Out-Law Analysis
03 Apr 2025, 1:04 am
The Hong Kong Emergency Response Team Coordination Centre handled more than 19,000 cybersecurity incidents in 2024 alone, a 35% increase on the previous year.
Despite this increase, Hong Kong SAR had no statutory requirements for the protection of computer systems within its critical infrastructure (CI). Digital technologies have become deeply integrated into society, making the safeguarding of this infrastructure essential to the security and continuity of vital services.
The Protection of Critical Infrastructure (Computer Systems) Bill was passed by legislators on 19 March, after being released for public consultation in July 2024. The bill aims to establish a comprehensive regulatory framework to strengthen cybersecurity across Hong Kong SAR's critical infrastructure, by designating critical infrastructure operators and critical computer systems to comply with mandatory security obligations.
The bill designates the Commissioner’s Office and designated authorities as the regulating bodies, complementing the existing regulatory regime in which specialised authorities already oversee certain essential services sectors.
For example, the Hong Kong Monetary Authority oversees banking and financial services, while the Communications Authority regulates telecommunications and broadcasting services. The establishment of the Commissioner’s Office will further streamline the regulation and protection of critical infrastructure.
The bill is expected to take effect on 1 January 2026, marking a crucial development in Hong Kong SAR's cybersecurity landscape. The aim is to establish the Commissioner’s Office by the first quarter of 2026 and designate CI operators within six months thereafter.
Critical infrastructure refers to systems and assets, whether physical or virtual, that are vital to the security, economy, public health, and safety of Hong Kong SAR. This infrastructure is crucial for maintaining the continuous provision of essential services and ensuring the stability of societal and economic activities.
Under the bill, there are two types of critical infrastructure, Type 1 and Type 2.
The essential service sectors classified as Type 1 CI are considered critical because they underpin the essential services that keep day-to-day life in Hong Kong SAR functioning smoothly. Energy grids, banking systems and healthcare services are all fundamental to the city's security and economic stability. Any disruption to these services can have immediate and far-reaching consequences, affecting everything from financial transactions and transportation to medical care and communication.
Type 2 CI supports broader societal and economic activities. For example, the disruption of a major technology park could stall innovation and economic growth. Protecting Type 2 infrastructure is also essential in maintaining Hong Kong SAR's development.
The bill outlines factors that authorities must consider when determining whether infrastructure qualifies as CI, such as the type of service provided by the infrastructure and the potential implications if it is damaged, loses functionality, or suffers data leakage.
CI operators are any organisation operating critical infrastructure in Hong Kong SAR. When designating CI operators, regulating authorities must consider factors such as the dependency of the core function on computer systems, the sensitivity of digital data controlled by the organisation, and the extent of control over the operation and management of the infrastructure.
For Type 1 CI, the core function refers to the service or function of the essential service concerned. For example, the core function of a hospital is to provide healthcare services to the public, relying heavily on computer systems for managing medical records.
For Type 2 CI, the core function refers to any function essential to maintaining critical societal or economic activities in Hong Kong.
The obligations in the bill are imposed only on designated critical computer systems (CCS), defined as those accessible by the CI operator in or from Hong Kong SAR that are essential to the core function of the infrastructure.
When designating a CCS, consideration should be given to its importance to the infrastructure's main functions, the impact of its disruption, its links to other systems used by the operator, and its connections to systems of other operators. The aim is to ensure that the most crucial systems receive the protection needed to maintain their integrity against cyber threats.
Following several rounds of deliberations and consultation, the final bill imposes three main categories of obligations on CI operators that, if not met, may result in criminal offences.
Category one obligations focus on the organisational aspects of CI operators, including maintaining an office and physical presence in Hong Kong SAR, notifying the regulating authority of any changes to the operator, and establishing and maintaining a computer system security management unit. By adopting these measures, CI operators will have a structured approach to protecting their systems and facilitating effective communication with the commissioner or designated authorities.
Category two obligations are preventative – CI operators must notify the regulating authority, within one month, of material changes to a CCS that could affect its security. This includes alterations in design, configuration, security or operation, as well as any addition or removal of a CCS from the CI. Any modification that makes an existing system essential to the core function of the operator must also be reported.
CI operators are required to implement and submit a computer system security management plan within three months of being designated, and must conduct a computer system security risk assessment at least once every 12 months and submit an assessment report within three months of each assessment. The CI operator must carry out a computer system security audit at least once every 24 months, with a report submitted within three months of each audit period.
Regular risk assessments and audits identify vulnerabilities to ensure CI operators have robust security policies to proactively address potential threats.
Category three obligations relate to timely responses to cybersecurity incidents. To prepare for potential breaches, the commissioner may conduct a computer system security drill in which CI operators must participate. Typically, organisations will conduct their own drills, but the drills conducted by the commissioner will simulate extensive attacks. The main purpose of the drills is not to punish organisations, but to help operators make improvements in their CCS security.
CI operators must also submit an emergency response plan within three months of receiving their CI operator designation. In the event of a security incident, CI operators are required to report to the relevant authorities within 12 hours of detection if the incident disrupts the CI core function or within 48 hours of detection for other incidents. Within 14 days, the CI operator must submit a written report of the incident in a specified form as requested by the regulating authorities.
These measures help to better equip CI operators to respond swiftly to cybersecurity threats and to minimise their impact.
The obligations under the bill are mandatory, and non-compliance from organisations can result in criminal liability. The offences are of strict liability, meaning that the intention behind the non-compliance is irrelevant. Penalties for failing to meet these obligations are severe, with fines ranging from HK$500,000 (approx. US$64,250) to HK$5,000,000 and additional daily fines ranging from HK$50,000 to HK$100,000 for continuing offences. These penalties are imposed at the organisational level and not at the individual level.
The relevant regulator will start identifying CIs and designating CI operators and CCSs in a phased manner to facilitate a smooth transition to the new regulatory framework. This process will be guided by risk assessments and the readiness of organisations.
In the meantime, before the bill takes effect and organisations are designated as CI operators, they should take the necessary steps to prepare for these changes, ensuring compliance and safeguarding their operations.
Organisations should assess whether they operate CI, especially Type 2 CI, which has a broader definition, and review existing cybersecurity protocols to ensure compliance with industry standards.
Additionally, organisations should assess and audit their existing data practices and establish incident response plans to ensure timely reporting of security incidents to the commissioner, mitigating the impact of cyber threats. In-house counsel should be aware of what measures they can take to ensure their organisation’s compliance and to maintain operational resilience.
Co-written by Cherie Chung of Pinsent Masons.