VNET Group, Inc. Sponsored ADR (VNET) Risk Factors

We are subject to various privacy and data protection laws and regulations in China and other jurisdictions, including, without limitation, the PRC Cyber Security Law, or the Cyber Security Law. The regulatory framework for the collection, use, safeguarding, sharing, transfer and other processing of personal information and important data worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Regulatory authorities in China have implemented and may implement further legislative and regulatory proposals concerning cybersecurity, information security, privacy and data protection. New laws and regulations that govern new areas of data protection or impose more stringent requirements may be introduced in China. In addition, the interpretation and application of cybersecurity, information security, privacy and data protection laws in China are often uncertain and in flux. It is possible that existing or newly-introduced laws and regulations, or their interpretation, application or enforcement, could significantly affect our business practice and force us to change our business practices. For example, in November 2016, the SCNPC promulgated the Cyber Security Law, which requires network operators to perform certain functions related to cyber security protection and strengthen network information management through taking technical and other necessary measures as required by laws and regulations to safeguard the operation of networks, responding to network security effectively, preventing illegal and criminal activities, and maintaining the integrity and confidentiality and usability of network data. In addition, the Cyber Security Law imposes certain requirements on the CIIOs. For example, CIIOs generally shall, during their operations in the PRC, store the personal information and important data collected and produced within the territory of PRC, and shall perform certain security obligations as required under the Cyber Security Law. The Cyber Security Law is relatively new and subject to interpretation by the regulator. In light of rapid advances in its implementation, the implementation of the Cyber Security Law involves potential risks to our business because we may be deemed as the CIIO thereunder. Furthermore, on December 28, 2021, the CAC issued the Cybersecurity Review Measures, which replaced the Measures on Cybersecurity Review. The Cybersecurity Review Measures provides, among others, (i) the purchase of cyber products and services by the CIIOs and the network platform operators, which engage in data processing activities that affects or may affect national security shall be subject to the cybersecurity review by the Cybersecurity Review Office, the department which is responsible for the implementation of cybersecurity review under the CAC; and (ii) the network platform operators with personal information of over one million users that seek for listing on a foreign stock exchange are obliged to apply for a cybersecurity review by the Cybersecurity Review Office. The Cybersecurity Review Measures further elaborates the factors to be considered when assessing the national security risks of the relevant activities, including among others, the risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or exited the country. In addition, the Cybersecurity Review Measures provides that the relevant competent governmental authorities may initiate a cybersecurity review against the relevant CIIOs and network platform operators if the authorities believe that the network product or service or data processing activities of such operators affect or may affect national security. However, the Cybersecurity Review Measures does not provide any explanation or interpretation of "affect or may affect national security", and PRC authorities may have broad discretion in interpreting and enforcing these laws and regulations. As the revised Cybersecurity Review Measures are newly issued, we still face uncertainties that the measures may be interpreted or implemented in ways that will negatively affect us. Pursuant to the Regulations on Protection of Security of Critical Information Infrastructures promulgated by the State Council on August 17, 2021 and took effect on September 1, 2021, "critical information infrastructures" refer to critical network facilities and information systems involved in important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, governmental digital services, science and technology related to national defense industry, as well as those which may seriously endanger national security, national economy and citizen's livelihood or public interests if damaged or malfunctioned, or if any leakage of data in relation thereto occurs. Pursuant to these regulations, the relevant governmental authorities are responsible for promulgating rules for the identification of critical information infrastructures with reference to several factors set forth in the regulations, and further identify the CIIO in the related industries in accordance with such rules. The relevant authorities shall also notify operators identified as the CIIO. However, as these regulations were newly issued and the governmental authorities may further enact detailed rules or guidance with respect to the interpretation and implementation of such regulations, it remains unclear whether we will be identified as a CIIO. If we provide or are deemed to provide network products and services to CIIO, or we are deemed as a CIIO, we would be required to follow the relevant cybersecurity review procedures, and could be subject to cybersecurity review by the CAC and other relevant PRC regulatory authorities. During such review, we may be required to suspend providing the existing or any new services to our clients, and such review could also result in negative publicity to us and diversion of our managerial and financial resources. Furthermore, if we are identified as a CIIO, additional obligations will be imposed on us with respect to the protection of critical information infrastructure, including the obligations to set up a special security administration department and to conduct security review on the background of personnel in charge of such department or holding other key positions in such department. On November 14, 2021, the CAC published the Draft Data Security Regulations, for public comments, which provides that data processors conducting the following activities must apply for cybersecurity review: (i) merger, reorganization or division of Internet platform operators that have acquired a large number of data resources related to national security, economic development or public interests affects or may affect national security; (ii) listing abroad of data processors processing over one million users' personal information; (iii) listing in Hong Kong which affects or may affect national security; or (iv) other data processing activities that affect or may affect national security. The Draft Data Security Regulations requires that data processors processing important data or being listed outside China shall carry out data security assessment annually by itself or through a third-party data security service provider and submit assessment report to local agency of the CAC before January 31 each year. As advised by our PRC legal counsel, the draft measures were released for public comment only, and its provisions and anticipated adoption or effective date may be subject to change and thus its interpretation and implementation remain substantially uncertain. The draft measures also remain unclear on whether the relevant requirements will be applicable to companies that have been listed in the United States, such as us. We cannot predict the impact of the draft measures, if any, at this stage, and we will closely monitor and assess any development in the rule-making process. As of the date of this annual report, we have not received any notice from any authority identifying us as a CIIO or requiring us to undertake a cybersecurity review. There can be no assurance that we would be able to complete the applicable cybersecurity review procedures in a timely manner, or at all, if we are required to follow such procedures. Any failure or delay in the completion of the cybersecurity review procedures may prevent us from using or providing certain network products and services, and may result in government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, among other sanctions. Our reputation and results of operations could be materially and adversely affected, if we are to be deemed a CIIO using network products or services without having completed the required cybersecurity review procedures. In June 2021, the SCNPC promulgated the PRC Data Security Law, which took effect on September 1, 2021. The PRC Data Security Law introduces a data classification and hierarchical protection system based on the importance of data and provides a national security review procedure for those data activities, which may affect national security and imposes export restrictions on certain data and information. In addition, certain PRC regulatory authorities issued the Opinions on Strictly Cracking Down Illegal Securities Activities in Accordance with the Law on July 6, 2021 which further emphasized the need to strengthen the cross-board regulatory collaboration, to improve relevant laws and regulations on data security, cross-border data transmission, and confidential information management, and provided that efforts will be made to revise the regulations on strengthening the confidentiality and file management relating to the offering and listing of securities overseas, to implement the responsibility on information security of overseas listed companies, and to strengthen the standardized management of cross-border information provision mechanisms and procedures. Furthermore, on August 20, 2021, the SCNPC promulgated the PRC Personal Information Protection Law, which integrates the scattered rules with respect to personal information rights and privacy protection and took effect in November 2021. Currently, the interpretation, application and enforcement of these laws, rules and regulations are evolving continuously and compliance with such laws or regulations may require us to incur material capital expenditures or other obligations or liabilities. Compliance with the above PRC laws and regulations including the Cyber Security Law, the Regulations on Protection of Security of Critical Information Infrastructure, the Cybersecurity Review Measures and the Data Security Law, as well as additional laws and regulations that PRC regulatory bodies may enact in the future, including laws and regulations regarding the cybersecurity, information security, privacy and data protection, may result in additional expenses to us and subject us to negative publicity, which could harm our reputation and business operations. There are also uncertainties with respect to how such laws and regulations will be implemented and interpreted in practice. PRC regulators, including the Department of Public Security, the MIIT, the State Administration for Market Regulation of the PRC, or the SAMR and the CAC, have been increasingly focused on regulation in the areas of data security and data protection, and are enhancing the protection of privacy and data security by rule-making and enforcement actions at central and local levels. We expect that these areas will receive greater and continued attention and scrutiny from regulators and the public going forward, which could increase our compliance costs and subject us to heightened risks and challenges associated with data security and protection. If we are unable to manage these risks, we could become subject to penalties, including fines, suspension of business and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. We only collect basic user personal information that is necessary to provide the corresponding services. We do not collect any sensitive personal information or other excessive personal information that is not related to the corresponding services. We update our privacy policies from time to time to meet the latest regulatory requirements of CAC and other authorities and adopt technical measures to protect data and ensure cybersecurity in a systematic way. While we have taken various measures to comply with all applicable laws and regulations regarding cybersecurity, information security, privacy and data protection in China, we cannot assure you that the measures we have taken or will take are adequate under the Cyber Security Law, and we may be held liable in the event of any breach of the relevant requirements under the Cyber Security Law or other relevant laws and regulations. Any failure or perceived failure by us to prevent information security breaches or to comply with data security and privacy policies or related legal obligations, or any compromise of security that results in the unauthorized use, release or transfer of personally identifiable information or other data, could cause our customers to lose trust in us and could expose us to legal claims or penalties. Any perception by the public that privacy of user information or data security are becoming increasingly unsafe or vulnerable to attacks could inhibit the growth of our products and services generally. We expect that these areas will be subject to greater public scrutiny and attention from regulators and more frequent and rigid investigation or review by regulators, which will increase our compliance costs and subject us to heightened risks and challenges. We may also be held liable in the event of any breach of general clauses on our compliance with such statutory requirements as well as some other specific requirements related to data protection under the relevant customer contracts. We may have to spend much more personnel cost and time evaluating and managing these risks and challenges in connection with our products and services in the ordinary course of our business operations, and cooperated and will keep cooperating in the future with the competent regulators in these respects. If further changes in our business practices are required under China's evolving regulatory framework for the protection of information in cyberspace, our business, financial condition and results of operations may be adversely affected. These proceedings or actions could subject us to significant penalties and negative publicity, require us to change our business practices, increase our costs and severely disrupt our business, hinder our global expansion or negatively affect the trading prices of our ADSs, shares and/or other securities. If we are unable to manage these risks, we could become subject to penalties, including fines, suspension of business and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected.

Our success depends in part upon our relationships with third-party suppliers, primarily China Telecom and China Unicom, for key elements of network infrastructure and telecommunication network services, including hosting facilities and bandwidth, and to some extent, optical fibers. We directly enter into agreements with the local subsidiaries of China Telecom and China Unicom, from whom we lease cabinets in the data centers built and operated by them, with power systems, cabling and wiring and other data center equipment pre-installed. Because each local subsidiary of China Telecom and China Unicom has independent authority and budget to enter into contracts, our contract terms with these subsidiaries vary and are determined on a case-by-case basis. We generally define "partnered" data centers as the data center space and cabinets we lease from China Telecom, China Unicom and other third parties through agreements. Based on the specific requests of our customers, demands in different cities and our strategy for points of presence, or POP, establishment, the locations and number of our partnered data centers may change from time to time. As of December 31, 2021, we leased a total of 4,397 cabinets that are housed in our 64 partnered data centers, accounting for approximately 6% of the total number of our cabinets under management. We also rely on our internet bandwidth suppliers, consisting primarily of China Telecom, China Unicom and China Mobile, for a significant portion of our bandwidth needs and lease optical fibers from them to connect our data centers with each other and with the telecommunications backbones and other internet service providers. Our agreements with local subsidiaries of major telecommunication carries usually have a term of one to three years and an automatic renewal option. We can offer no assurances that these service providers will continue to provide services to us on a cost-effective basis or on otherwise competitive terms, if at all, or that these providers will provide us with additional capacity to adequately meet customer demand or to expand our business. Any of these factors could limit our growth prospects and materially and adversely affect our business. China Telecom and China Unicom also provide data center and bandwidth services and directly compete with us while we exercise little control over them. See "- We may not be able to compete effectively against our current and future competitors." We believe that we have good business relationships with China Telecom and China Unicom, and we have access to adequate hosting facilities and bandwidth to provide our services. However, there can be no assurance that we can always secure hosting facilities and bandwidth from China Telecom and China Unicom on commercially acceptable terms, or at all. In addition, we currently purchase routers, switches and other equipment from a limited number of suppliers. We do not carry significant inventories of the products we purchase, and we have no guaranteed supply arrangements with our suppliers. The loss of any significant vendor could delay the build-out of our infrastructure and increase our costs. If our suppliers fail to provide products or services that comply with evolving internet standards or that interoperate with other products or services we use in our network infrastructure, we may be unable to meet all or a portion of our customer service commitments, which could materially and adversely affect our business and results of operations. Furthermore, we have experienced and expect to continue to experience interruptions or delays in network services. Any failure on our part or the part of our third-party suppliers to achieve or maintain high data transmission capacity, reliability or performance could significantly reduce customer demand for our services and damage our business and reputation. As our customer base grows and their usage of telecommunications resources increases, we may be required to make additional investments in our capacity to maintain adequate data transmission speed. The availability of such capacity may be limited or the cost may be unacceptable to us. If adequate capacity is not available to us as our customers' usage increases, our network may be unable to achieve or maintain sufficiently high data transmission capacity, reliability or performance. In addition, our operating margins may suffer if our bandwidth suppliers increase the prices for their services and we are unable to pass along the increased costs to our customers.

We compete with various industry players, including telecommunication carriers such as China Telecom and China Unicom, carrier-neutral service providers in China such as SINNET and GDS, cloud services providers such as AWS and Alibaba Cloud, virtual private network, or VPN, service providers such as Citic Telecom CPC, China Telecom, PCCW, and CBC, as well as new market entrants in the future. Competition is primarily centered on the quality of service and technical expertise, security, reliability and functionality, reputation and brand recognition, financial strength, the breadth and depth of services offered, geographic coverage and price. Some of our current and future competitors may have substantially greater financial, technical and marketing resources, greater brand recognition, and more established relationships with current or potential customers than we do, which would allow them to: - adapt to new or emerging technologies and changes in customer requirements more quickly;- bundle certain services and provide to customers at reduced prices;- take advantage of acquisition and other opportunities more readily;- adopt more aggressive pricing policies and devote greater resources to the promotion, marketing, and sales of their services; and - devote greater resources to the research and development of their products and services. If we are unable to compete effectively and successfully against our current and future competitors, our business prospects, financial condition and results of operations could be materially and adversely affected.

To be successful, we must improve the performance, features and reliability of our services and adapt our business strategies to the rapidly changing market, which may cause us to incur substantial costs. We may not be able to adapt on a timely basis to changing technologies, if at all. Our ability to sustain and grow our business would suffer if we fail to respond to these changes in a timely and cost-effective manner. New technologies or industry standards have the potential to replace or provide lower cost alternatives to our data center services. The adoption of such new technologies or industry standards could render some or all of our services obsolete or unmarketable. We cannot guarantee that we will be able to identify the emergence of all of these new service alternatives successfully, modify our services accordingly, or develop and bring new products and services to market in a timely and cost-effective manner to address these changes. If and when we do identify the emergence of new service alternatives and introduce new products and services, those new products and services may need to be made available at lower price points than our then-current services. Failure to provide services to compete with new technologies or the obsolescence of our services could lead us to lose current and potential customers or could cause us to incur substantial costs, which would harm our results of operations and financial condition. Our introduction of new alternative products and services that have lower price points than current offerings may result in our existing customers switching to the lower cost products, which could reduce our revenues and have a material adverse effect of our results of operations.

A party who is able to compromise the security measures of our data centers and networks or the security of our infrastructure could misappropriate either our proprietary information or the information of our customers, or cause interruptions or malfunctions in our operations. In addition, we have limited control over our partnered data centers, which are primarily operated by China Telecom or China Unicom. We may be required to devote significant capital and resources to protect against such threats or to alleviate problems caused by security breaches. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to implement security measures in a timely manner or, if and when implemented, we may not be certain whether these measures could be circumvented. Any breaches that may occur could expose us to increased risk of lawsuits, material monetary damages, potential violations of applicable privacy and other laws, penalties and fines, loss of existing or potential customers, harm to our reputation and increases in our security and insurance costs, which could have a material adverse effect on our business, financial condition and results of operations. For a detailed discussion, see "Item 4. Information on the Company-B. Business Overview-Regulations - Regulations on Internet Security." In addition, the local authorities in the PRC may conduct various reviews and inspections on our business operations from time to time, which could cover a broad range of aspects, including network and information security, and compliance with applicable laws, rules and regulations. If any non-compliance incidents in our business operation are identified, we may be required to take certain rectification measures in accordance with applicable laws and regulations, or we may be subject to other regulatory actions such as administrative penalties. For example, in November 2020, the MIIT conducted an inspection on us and identified certain security issues in our cloud systems. We were ordered to rectify such issues before December 11, 2021. As of the date of this annual report, we have completed the rectification work. However, given the continuously changing regulatory environment of China, we cannot assure you that we will be able to fully rectify all non-compliance incidents in a timely manner or fully satisfy the regulatory requirements, or we will not be subject to any future regulatory reviews and inspections where other non-compliance incidents might be identified, which might materially and adversely affect our business, financial condition, results of operations and prospects. In addition, any assertions of alleged security breaches or systems failure made against us, whether true or not, could harm our reputation, cause us to incur substantial legal fees, divert management's attention and have a material adverse effect on our business, reputation, financial condition and results of operations.

Our data centers, power supplies and network are vulnerable to disruptions and failure of infrastructure. Problems with the cooling equipment, generators, backup batteries, routers, switches, or other equipment, whether or not within our control, could result in service interruptions or data losses for our customers as well as equipment damage. Our customers locate their computing and networking equipment in our data centers, and any significant or prolonged failure in our infrastructure or services could significantly disrupt the normal business operations of our customers and harm our reputation and reduce our revenue. While we offer data backup services and disaster recovery services, which could mitigate the adverse effects of such a failure, most of our customers do not subscribe for these services. Accordingly, any failure or downtime in any of our data centers could affect many of our customers. The total destruction or severe impairment of any of our data centers could result in significant downtime of our services and loss of customer data. Since our ability to attract and retain customers depends on our ability to provide highly reliable services, even minor interruptions of our services could harm our reputation. While we have not experienced any material interruptions in the past, service interruptions continue to be a significant risk for us and could materially impact our business. Any service interruptions could: - require us to waive fees or provide free services;- cause our customers to seek damages for losses incurred;- require us to replace existing equipment or add redundant facilities;- cause existing customers to cancel or elect to not renew their contracts;- adversely affect our brand and reputation as a reliable provider of data center service; or - make it more difficult for us to attract new customers or cause us to lose market share. Any of these events could materially increase our expenses or reduce our revenue, which would have material adverse effect on our business, financial condition and results of operations.