek and others) — and feeding business data to any of them runs straight into the data rules above. The workable pattern mirrors the cloud one: a governed Western route for Hong Kong and cross-border-permissible work (often via a cloud platform pinned to Singapore), and a compliant domestic option for Mainland data — chosen use-case-first, never tool-first. We cover the decision framework in practical AI advisory and the system-by-system detail in AI tools compared for Hong Kong & China.
5. Security across two regimes
Security has to satisfy two rule-sets at once: Hong Kong’s expectations under the PDPO, and the Mainland’s network-security and graded-protection regime. In practice that means consistent identity and endpoint protection across both estates, but with local nuance — what’s logged, where it’s stored, and which controls are mandated differ by side of the border. Designing one coherent security posture that respects both, rather than two disconnected ones, is the goal. This is core cybersecurity work, run to our ISO/IEC 27001 practices.
6. People, procurement and delivery on the ground
The last gap is physical. Remote-only support across the border doesn’t cut it when an engineer needs to be in the Shenzhen office, hardware needs RMB invoicing and local fulfilment, and a regional rollout has to be coordinated across time zones, languages and customs. This is where “we support Asia from one city” quietly fails. The cross-border answer is genuine local presence — on-site engineers actually in the Mainland, local procurement, and project delivery that speaks the local programme — coordinated as one engagement, not three.
The operating model: one coordinated partner, not three silos
The thread through all six sections is the same: the cost of cross-border IT isn’t any single decision — it’s the coordination between them. The businesses that get it right run Hong Kong, the Mainland and (often) Singapore as one coordinated operating model with deliberate bridges, not three providers who don’t talk to each other. That’s the Hong Kong–China–Singapore triangle, and it’s exactly where a single accountable, on-the-ground, vendor-neutral partner earns its place — because the gaps between the regions are precisely what no single-territory provider can see.
How PTS helps
PTS runs IT across Hong Kong, Mainland China and Singapore from owned offices and engineers in each — British-owned and on the ground since 2001, vendor-neutral, and certified to ISO/IEC 27001 and 20000. We design the connectivity, the cloud split, the data flows, the AI approach and the security to work across the border, and then we run them as one coordinated managed service — operationalising the rules alongside your legal advisers, so you get a setup that actually works in both places.
If you operate in Hong Kong and the Mainland — or you’re about to — talk to PTS and we’ll map the cross-border picture with you.
Related reading: China IT services · China & Hong Kong for foreign companies · Hong Kong & China data laws · Microsoft 365 in China · Practical AI advisory
Tags:
Relevant service
Managed IT Services in China
On-the-ground IT in Mainland China — Shanghai entity, Mandarin engineers, compliant cross-border setup.