NaaS Technology (NAAS) Risk Analysis

Historically, our PRC subsidiary, Kuaidian Power Beijing, operated Kuaidian. As part of the Restructuring, the ownership of Kuaidian as well as the rights to access and use certain data generated by or in the possession of Kuaidian have been transferred to a third-party service provider as of the date of this annual report. NaaS entered into a business cooperation agreement with the third-party service provider, pursuant to which NaaS will receive certain services from such operator in relation to the delivery of EV charging solutions. We and the third-party service provider face challenges with respect to the complex and evolving laws and regulations regarding cybersecurity and data privacy in China, including without limitation, the PRC Criminal Law, PRC Civil Code, PRC Cybersecurity Law, PRC Data Security Law, and PRC Personal Information Protection Law. These laws and regulations mandate the protection of the confidentiality, integrity, availability, and authenticity of the information of end-users. While we believe the third-party service provider has adopted information security policies and deployed measures to implement the policies, there could be compromise or breach of its information system due to increased level of expertise of hackers or otherwise. If the third-party service provider is unable to protect its systems, and hence the information stored in its systems, from unauthorized access, use, disclosure, disruption, modification, or destruction, such problems or security breaches could cause the termination or suspension of the business of the third-party service provider or otherwise result in material adverse impact on its operations and thereby its collaborative arrangement with us. This could in turn have material adverse impact on our business, prospects, financial condition and operating results. The PRC Criminal Law, as most recently amended on March 1, 2024, prohibits institutions, companies and their employees from selling or otherwise illegally disclosing a PRC citizen's personal information obtained during the course of performing duties or providing services, or obtaining such information through theft or other illegal ways. On November 7, 2016, the Standing Committee of the National People's Congress of the PRC issued the PRC Cyber Security Law, which became effective on June 1, 2017. Pursuant to the Cyber Security Law, network operators must not collect users' personal information without their consent and may only collect users' personal information necessary to the provision of services. Providers are also obligated to provide security maintenance for their products and services and to comply with provisions regarding the protection of personal information as stipulated under the applicable laws and regulations. On September 14, 2022, CAC issued a proposed revision of the Cyber Security Law, purporting to increase fines for serious violations of up to RMB 50 million or 5% of annual revenues from the prior year. The PRC Civil Code (issued by the National People's Congress of the PRC on May 28, 2020, and effective from January 1, 2021) provides the main legal basis for privacy and personal information infringement claims under Chinese civil law. PRC regulators have been increasingly focused on regulation in areas of data security and data protection. The PRC regulatory requirements regarding cybersecurity are constantly evolving. For instance, various regulatory bodies in China, including CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation, have enforced data privacy and protection laws and regulations with varying and evolving standards and interpretations. In addition, certain Internet platforms in China have reportedly been subject to heightened regulatory scrutiny in relation to cybersecurity matters. In April 2020 the Chinese government promulgated the Cybersecurity Review Measures, which came into effect on June 1, 2020. On December 28, 2021, the Chinese government promulgated the 2022 Cybersecurity Review Measures, which came into effect on February 15, 2022. According to the 2022 Cybersecurity Review Measures, (i) critical information infrastructure operators' purchase of network products and services and internet platform operators' data processing activities shall be subject to cybersecurity review in accordance with the 2022 Cybersecurity Review Measures if such activities affect or may affect national security; and (ii) internet platform operators holding personal information of more than one million users and seeking to have their securities listed on a stock exchange in a foreign country are required to file for cybersecurity review with the Cybersecurity Review Office. Under the Regulation on Protecting the Security of Critical Information Infrastructure promulgated by the State Council on July 30, 2021, effective September 1, 2021, "critical information infrastructure" is defined as important network facilities and information systems in important industries and fields, such as public telecommunication and information services, energy, transportation, water conservancy, finance, public services, e-government and national defense, science, technology and industry, as well as other important network facilities and information systems that, in case of destruction, loss of function or leak of data, may severely damage national security, the national economy and the people's livelihood and public interests. As of the date of this annual report, neither we nor the third-party service provider has been informed by any PRC governmental authority that we or it operates any "critical information infrastructure." The 2022 Cybersecurity Review Measures provides, among others, that: (i) internet platform operators who are engaged in data processing are also subject to the regulatory scope; (ii) CSRC is included as one of the regulatory authorities for purposes of jointly establishing the state cybersecurity review mechanism; (iii) internet platform operators holding personal information of more than one million users and seeking to have their securities list on a stock exchange in a foreign country shall file for cybersecurity review with the Cybersecurity Review Office; (iv) the risks of core data, important data or large amounts of personal information being stolen, leaked, destroyed, damaged, illegally used or illegally transmitted to overseas parties and the risks of critical information infrastructure, core data, important data or large amounts of personal information being influenced, controlled or used maliciously by foreign governments and any cybersecurity risk associated with a company's listing on a stock exchange shall be collectively taken into consideration during the cybersecurity review process; and (v) critical information infrastructure operators and internet platform operators covered by the 2022 Cybersecurity Review Measures shall take measures to prevent and mitigate cybersecurity risks in accordance with the requirements therein. On November 14, 2021, CAC released the draft Administrative Regulation on Network Data Security for public comments through December 13, 2021. Under the daft regulation, (i) data processors, i.e., individuals and organizations who can decide on the purpose and method of their data processing activities at their own discretion, that process personal information of more than one million individuals shall apply for cybersecurity review before listing in a foreign country; (ii) overseas data processors shall carry out annual data security evaluation and submit the evaluation report to the municipal cyberspace administration authority; and (iii) where the data processor undergoes merger, reorganization or subdivision that involves important data and personal information of more than one million individuals, the transaction shall be reported to the authority in-charge at the municipal level (by data processor or data recipient). As of the date of this annual report, neither we nor the third-party service provider has been directed by any PRC governmental authority to apply for cybersecurity review, or received any inquiry, notice, warning, sanction in such respect or been denied permission from any Chinese authority with respect to the listing on a stock exchange in any foreign country, the Mergers or the Transactions. However, as the PRC government has the authority and discretion to interpret and implement these laws and regulations and there remains uncertainty in the interpretation and enforcement of PRC cybersecurity laws and regulations, there is no assurance that we or the third-party service provider will not be deemed to be subject to PRC cybersecurity review requirements under the 2022 Cybersecurity Review Measures or the Draft Administrative Regulations on Network Data Security (if enacted) as a critical information infrastructure operator or an interact platform operator that is engaged in data processing activities that affect or may affect national security or holds personal information of more than one million users, nor can it be assured that we or the third-party service provider would be able to pass any cybersecurity review if required. In addition, we and the third-party service provider could become subject to enhanced cybersecurity review or investigations launched by PRC regulators in the future pursuant to any new laws, regulations or policies. Any failure or delay in the completion of the cybersecurity review or any other non-compliance with applicable laws and regulations may result in fines, suspension of business, prospects, website closure, revocation of business licenses or other penalties, as well as reputational damage or legal proceedings or actions against us or the third-party service provider, which may have a material adverse effect on our business, financial condition and results of operations. On June 10, 2021, the Standing Committee of the National People's Congress of the PRC, promulgated the PRC Data Security Law, which became effective in September 2021. The PRC Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data activities, and introduces a data classification and hierarchical protection system based on the importance of data in economic and social development and the degree of harm it will cause to national security, public interests or the rights and interests of individuals or organizations when such data is tampered with, destroyed, leaked or illegally acquired or used. The PRC Data Security Law also provides for a national security review procedure for data activities that may affect national security and imposes export restrictions on certain data and information. On August 20, 2021, the Standing Committee of the National People's Congress promulgated the Personal Information Protection Law, effective November 1, 2021. The Personal Information Protection Law clarifies the required procedures for personal information processing, the obligations of personal information processors, and individuals' personal information rights and interests. The Personal Information Protection Law provides that, among other things, (i) the processing of personal information is only permissible under certain circumstances, such as prior consent from the subject individual, fulfillment of contractual and legal obligations, furtherance of public interests or other circumstances prescribed by laws and regulations; (ii) the processing of personal information should be conducted in a disciplined manner with as little impact on individuals' rights and interests as possible, and (iii) excessive collection of personal information is prohibited. In particular, the Personal Information Protection Law provides that personal information processors should ensure the transparency and fairness of automated decision-making based on personal information, refrain from offering unreasonably differentiated transaction terms to different individuals and, when sending commercial promotions or information updates to individuals selected through automated decision-making, simultaneously offer such individuals an option not based on such individuals' specific characteristics or a more convenient way for such individuals to turn off such promotions. On July 7, 2022, CAC promulgated the Measures on Security Assessment of Cross-border Data Transfer which became effective on September 1, 2022. Such data export measures requires that any data processor which processes or exports personal information exceeding certain volume threshold under such measures shall apply for security assessment by CAC before transferring any personal information abroad, including the following circumstances: (i) important data will be provided overseas by any data processor; (ii) personal information will be provided overseas by any operator of critical information infrastructure or any data processor who processes the personal information of more than 1,000,000 individuals; (iii) personal information will be provided overseas by any data processor who has provided the personal information of more than 100,000 individuals in aggregate or has provided the sensitive personal information of more than 10,000 individuals in aggregate since January 1 of last year; and (iv) other circumstances where the security assessment is required as prescribed by CAC. The security assessment requirement also applies to any transfer of important data outside of China. The Ministry of Industry and Information Technology promulgated the Administrative Measures on Data Security in the Field of Industry and Information Technology (for Trial Implementation), effect on January 1, 2023. The Measures applies to the data processing activities in the field of industry and information technology carried out within the territory of China, and sets out a series of data security protection obligations for data processors in such field, such as establishing a full life-cycle data security management system, appointing data security management personnel, and conducting filings for the important data and core data processed by the data processors. Pursuant to the 2022 Cybersecurity Review Measures, we conducted a self-assessment with respect to the status of our compliance with the Cyber Security Law, the Data Security Law, the Personal Information Protection Law, and the implementing regulations and we implemented various measures to improve the overall compliance level. We are of the view that our existing practices are compliant with applicable requirements imposed under the foregoing laws, rules and regulations, including the regulations or policies that have been issued by CAC to date, in all material respects. However, regulatory requirements on cybersecurity and data privacy are evolving and can be subject to varying interpretations or significant changes. While NaaS transferred the ownership of Kuaidian as well as the rights to access and use certain data generated by or in the possession of Kuaidian to the third-party service provider and despite our efforts to comply with laws and regulations relating to privacy, data protection and information security, there is no guarantee that the current security measures, practices and operations of ours and of the third-party service provider are and will remain compliant with applicable laws. In the event of non-compliance or any compromise of security that results in unauthorized access, use or release of personally identifiable information or other data, or the perception or allegation that any of the foregoing types of failure or compromise has occurred, our reputation could be harmed and we may be subject to investigations and penalties by PRC governmental authorities, including fines, suspension of business, and revocation of required licenses, as well as private claims and litigations, any of which could materially and adversely affect our business, prospects, financial condition and operating results and could result in a material impact on the value of our securities.

The public EV charging service market and the energy solution market in China are relatively new and competition is still developing. For our EV charging services, we primarily compete with other EV charging service providers. Some charging station customers in China require solutions not yet available and the continual arrival of new players in this market heightens the need for us to develop and maintain our competitive edge. In addition, there are multiple competitors in China with limited funding or capabilities, which could cause poor end-user experiences, hampering overall EV adoption or trust in the EV charging service market as a whole. Because the public EV charging service market in China is relatively new, we and our charging station customers have been and are expected to continue exploring different business models and creating new product and service offerings. Our station customers are launching products and services that compete with our offerings and may continue to do so in the future. In addition, charging stations will seek to acquire and connect with end-users directly and reduce their reliance on third-party EV charging service providers like us. They may also be able to drive out EV charging service providers like us from certain geographical areas by dominating or monopolizing EV charging services in those areas. In late August 2023, three major charging station operators in China simultaneously terminated their collaboration with us in a coordinated effort. This resulted in the disconnection of a meaningful percentage of the total charging stations and charging ports on our network. There are also other means for charging EVs in China, which could affect the level of demand for public charging capabilities at charging stations. For example, certain EV OEMs have built and will continue to build their own supercharger network across China for their EVs, which could reduce overall demand for EV charging services at other sites or eliminate the need for services from third-party EV charging service providers altogether. Also, third-party contractors can provide basic electric charging capabilities to potential customers seeking to have on-premise EV charging capability as well as for home charging. In addition, many charger manufacturers and EV OEMs are offering home charging equipment, which could reduce demand for public charging infrastructure if EV owners find charging at home to be sufficient for their needs. We have seen a significant increase in our energy solutions revenues in 2023 as compared with 2022. The increase reflects the expansion of our business, as we added a new unit focused on the delivery of our energy solutions to our existing operations, and was primarily driven by the initial phase of the Anji Green and Low-carbon Supply Chain Construction Project in Anji County, Zhejiang Province, and our acquisition of a majority stake in Sinopower Holdings International Co. Limited in June 2023. We may not be able to maintain a similar rate of growth, which is a risk often shared by companies with limited operating histories participating in rapidly evolving industries with intense competition. Further, our current or potential competitors may be acquired by third-parties with greater available resources or greater ability to access the capital markets for additional funding. As a result, competitors may be able to respond more quickly and effectively than us to new or changing opportunities, technologies, standards or customer requirements and may have the ability to initiate or withstand substantial price competition. In addition, competitors may in the future establish cooperative relationships with vendors of complementary products, technologies or services to increase the availability of their solutions in the marketplace. This competition may also materialize in the form of costly intellectual property disputes or litigation. New competitors or alliances may emerge in the future that have greater market share, more widely adopted proprietary technologies, greater marketing expertise and greater financial resources, which could put us at a competitive disadvantage. Future competitors could also be better positioned to serve certain segments of our current or future target markets, which could create price pressure. In light of these factors, such current or potential customers may accept competitive solutions. If we fail to adapt to changing market conditions or to continue to compete successfully with current charging service providers or new competitors, our growth will be limited, which would adversely affect our business and results of operations.

As a publicly listed company, we are required to file periodic reports with the SEC upon the occurrence of matters that are material to ourselves and our shareholders. In some cases, we may need to disclose material agreements or results of financial operations that we would not be required to disclose if we were a private company. Our competitors may have access to this information, which would otherwise be confidential. This may give such competitors advantages in competing with us. Similarly, as a U.S.-listed public company, we will be governed by U.S. laws which our non-publicly traded competitors are not required to follow. To the extent compliance with U.S. laws increases our expenses or decreases our competitiveness against such companies, it could affect our results of operations.

Global pandemics, epidemics in China or elsewhere in the world, or fear of spread of contagious diseases, such as COVID-19, Ebola virus disease, Middle East respiratory syndrome, severe acute respiratory syndrome, H1N1 flu, H7N9 flu, and avian flu, as well as hurricanes, earthquakes, tsunamis, or other natural disasters could disrupt our business operations, reduce or restrict our supply of materials and services, incur significant costs to protect our employees and facilities, or result in regional or global economic distress, which may materially and adversely affect our business, financial condition, and results of operations. Actual or threatened war, terrorist activities, political unrest, civil strife, and other geopolitical uncertainty could have a similar adverse effect on our business, financial condition, and results of operations. Any one or more of these events may impede our production and delivery efforts and adversely affect our sales results, or even for a prolonged period of time, which could materially and adversely affect our business, financial condition, and results of operations. We are also vulnerable to natural disasters and other calamities. Although we have servers that are hosted in an offsite location, our backup system does not capture data on a real-time basis and we may be unable to recover certain data in the event of a server failure. We cannot assure you that any backup systems will be adequate to protect us from the effects of fire, floods, typhoons, earthquakes, power loss, telecommunications failures, break-ins, war, riots, terrorist attacks, or similar events. Any of the foregoing events may give rise to interruptions, damage to our property, delays in production, breakdowns, system failures, technology platform failures, or internet failures, which could cause the loss or corruption of data or malfunctions of software or hardware as well as adversely affect our business, financial condition, and results of operations.

We do not typically install charging stations at customer sites. These installations are typically performed by our partners or electrical contractors with an existing relationship with the customer and/or knowledge of the site. The installation of charging stations at a particular site is generally subject to oversight and regulation in accordance with PRC laws and regulations related to building codes, safety, environmental protection and related matters, and typically requires various local and other governmental approvals and permits. In addition, building codes, accessibility requirements or regulations may hinder EV charger installation because they end up costing the developer or installer more in order to meet the code requirements. Meaningful delays or cost overruns may impact our recognition of revenue in certain cases and/or impact customer relationships, either of which could impact our business and profitability. Furthermore, we may in the future undertake to construct charging stations or install chargers at customer sites or manage contractors. Working with contractors may require us to obtain licenses or require us or our charging station customers to comply with additional rules, working conditions and other union requirements, which can add costs and complexity to a construction or installation project. In addition, if we or the contractors are unable to provide timely, thorough and quality construction or installation-related services, station customers could fall behind their construction schedules leading to liability to us or cause station customers to become dissatisfied with the solutions our offers and our overall reputation would be harmed.

In connection with our hardware procurement solutions, we may in the future maintain an inventory of hardware, such as chargers, and to directly undertake the procurement and sales activities. As a result, we may be exposed to significant inventory risks that may adversely affect our results of operations of due to seasonality, new product launches, rapid changes in product cycles and pricing, defective merchandise, changes in charging station demand and preference and charging station spending patterns, spoilage, and other factors. Demand for charging station hardware products may change between the time inventory or components are ordered and the date of sale. The acquisition of certain types of inventory or components may require significant lead-time and prepayment and they may not be returnable. Any one of the inventory risk factors set forth above may adversely affect our business, financial condition, and results of operations.