Bilibili 6K Management’s Discussion and Analysis of Financial Condition and Results of Operations | BILI 18 Nov 21

Exhibit 99.3

Supplemental Disclosure

Recent Regulatory Developments

Recently, the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council jointly issued the Opinions on Strictly Scrutinizing Illegal Securities Activities in Accordance with the Law, or the Opinions, which were made available to the public on July 6, 2021. The Opinions emphasized the need to strengthen the administration over illegal securities activities, and the need to strengthen the supervision over overseas listings by Chinese companies, and effective measures, such as promoting the construction of relevant regulatory systems, will be taken to deal with the risks and incidents of China-based overseas listed companies. As of the date of this offering memorandum, we have not received any inquiry, notice, warning, or sanctions from PRC governmental authorities in connection with the above contents of Opinions. Based on the foregoing and the currently effective PRC laws, our PRC legal counsel is of the view that, as of the date of this offering memorandum, the Opinions do not materially and adversely affect our disclosure, including PRC counsel’s opinions, taken as a whole, as stated in “Risk Factors — Risks Related to Doing Business in China — If the PRC government finds that the agreements that establish the structure for operating our businesses in China do not comply with PRC regulations on foreign investment in internet and other related businesses, or if these regulations or their interpretation change in the future, we could be subject to severe penalties or be forced to relinquish our interests in those operations” and “Risk Factors — Risks Related to Doing Business in China — Uncertainties in the interpretation and enforcement of PRC laws and regulations could limit the legal protections available to you and us.”

On June 10, 2021, for purpose of further regulating data processing activities, safeguarding data security, promoting data development and utilization, protecting the lawful rights and interests of individuals and organizations, and maintaining national sovereignty, security, and development interests, the Standing Committee of the PRC National People’s Congress published the Data Security Law of the People’s Republic of China (the “Data Security Law”), which took effect on September 1, 2021. The Data Security Law requires data processing, which includes the collection, storage, use, processing, transmission, provision and publication of data, to be conducted in a legitimate and proper manner. The Data Security Law provides for data security and privacy obligations on entities and individuals carrying out data processing activities. The Data Security Law also introduces a data classification and hierarchical protection system based on the importance of data in economic and social development, and the degree of harm it may cause to national security, public interests, or legitimate rights and interests of individuals or organizations if such data are tampered with, destroyed, leaked, illegally acquired or illegally used. The appropriate level of protection measures is required to be taken for each respective category of data. For example, a processor of important data is required to designate the personnel and the management body responsible for data security, carry out risk assessments of its data processing activities and file the risk assessment reports with the competent authorities. State core data, i.e., data having a bearing on national security, the lifelines of national economy, people’s key livelihood and major public interests, shall be subject to stricter management system. Moreover, the Data Security Law provides a national security review procedure for those data processing activities which affect or may affect national security and imposes export restrictions on certain data and information. In addition, the Data Security Law also provides that any organization or individual within the territory of the PRC shall not provide any foreign judicial body and law enforcement body with any data stored in the territory of the PRC without the approval of the competent PRC governmental authorities.

On August 20, 2021, the Standing Committee of the National People’s Congress of the PRC promulgated the Personal Information Protection Law, which integrates the scattered rules with respect to personal information rights and privacy protection and took effect on November 1, 2021. The Personal Information Protection Law raises the protection requirements for processing personal information, and many specific requirements of the Personal Information Protection Law remain to be clarified by the CAC, other regulatory authorities, and PRC courts in practice. We may be required to make further adjustments to our business practices to comply with the personal information protection laws and regulations including the Personal Information Protection Law.

On July 10, 2021, the CAC published the Measures for Cybersecurity Review (Revised Draft for Comments), which will replace the current Measures for Cybersecurity Review after it is adopted and becomes effective. Under the current Measures for Cybersecurity Review and other PRC cybersecurity laws and regulations, as well as the draft measures, critical information infrastructure operators that intend to purchase internet products and services that affect or may affect national security must be subject to a cybersecurity review by the CAC. In addition, the draft measures stipulate that any data processor carrying out data processing activities that affect or may affect national security should also be subject to a cybersecurity review. The draft measures further stipulate that if an operator has personal information of over one million users and intends to be listed in a foreign country, it must be subject to a cybersecurity review. As advised by our PRC legal counsel, the draft measures were released for public comment only, and its provisions and anticipated adoption or effective date may be subject to change and thus its interpretation and implementation remain substantially uncertain. The draft measures remain unclear on whether the relevant requirements will be applicable to further equity or debt offerings by companies that have completed the initial public offering in the United States. We cannot predict the impact of the draft measures at this stage, and we will closely monitor and assess the statutory developments in this regard. As of the date of this offering memorandum, we have not been involved in any investigations on cybersecurity review initiated by the CAC on such basis, and we have not received any inquiry, notice, warning, or sanctions in such respect.

On August 17, 2021, the State Council promulgated the Regulations on Security Protection of Critical Information Infrastructure, which became effective on September 1, 2021. Pursuant to the Regulations on Protection of Critical Information Infrastructure, critical information infrastructure refers to any important network facilities and information systems of an important industry and field such as public communication and information service, energy, transport, water conservation, finance, public services, e-government affairs and national defense related science and technology industry, and other industries and fields that may seriously endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage. In addition, relevant administration departments of each important industry and field are responsible for formulating eligibility criteria and determining the critical information infrastructure in the respective industry or field. The operators will be informed by the relevant regulatory authority about the final determination as to whether they are categorized as “critical information infrastructure operators,” or “CIIOs.” As of the date of this offering memorandum, no detailed rules or interpretation has been issued and we have not been informed as a “CIIO” by any governmental authorities. Furthermore, the exact scope of “critical information infrastructure operators,” under the current regulatory regime remains unclear, and, as advised by our PRC legal counsel, the PRC governmental authorities may have discretion in the interpretation and enforcement of these laws and regulations. Therefore, although as of the date of this offering memorandum, we have not yet received any notice or indication from the PRC government authorities that identifies us as a “CIIO,” it still remains uncertain whether we would be deemed as a CIIO under PRC law.

On August 27, 2021, the CAC published the Administrative Provisions on Internet Information Service Algorithm Recommendation (Draft for Comments), which implements classification and hierarchical management for algorithm recommendation service providers based on various criteria, and stipulates that algorithm recommendation service providers with public opinion attributes or social mobilization capabilities shall file with the CAC within ten business days from the date of providing such services. As of the date of this offering memorandum, the draft administrative provisions have not been formally adopted. On September 17, 2021, the CAC, the Ministry of Industry and Information Technology of the PRC, or the MIIT, and other governmental authorities issued Guidance on Strengthening the Comprehensive Governance of Internet Information Service Algorithms, which propose improving algorithm security governance mechanism and promoting algorithm filing.

On August 30, 2021, the National Press and Publication Administration, promulgated the Notice on Further Strict Management to Effectively Prevent Minors from Being Addicted to Online Games, which became effective on September 1, 2021. The notice requires that all online games enterprises including platforms providing online game services only provide online game services to minors for one hour from 8:00 p.m. to 9:00 p.m. each day on Fridays, Saturdays, Sundays and national holidays, and not provide online game services to minors in any form at any other time. All online games must be connected to the real-name verification system of the National Press and Publication Administration for online games to prevent addiction, all online game users must use real and valid identity information to register their game accounts and log in to online games, and online games enterprises must not provide online game services in any form (including visitor experience mode) to users who have not registered and logged in with their real names.

On September 30, 2021, the MIIT published the Data Security Management Measures in the Field of Industry and Information Technology (For Trial Implementation) (Draft for Comments), which requires the industrial and telecom data processors to further implement data classification and hierarchical management, take necessary measures to ensure that data remains effectively protected and being lawfully applied and conduct data security risk monitoring. As of the date of this offering memorandum, the draft measures have not been formally adopted.

On October 29, 2021, the CAC published the Safety Assessment Measures for Data Outbound Transfer (Draft for Comments), which require that the data processors who propose to provide important data and personal information which are subject to security assessment that are collected and generated in the operation within the territory of the PRC overseas be subject to security assessment. The draft measures further stipulate the process and requirements for the security assessment. As of the date of this offering memorandum, the draft measures have been released for public comment only and have not been formally adopted. The final provisions and the timeline for its adoption are subject to changes and uncertainties.

On November 14, 2021, the CAC published the Regulations of Internet Data Security Management (Draft for Comments), which further regulate the internet data processing activities and emphasize the supervision and management of network data security, and further stipulate the obligations of internet platform operators, such as to establish a system for disclosure of platform rules, privacy policies and algorithmic strategies related to data. Specifically, the draft regulations require data processors to, among others, (1) adopt immediate remediation measures when finding that network products and services they use or provide have security defects and vulnerabilities, or threaten national security or endanger public interest, and (2) follow a series of detailed requirements with respect to processing of personal information, management of important data and proposed overseas transfer of data. In addition, such draft regulations require data processors handling important data or the data processors to be listed overseas to complete an annual data security assessment and file a data security assessment report to applicable regulators. Such annual assessment, as required by the draft regulations, would encompass areas including but not limited to the status of important data processing, data security risks identified and the measures adopted, the effectiveness of data protection measures, the implementation of national data security laws and regulations, data security incidents that occurred and their handling, and a security assessment with respect to sharing and provision of important data overseas. As of the date of this offering memorandum, the draft regulations have been released for public comment only and have not been formally adopted. The final provisions and the timeline for its adoption are subject to changes and uncertainties.

The interpretation, application and enforcement of these newly enacted and drafted laws and regulations are subject to substantial uncertainties. See “Risk Factors—Risks Related to Our Business and Industry—Our business is subject to complex and evolving Chinese and international laws and regulations, including those regarding data privacy and cybersecurity. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, penalties, changes to our business practices, increased cost of operations, damages to our reputation and brand, or declines in user growth or engagement, or otherwise harm our business” and “The PRC government has taken steps to limit online game playing time for all minors and to otherwise control the content and operation of online games. Such restrictions on online games may materially and adversely impact our business and results of operations.”

Our business is subject to complex and evolving Chinese and international laws and regulations, including those regarding data privacy and cybersecurity. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, penalties, changes to our business practices, increased cost of operations, damages to our reputation and brand, or declines in user growth or engagement, or otherwise harm our business.

We collect personal data from our users in order to better understand our users and their needs for the purpose of our content feeds recommendation and to help our advertisement customers target specific demographic groups. Concerns about the collection, use, disclosure or security of personal information or other privacy-related matters, even if unfounded, could damage our reputation, cause us to lose users and other customers and adversely affect our results of operations.

Many jurisdictions, including China and the U.S., continue to consider the need for greater regulation or reform to the existing regulatory framework. In the U.S., all 50 states have now passed laws to regulate the actions that a business must take in the event of a data breach, such as prompt disclosure and notification to affected users and regulatory authorities. In addition to the data breach notification laws, some states have also enacted statutes and rules requiring businesses to reasonably protect certain types of personal information they hold or to otherwise comply with certain specified data security requirements for personal information. The U.S. federal and state governments will likely continue to consider the need for greater regulation aimed at restricting certain uses of personal data for targeted advertising. California enacted the California Consumer Privacy Act, or CCPA, which creates new individual privacy rights for consumers (as that word is broadly defined in the law) and places increased privacy and security obligations on entities handling personal data of consumers or households. The CCPA, which went into effect on January 1, 2020, requires covered companies to provide new disclosures to California consumers, and provides such consumers new ways to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent privacy legislation in the U.S., which could increase our potential liability and adversely affect our business.

In the European Union, or EU, the General Data Protection Regulation, or GDPR, which came into effect on May 25, 2018, could increase our burden of regulatory compliance. The GDPR implements more stringent operational requirements for processors and controllers of personal data, including, for example, requiring expanded disclosures about how personal information is to be used, limitations on retention of information, mandatory data breach notification requirements, and higher standards for data controllers to demonstrate that they have obtained either valid consent or have another legal basis in place to justify their data processing activities. The GDPR further provides that EU member states may make their own additional laws and regulations in relation to certain data processing activities, which could further limit our ability to use and share personal data and could require localized changes to our operating model. Under the GDPR, fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be assessed for noncompliance, which significantly increases our potential financial exposure for non-compliance. However, with limited precedence on the interpretation and application of GDPR and limited guidance from EU regulators, the application of GDPR to the provision of internet services remains unsettled.

In China, the PRC Cyber Security Law, which became effective in June 2017, leaves substantial uncertainty as to the circumstances and standard under which this law would apply and violations would be found. The Notice on Special Governance of Illegal Collection and Use of Personal Information via Apps issued in January 2019 restates the requirement of legal collection and usage of personal information, and encourages the app operators to conduct security certifications. On August 22, 2019, the CAC issued the Regulation on Cyber Protection of Children’s Personal Information, effective on October 1, 2019, pursuant to which network operators are required to establish special policies and user agreements to protect children’s personal information, and to appoint special personnel to be in charge of protecting children’s personal information. On November 28, 2019, the Measures to Identify Illegal Collection and Usage of Personal Information by Apps was promulgated, listing six types of illegal collection and usage of personal information, including “not publishing rules on the collection and usage of personal information” and “not providing privacy rules.” According to the Law of the PRC on the Protection of Minors (2020 Revision), which took effect on June 1, 2021, information processors must follow the principles of legality, legitimacy and necessity when processing personal information of minors via internet, and must obtain consent from minors’ parents or other guardians when processing personal information of minors under age of 14. Internet service providers must also promptly alert upon the discovery of publishing private information by minors via the internet and take necessary protective measures. For more information, see “Regulation—Regulations Related to Internet Information Security and Privacy Protection.”

To further regulate data processing activities and safeguard data security, on June 10, 2021, the Standing Committee of the PRC National People’s Congress published the Data Security Law, which took effect on September 1, 2021. On July 6, 2021, the relevant PRC governmental authorities made public the Opinions on Strictly Scrutinizing Illegal Securities Activities in Accordance with the Law, which, among other, require improving the laws and regulations relating to data security, cross-border data flow, and management of confidential information in the context of overseas issuance and listing of securities. On August 17, 2021, the state council promulgated the Regulations on Security Protection of Critical Information Infrastructure, which became effective on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress of the PRC promulgated the Personal Information Protection Law, which took effect on November 1, 2021, and on September 17, 2021, the CAC, the MIIT and other governmental authorities issued Guidance on Strengthening the Comprehensive Governance of Internet Information Service Algorithms. For more information about these laws and regulations, see “Regulation—Regulations Related to Internet Information Security and Privacy Protection.”

In addition, regulatory requirements on cybersecurity and data privacy are constantly evolving. On July 10, 2021, the CAC published the Measures for Cybersecurity Review (Revised Draft for Comments). On August 27, 2021, the CAC published the Administrative Provisions on Internet Information Service Algorithm Recommendation (Draft for Comments). On September 30, 2021, the MIIT published the Data Security Management Measures in the Field of Industry and Information Technology (Draft for Comments), and on October 29, 2021, the CAC published the Safety Assessment Measures for Data Outbound Transfer (Draft for Comments). On November 14, 2021, the CAC published the Regulations of Internet Data Security Management (Draft for Comments). For more information about the drafts, see “Regulations—Regulations Related to Internet Information Security and Privacy Protection.”

Furthermore, the above mentioned laws, regulations and policies can be subject to varying interpretations or significant changes, resulting in uncertainties about the scope of our responsibilities in that regard. For example, the scope of “core data” and “important data,” two important concepts in the Data Security Law, are yet to be clearly determined. It is uncertain whether and when the Measures for Cybersecurity Review (Revised Draft for Comments) and the Regulations of Internet Data Security Management (Draft for Comments) will be adopted, and if the adopted version will contain the same provisions as those draft measures. If the adopted version of the draft measures mandate clearance of cybersecurity review and other specific actions to be completed by CIIOs, data processors or other companies as proposed in the draft measures, we face uncertainties as to whether we should obtain such clearance as a listed company in the United States and whether such clearance can be timely obtained, or at all. We cannot predict the impact of the draft measures, if any, at this stage, and we will closely monitor and assess the statutory developments in this regard.

It is also uncertain whether we would be deemed as a “critical information infrastructure operator” pursuant to the Regulations on Security Protection of Critical Information Infrastructure, effective September 1, 2021. As advised by our PRC legal counsel, the PRC governmental authorities may have discretion in the interpretation of CIIO and in the enforcement of these laws and regulations. Should we be deemed as a CIIO, we would be required to fulfill certain obligations under the PRC cybersecurity and data privacy laws and regulations, including, among others, storing personal information and important data collected and produced within the PRC territory during our operations in China. If a final version of the Measures for Cybersecurity Review (Revised Draft for Comments) is adopted, we may be subject to review when conducting data processing activities, and may face challenges in addressing its requirements and make necessary changes to our internal policies and practices in data processing. As of the date of this offering memorandum, we have not been involved in any investigations on cybersecurity review made by the CAC on such basis, and we have not received any inquiry, notice, warning, or sanctions in such respect.

In early July 2021, regulatory authorities in China launched cybersecurity investigations with regard to several China-based companies that are listed in the United States. The relevant regulatory authorities in China continue to monitor the websites and apps in relation to the protection of personal data, privacy and information security, and may impose additional requirements from time to time. The relevant regulatory authorities also publicize, from time to time, their monitoring results and require relevant enterprises listed in such notices to rectify non-compliance. If any of our mobile apps is found not in compliance with these regulations, we could be subject to penalties, including revocation of our business licenses and permits.

While we strive to comply with applicable data protection laws and regulations, as well as our privacy policies pursuant to our user terms and other obligations we may have with respect to privacy and data protection, any failure or perceived failure to comply with these laws, regulations or policies may result in inquiries and other proceedings or actions against us by government agencies or others, as well as negative publicity and damage to our reputation and brand, each of which could cause us to lose users and customers and have an adverse effect on our business and results of operations. See “Regulation—Regulations Related to Internet Information Security and Privacy Protection.”

Any systems failure or compromise of our security that results in the unauthorized access to or release of our users’ or other customers’ data could significantly limit the adoption of our products and services, as well as harm our reputation and brand and, therefore, our business. We expect to expend significant resources to protect against security breaches. The risk that these types of events could seriously harm our business is likely to increase as we expand the number of services we offer and increase the size of our user base.

Our practices may become inconsistent with new laws or regulations concerning data protection, or the interpretation and application of existing consumer and data protection laws or regulations, which is often uncertain and in flux. If so, in addition to the possibility of fines, this could result in an order requiring that we change our practices, which could have an adverse effect on our business and operating results. Complying with new laws and regulations could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business. Failure or perceived failure to comply with applicable laws and regulations related to the collection, use, or sharing of personal information or other privacy-related and security matters could result in a loss of confidence in us by customers and users, which could adversely affect our business, financial condition and results of operations.

The approval of the CSRC or other PRC government authorities may be required in connection with our offshore offerings under PRC law, and, if required, we cannot predict whether or for how long we will be able to obtain such approval.

The Regulations on Mergers and Acquisitions of Domestic Enterprises by Foreign Investors, or the M&A Rules, adopted by six PRC regulatory agencies in 2006 and amended in 2009, requires an overseas special purpose vehicle formed for listing purposes through acquisitions of PRC domestic companies and controlled by PRC persons or entities to obtain the approval of the CSRC prior to the listing and trading of such special purpose vehicle’s securities on an overseas stock exchange. The interpretation and application of the regulations remain unclear, and our offshore offerings may ultimately require approval of the CSRC. If the CSRC approval is required, it is uncertain whether we can or how long it will take us to obtain the approval and, even if we obtain such CSRC approval, the approval could be rescinded. Any failure to obtain or delay in obtaining the CSRC approval for any of our offshore offerings, or a rescission of such approval if obtained by us, would subject us to sanctions imposed by the CSRC or other PRC regulatory authorities, which could include fines and penalties on our operations in China, restrictions or limitations on our ability to pay dividends outside of China, and other forms of sanctions that may materially and adversely affect our business, financial condition, and results of operations.

On July 6, 2021, the relevant PRC government authorities issued Opinions on Strictly Scrutinizing Illegal Securities Activities in Accordance with the Law. These opinions emphasized the need to strengthen the administration over illegal securities activities and the supervision on overseas listings by China-based companies and proposed to take effective measures, such as promoting the construction of relevant regulatory systems to deal with the risks and incidents faced by China-based overseas-listed companies. As these opinions are recently issued, official guidance and related implementation rules have not been issued yet and the interpretation of these opinions remains unclear at this stage. We cannot assure you that any new rules or regulations promulgated in the future will not impose additional requirements on us. If it is determined in the future that approval from the CSRC or other regulatory authorities or other procedures, including the cybersecurity review under the enacted version of the Measures for Cybersecurity Review (Revised Draft for Comments), are required for our offshore offerings, it is uncertain whether we can or how long it will take us to obtain such approval or complete such procedures and any such approval could be rescinded. Any failure to obtain or delay in obtaining such approval or completing such procedures for our offshore offerings, or a rescission of any such approval if obtained by us, would subject us to sanctions by the CSRC or other PRC regulatory authorities for failure to seek CSRC approval or other government authorization for our offshore offerings. These regulatory authorities may impose fines and penalties on our operations in China, limit our ability to pay dividends outside of China, limit our operating privileges in China, delay or restrict the repatriation of the proceeds from our offshore offerings into China or take other actions that could materially and adversely affect our business, financial condition, results of operations, and prospects, as well as the trading price of our shares. The CSRC or other PRC regulatory authorities also may take actions requiring us, or making it advisable for us, to halt our offshore offerings before settlement and delivery of the shares offered. Consequently, if investors engage in market trading or other activities in anticipation of and prior to settlement and delivery, they do so at the risk that settlement and delivery may not occur. In addition, if the CSRC or other regulatory authorities later promulgate new rules or explanations requiring that we obtain their approvals or accomplish the required filing or other regulatory procedures for our prior offshore offerings, we may be unable to obtain a waiver of such approval requirements, if and when procedures are established to obtain such a waiver. Any uncertainties or negative publicity regarding such approval requirement could materially and adversely affect our business, prospects, financial condition, reputation, and the trading price of the shares.

Bilibili (BILI) 6-KManagement’s Discussion and Analysis of Financial Condition and Results of Operations