TAPA FSR & TSR 2026: What Hong Kong Operators Need to Know

DQS Hong Kong

Founded in 1985 by the German Institute for Standardisation (DIN) and the German Society for Quality (DGQ), DQS is one of the world's most established independent management system certification bodies. DQS is a founding member of the International Certification Network (IQNet) and holds accreditations from the German Accreditation Body (DAkkS) alongside over 100 international accreditations, operating across more than 60 countries and regions.

Jun 01 , 2026

A timeline-based briefing on the upcoming transition from Version 2023 to Version 2026.

Loaded European truck on motorway in beautiful sunset light. On the road transportation and cargo.

Why this notice matters now

TAPA APAC has confirmed that Version 2026 of its two flagship supply-chain security standards, the Facility Security Requirements (FSR) and the Trucking Security Requirements (TSR), will publish in English in September 2026. That announcement carries three concrete deadlines that every certified operator, prospective applicant, and procurement team in Hong Kong needs to have on their calendar.

The three dates that frame every decision

31 July 2026 is the final date to apply for training under Version 2023. After this point, no new training applications will be accepted under the existing standard. For organisations with internal auditors, security managers, or operations leads who still need formal qualification on Version 2023, this deadline is roughly six weeks away.
30 September 2026 is the final date to complete a certification or recertification audit under Version 2023. After this point, no certificates can be issued under the 2023 standard in the APAC region. Audits in progress must be closed by this date, including the resolution of any non-conformities raised during the audit.
September 2026 is when Version 2026 publishes in English and when training under the new standard begins. Certificates issued under Version 2023 before 30 September remain valid until their stated expiry date — they are not invalidated by the new release.

A fourth, less formal date is worth keeping in mind: traditional Chinese and Simplified Chinese versions of TAPA standards historically follow the English release by three to six months. Organisations that prefer to work in Chinese for internal training and audit documentation should plan around an effective working window that extends into early 2027, even though the certification deadlines themselves do not move.

What the FSR and TSR standards cover

The Facility Security Requirements set out the minimum security baseline for warehousing and in-transit storage within a supply chain. FSR covers physical security, personnel controls, process controls, and information security across three certification levels — A, B, and C — calibrated to the risk profile and value of the cargo being handled. In Hong Kong, FSR is most commonly held by operators in the airport cargo precinct, by bonded warehouses serving the Greater Bay Area, and by third-party logistics providers handling electronics, pharmaceuticals, and luxury goods.

The Trucking Security Requirements apply to road transport of cargo. TSR covers vehicle hardening, driver vetting, route planning, real-time monitoring, incident response, and the contractual relationships between consignors, primary carriers, and any sub-contracted operators. TSR is structured in three levels (1, 2, 3). For Hong Kong, TSR is most relevant to cross-boundary trucking operations connecting to Shenzhen, Dongguan, and Guangzhou, where high-value inland legs are increasingly subject to TAPA requirements written into shipper contracts.

What Version 2026 is likely to introduce

TAPA APAC has not yet released the full 2026 control text. What follows is a directional summary of where the revision is expected to move, based on the association's stated revision approach and the patterns of supply-chain risk over the past three years. Treat this as advance reading, not as final specification.

Cybersecurity expectations across physical security systems.

The 2023 version treats cybersecurity as a relatively contained module. Version 2026 is expected to embed cyber controls more broadly across access control systems, warehouse management systems, transport management platforms, telematics, and electronic locking. The driving reality is that ransomware and remote tampering have become as disruptive to cargo as physical theft, and the standard is expected to reflect that.

Intelligence-led risk assessment

The TAPA Intelligence System has accumulated substantial incident data across APAC. Version 2026 is expected to require certified sites and fleets to demonstrate that their risk assessments are informed by current threat data, not by an annual paper exercise. For Hong Kong operators, this points toward linking site and route risk to actual hijacking, pilferage, and incursion patterns reported across the GBA and major ASEAN trade lanes.

Capability-based controls

Version 2023 contains some technology-prescriptive language — for example, fixed CCTV pixel densities and retention periods. Version 2026 is expected to shift toward outcome and capability descriptions, which would credit AI-based video analytics, radar and lidar perimeter sensing, thermal imaging, and licence plate recognition where they meet or exceed the underlying intent.

Resilience and business continuity

Typhoons, extreme heat affecting cold-chain operations, port congestion, and cross-border disruption are now standing risks rather than exceptional events. Version 2026 is expected to require more substantive evidence of continuity planning, alternative routing, and recovery exercises — particularly relevant for Hong Kong operators whose operations are reshaped several times each year by Signal 8 and above.

Audit protocol formalisation

Hybrid and remote audit modalities, used heavily during the pandemic, are expected to be formalised with clearer rules on when they are permissible and how evidence must be captured. Auditor competence and internal auditor expectations are also expected to rise.

People controls extending into the contractor and short-term labour layer

The use of sub-contracted drivers and short-term workers in Hong Kong's cross-border trucking and last-mile networks creates well-documented vetting gaps. Version 2026 is expected to tighten requirements for screening, training, and accountability across the full labour chain rather than only direct employees.

The practical takeaway: the 2026 revision should be approached as a step-change in expected maturity, not as a light refresh of 2023.

Pilot's hand on the plane engine control stick

What to consider, by situation

Different organisations face different decisions in the months ahead. The following is a sorting guide, not advice.

If you currently hold a Version 2023 certificate that expires after 2027

You have natural runway. The decision in front of you is whether to send your security team to Version 2023 training before 31 July, or wait for Version 2026 training in September. If your internal auditors are not yet qualified on the version your management system is built around, the July window is worth considering. If they are already qualified, waiting for the new training is reasonable.

If your Version 2023 certificate expires in late 2026 or in 2027

You face a genuine choice. You can pursue a Version 2023 recertification audit before 30 September, which extends your runway and gives your team time to absorb the new standard before the next cycle. Or you can let the certificate lapse and recertify under Version 2026 when the new programme is ready. Audit-slot availability in Q3 2026 is expected to tighten significantly; if a 2023 recertification is your preferred path, booking the audit window early matters.

If you do not yet hold TAPA certification

Starting a new Version 2023 certification in June with a 30 September audit deadline is, realistically, very tight. A typical first-time FSR or TSR certification takes three to six months for a single site, and longer for multi-site or fleet scopes — and that is before allowing time to close audit findings. For most new applicants, the more practical path is to use the months between now and September for gap analysis, to build the security management system, to plan any infrastructure investment, and to certify under Version 2026 once it publishes. Organisations that prepare during the gap will be in a position to certify months ahead of those who wait until September to begin.

If you are a shipper or buyer who specifies TAPA in supplier contracts

Two things are worth doing this quarter. Review your standard contract language to confirm whether it references "the current version" of FSR and TSR or specifically Version 2023, and decide how you want to handle the transition period. Inform your key suppliers of your expectations regarding Version 2026 adoption so they can plan their own audit calendars accordingly.

Hong Kong–specific considerations

Several elements of the Hong Kong regulatory landscape interact with TAPA compliance in ways that are easy to miss if you treat the standard as a standalone exercise.

The Personal Data (Privacy) Ordinance governs how CCTV footage, visitor logs, employee background screening, and biometric access data are collected, retained, and accessed. Version 2026's expected expansion of biometric and analytics-based controls makes a parallel Privacy Impact Assessment worthwhile. Designed together, the two assessments produce a coherent control set; designed separately, they tend to surface conflicts at audit.

The Protection of Critical Infrastructure (Computer Systems) Ordinance, passed in 2025 and entering operation in phases, designates transport and logistics among its in-scope sectors. For larger logistics operators, particularly those embedded in airport and port operations, the cyber elements of TAPA 2026 and the obligations of the new ordinance overlap meaningfully. A single integrated cyber security programme that addresses both will generally be more efficient than two parallel compliance tracks.

The Hong Kong Customs Authorized Economic Operator (AEO) programme shares substantial common ground with FSR in physical security, personnel security, and business-partner due diligence. With mutual recognition arrangements in place between Hong Kong and several major trading partners, alignment of TAPA and AEO documentation creates real downstream benefits in clearance speed and supplier credibility.

Greater Bay Area cross-border trucking arrangements, including the expanded cross-boundary cargo channels and the integration of Heung Yuen Wai, Liantang–Heung Yuen Wai, and Shenzhen Bay control points, have changed the operating reality for TSR-certified fleets. Version 2026 is expected to tighten requirements on continuous GPS visibility across the boundary, electronic locking integrity, driver authentication, and incident response across two jurisdictions. Telematics specifications being finalised this year should be checked against both the anticipated TSR direction and the Mainland's road transport and personal information rules.

The Occupational Safety and Health Ordinance sets boundaries on how restricted access zones, segregation of high-value areas, and after-hours operations can be implemented without compromising fire egress and worker safety. This rarely surfaces as a TAPA finding directly, but a poorly designed restricted area can create labour-side liability that outweighs the cargo-loss risk it was meant to prevent.

Sunset sky on the lake. View from the kayak.The image was downloaded from Depositphotos under a lice

A short checklist for the next 90 days

Confirm the expiry date of every TAPA certificate your organisation holds, and map them against the 30 September 2026 deadline.

Identify every team member who needs Version 2023 training and submit applications before 31 July if that path is the right one for your organisation.

Begin a gap review against the anticipated 2026 changes — particularly cybersecurity, intelligence-led risk assessment, and resilience — so that any infrastructure or process work can be scoped now rather than after the standard publishes.

Check that any TAPA-related contractual language with customers or suppliers accommodates the transition period and the new version.

Align the gap review with adjacent obligations under PDPO, AEO, and the new critical-infrastructure regime where applicable.

If you intend to recertify under Version 2023, book the audit slot well ahead of Q3 2026 congestion. If you intend to transition directly to Version 2026, mark September in your calendar for the release of the English standard and the opening of the new training programme.

A ship's engine telegraph set to “full speed ahead”

Practical Next Steps

The TAPA 2026 transition is one of the more substantial changes the standard has seen in recent cycles, and the calendar between now and September leaves less room than it appears. The most useful thing most organisations can do this month is simply to map their own situation against the three dates above and decide which path applies.

Plan Your TAPA 2026 Transition with DQS

DQS is an internationally accredited certification body with over 35 years of audit experience across more than 60 countries, and an accredited TAPA provider in the APAC region. Our TAPA-qualified auditors have supported logistics operators, cross-border trucking companies, bonded warehouse providers, and high-value-cargo handlers across Hong Kong's airport cargo precinct, port hinterland, and the Greater Bay Area corridor — covering gap analysis, internal-auditor training, and formal FSR and TSR certification audits. Learn more at DQS TAPA Certification

Explore our TAPA Certification

Get in Touch

Strengthen your supply chain security with globally recognized TAPA Certification.

Author

DQS Hong Kong

DQS Hong Kong specialises in certification auditing and training services across core disciplines including Information Security (ISO 27001), Quality Management (ISO 9001), and the Automotive Industry (IATF 16949). Our auditors bring deep sector-specific expertise, working closely with clients' operational realities to deliver actionable management insights and lasting commercial value — well beyond the boundaries of compliance alone.