The Protection of Critical Infrastructure (Computer Systems) Ordinance was passed by the Legislative Council on March 19, 2025. The government anticipates that the ordinance will come into effect on January 1, 2026.
Objectives
This bill requires institutions designated as "Critical Infrastructure Operators" to adopt appropriate measures to safeguard their computer systems, thereby reducing the risk of cyberattacks that could disrupt or damage essential services.
Scope
The bill applies only to computer systems designated as "Critical Computer Systems" that belong to institutions classified as "Critical Infrastructure Operators." The regulated "Critical Infrastructure Operators" are primarily large institutions that are essential for the continuous provision of necessary services in Hong Kong or for maintaining key social and economic activities.
Although not mandated by law, relevant operators may contractually require their service providers to adopt similar measures.
The bill has no extraterritorial effect; regulatory authorities cannot enforce its provisions outside Hong Kong.
Key Requirements of the Protection of Critical Infrastructure (Computer Systems) Bill
The bill adopts an "organization-based" approach, treating each institution responsible for operating a critical infrastructure as the regulated unit. Such operators must comply with three categories of statutory responsibilities:
1. Structural responsibilities
2. Preventive responsibilities
3. Incident reporting and response responsibilities
The government will establish a dedicated office under the Security Bureau to oversee the compliance of different "Critical Infrastructure Operators" with their responsibilities under the ordinance. At this stage, the Monetary Authority has been designated to supervise operators in banking and financial services concerning the first and second categories of responsibilities. Meanwhile, the Communications Authority will supervise operators in communications and broadcasting sectors for compliance with the first and second categories of responsibilities.
In case of incidents, the Commissioner may require operators to take appropriate measures to address the incident and may intervene to assist in recovery if necessary.
However, the bill does not grant any authority to take over the entire operation of a "Critical Infrastructure" during an incident.
Violators may face fines of up to HK$5 million.
Code of Practice
Regulatory authorities will issue a Code of Practice, providing recommended standards based on the legal requirements. These may include:
The Code of Practice is not part of the bill, allowing for flexible and timely updates. Regulatory authorities may incorporate guidelines targeting specific sectors.
The ordinance specifies the Monetary Authority and Communications Authority as the "Designated Authorities." In the future, the government may amend Annex 2 of the ordinance through subsidiary legislation to designate other statutory regulatory bodies as "Designated Authorities." Similarly, Annex 1 concerning sectors of essential services may also be amended through subsidiary legislation.
Regulatory authorities will provide guidance and contract templates in the Code of Practice, clearly outlining the responsibilities and roles of third-party service providers. This aims to assist operators in fulfilling their statutory obligations when employing third-party service providers.
Implementation
The government aims for the bill to formally take effect on January 1, 2026, alongside the establishment of the dedicated office. The office anticipates gradually designating "Critical Infrastructure Operators" and their "Critical Computer Systems" in phases starting from mid-2026. Relevant operators must prepare accordingly.
DQS HK Related Services
- Security Risk Assessment and Audit Services
- Penetration Testing Services
- Privacy Impact Assessment (PIA) Services
- Cyber Defense Assessment under CRAF