The Critical Infrastructure (Computer Systems) Protection Bill was passed in its third reading by the Legislative Council on March 19, 2025. The government plans for the ordinance to take effect on January 1, 2026.

Purpose

The ordinance requires organizations designated as “Critical Infrastructure Operators” to take appropriate measures to protect their computer systems, reducing the likelihood of essential services being disrupted or destroyed by cyberattacks.


Scope

Only organizations designated as “Critical Infrastructure Operators” and their designated “Critical Computer Systems” will be regulated. These operators deliver services essential to Hong Kong’s continued operation, or necessary for maintaining critical social and economic activities; most are large organizations.

Although not legally required to, operators may contractually require their service providers to adopt similar measures. The ordinance has no extraterritorial effect, and regulatory authorities cannot enforce its provisions outside Hong Kong.


Key Requirements of the Ordinance

The ordinance adopts an “organization-based” approach, treating each operator responsible for its own critical infrastructure as a single unit. Operators must comply with three main categories of statutory responsibilities:

  1. Structural responsibilities
  2. Preventive responsibilities
  3. Incident reporting and response responsibilities

A dedicated office under the Security Bureau will be established to oversee compliance, working alongside two designated authorities. Currently, the Monetary Authority is responsible for monitoring compliance among banking and financial services operators, while the Communications Authority oversees operators in telecommunications and broadcasting.

In the event of an incident, the Commissioner heading the dedicated office can require operators to take appropriate response measures and may intervene to assist in recovery if necessary. However, the ordinance does not grant the power to take over an entire critical infrastructure operation during an incident. Violators may face fines of up to HKD 5 million.


Code of Practice

Regulatory authorities will issue a Code of Practice setting out recommended standards for meeting the legal requirements. It covers professional qualifications for heads of IT security management units, examples of “major changes” that must be reported, the contents and standards for security management plans, risk assessments and reviews, staff training, and how to determine whether a security incident has occurred.

The Code of Practice is not legislation and can be updated flexibly. Authorities may include sector-specific guidelines in the Code.

The ordinance names the Monetary Authority and the Communications Authority as “designated authorities.” In the future, the government may amend Schedule 2 through subsidiary legislation to appoint other appropriate statutory industry regulators as designated authorities, or revise the essential service sectors listed in the schedule.

Regulatory authorities will also provide guidance and contract templates in the Code of Practice, clarifying the roles and responsibilities of third-party service providers. This helps ensure operators can continue to fulfill statutory responsibilities when engaging external providers.


Effective Date

The government aims to bring the ordinance into operation on January 1, 2026, and to establish the dedicated office at the same time. The office expects to begin designating critical infrastructure operators and their critical computer systems in phases from around mid-2026. Operators should prepare accordingly.


Author

DQS HK
