Fortifying the Future: Hong Kong’s new cybersecurity laws to protect critical infrastructure

""
""

On 19 March 2025, the Legislative Council (the “LegCo”) passed the Protection of Critical Infrastructure (Computer System) Bill (the “Bill”), which is due to come into effect on 1 January 2026. This is a significant step in Hong Kong’s cybersecurity legislation: it provides a clear statutory framework for protecting critical infrastructure and for mitigating the impact of service disruption caused by cyberattacks.

As a recap, the Security Bureau of the Hong Kong SAR Government (the “Government”) first released a proposal for public consultation in July 2024 (the “Proposal”) (see our Previous Alert in August 2024), and gazetted the Bill on 6 December 2024. The Bill was then introduced to the LegCo for its First Reading on 11 December 2024, and a Bills Committee was subsequently formed to further study and scrutinise the Bill. The Bill was eventually passed on 19 March 2025 after the Second and Third Readings, with several amendments moved by the Government. 

The purpose of the enacted Bill (the “Enacted Bill”) is to enhance the security of the computer systems of critical infrastructure (“CI”), prevent the disruption of essential services due to cyberattacks and enable the smooth operation of essential services. As stated in the Proposal, only expressly designated CI operators (“CIOs”) will be subject to the legislation, and Government systems are explicitly excluded from the operation of the Enacted Bill.

Types of infrastructure covered under the Enacted Bill

The Enacted Bill aims to protect two major categories of CIs:

Type 1 CIs

Infrastructures for delivering essential services in the following eight sectors:

  1. energy;
  2. information technology;
  3. banking and financial services;
  4. air transport;
  5. land transport;
  6. maritime transport;
  7. healthcare services; and
  8. telecommunications and broadcasting services.

Type 2 CIs

Other infrastructures for maintaining important societal and economic activities, such as major sports and performance venues, research and development parks, and technology parks, etc.

Designated sector-specific authorities

The Security Bureau will set up a new Commissioner’s Office, headed by a Commissioner of CI (“Commissioner”) to be appointed by the Chief Executive. The Commissioner will be supported by designated sector-specific authorities (together with the Commissioner, “Regulating Authorities” and each a “Regulating Authority”), which at this stage are: 

  • the Monetary Authority for regulating the banking and financial services sector; and 
  • the Communications Authority for regulating the communications and broadcasting sector, (each, a “Designated Authority” or “DA”). 

The list of DAs will be reviewed by the Government from time to time, and the Secretary for Security may amend Schedule 2 to the Enacted Bill by notice published in the Gazette to specify other statutory sectoral regulators as DAs as appropriate. 

Scope of the Enacted Bill 

The Enacted Bill introduces the concept of “Specified CI”, which is infrastructure: (i) within a specified sector and operated by a regulated organisation of a DA; or (ii) otherwise determined by the Commissioner to be a Specified CI in accordance with the Enacted Bill. 

The Regulating Authorities are empowered under the Enacted Bill to ascertain CIs, to designate CIOs and to designate computer systems as critical computer systems (“CCSs”), as well as to revoke such designations; the Regulating Authorities may also require a CIO to provide any information they reasonably consider necessary for ascertaining whether an infrastructure is a Specified CI. Only designated CIOs and the designated CCSs of Specified CIs are subject to the Enacted Bill. 

When ascertaining Specified CIs, or designating CIOs or CCSs, the Regulating Authority must consider a range of factors prescribed in the Enacted Bill. For example, in ascertaining whether an infrastructure is a CI, a Regulating Authority must take into account the kind of service provided by the infrastructure and the potential implications if the infrastructure is damaged, loses functionality or suffers data leakage. This is a departure from the position in the Proposal, under which a Regulating Authority could, but was not required to, consider these factors. 

Main obligations of CIOs 

Since the Proposal in July 2024, various clarifications were made in the gazetted Bill; following the deliberations of the Bills Committee and the wider LegCo, further textual and substantive amendments were proposed and moved to allow for a more practical implementation of the requirements and protections envisaged under the Bill. The final position of the Enacted Bill on the three categories of obligations imposed on CIOs is summarised as follows: 

  • Category 1 obligations - Organisational. CIOs must: 
    • maintain an office in Hong Kong for carrying on its business; maintaining an office merely for correspondence purposes would not suffice; 
    • report any change of operator in relation to a CI within one month of such change, for example the sale or transfer of operatorship of facilities, termination of an operating contract or cessation of the existing operator. A change of ownership of the CIO (e.g. a transfer of shares) or staff movements (e.g. replacement of a director) are excluded from this notification requirement. Further examples are expected to be provided in CoPs (as defined below); and 
    • set up and maintain a computer system security management unit (“CSSM Unit”), which must be supervised by a dedicated supervisor of the CIO with adequate professional knowledge. The relevant Regulating Authority must be notified of the appointment of such supervisor or of any change in such appointment within the specified period. 
  • Category 2 obligations - Preventive. CIOs must: 
    • inform the Commissioner’s Office of material changes to their CCS (in relation to its design, configuration, security, operation, removal, etc.); 
    • submit a computer system security management plan (“CSSM Plan”) to the Commissioner’s Office (covering all matters specified in Part 1 Schedule 3 of the Enacted Bill), and implement such CSSM Plan; 
    • conduct a computer system security risk assessment at least once every year, and submit a report to the Commissioner’s Office within three months after the expiry of the period within which the assessment is required to be conducted; and 
    • conduct an independent computer system security audit at least once every two years, and submit a report to the Commissioner’s Office within three months after the expiry of the period within which the audit is required to be conducted. The audit could be carried out by a third-party auditor or the CIO’s internal auditing department, as long as the auditor is sufficiently independent – we expect CoPs to further specify and clarify requirements on “independence”. 

There is no longer a standalone obligation on CIOs to adopt contractual terms or other measures with third-party service providers to ensure compliance with the relevant statutory obligations, as previously suggested in the Proposal. CIOs are now required to incorporate into their CSSM Plan policies and guidelines for managing contracts and communications with third party suppliers to ensure compliance with the Enacted Bill.

  • Category 3 obligations - Incident Reporting and Response. CIOs must: 
    • participate in a computer system security drill organised by the Commissioner’s Office whenever required by the Commissioner (instead of at least once every two years suggested in the Proposal); 
    • formulate and submit an emergency response plan to the Commissioner’s Office (covering all matters specified in Part 2 Schedule 3 of the Enacted Bill), and implement the same; and 
    • notify the Commissioner’s Office of any computer system security incidents in respect of CCS in a specified form within the following time frames: 
      • within 12 hours (instead of two hours as suggested in the Proposal) after becoming aware of a serious computer system security incident, meaning an incident that has had or is about to have a major impact on the continuity of essential services and the normal operation of the CI; and 
      • within 48 hours (instead of 24 hours as suggested in the Proposal) after becoming aware of other computer system security incidents. 

Consequences for contravention 

Under the Enacted Bill, the offences and penalties arising from non-compliance (fines ranging from HK$500,000 to HK$5 million, plus daily fines for continuing breaches) are imposed at the organisational level and are not designed to target personnel at an individual level. However, if the relevant conduct also breaches other existing criminal legislation, the individuals involved may be held criminally liable for those acts. 

Code of practice and other sector-specific guidelines

Each Regulating Authority is empowered under the Enacted Bill to issue a code of practice (“CoP”) to set out a framework of recommended standards as revised from time to time for CIOs to comply with their statutory obligations. 

A CIO’s failure to observe a provision in a CoP does not by itself make it liable to any civil or criminal proceedings, as the CoPs are not subsidiary legislation, and the LegCo made it clear that, so long as the objectives of the statutory obligations are met, CIOs may fulfil their statutory obligations by means other than those set out in the CoPs. However, a CoP will be admissible in evidence where it is relevant to determining a matter in issue in the proceedings. 

Moving forward 

The Enacted Bill is expected to take effect on 1 January 2026. 

The LegCo advised on 10 March 2025 that the Regulating Authorities will begin the process of ascertaining CIs and designating CIOs and CCSs progressively and in a phased manner, having regard to risk assessments and the level of readiness of the organisations concerned. Specifically, the Government aims to establish the Commissioner’s Office by the first quarter of 2026 (within one year after the passage of the Bill) and to designate CIOs in phases within six months after the establishment of the Commissioner’s Office. 

The Commissioner’s Office will issue guidelines to enable organisations to have a clearer understanding of the processes of ascertainment and designation, giving potential CIOs ample time to be prepared. 

Key takeaways

Organisations which operate in the sectors specified under Type 1 CIs, and those which have been consulted on the Proposal as potential CIOs, are recommended to start reviewing their existing cybersecurity measures to evaluate whether their existing cybersecurity programs are aligned with industry standards and best practices. Many of the obligations under the Enacted Bill (such as establishing a CSSM Unit, formulating and implementing a CSSM Plan and an emergency response plan, conducting computer system security assessments and audits) should be carried out as a matter of good practice, especially when operating data-intensive essential services. It is also advisable for such organisations to design and implement appropriate cybersecurity training programs for staff and align their internal controls and policies with the requirements under the Enacted Bill.

The Government has stressed that the Enacted Bill does not have extraterritorial effect in its enforcement, and that the targets it regulates and imposes obligations on are CIOs in Hong Kong. However, CIOs are required to produce information to which they have access in or from Hong Kong, even if that information is located outside Hong Kong.

Whilst the Enacted Bill does not impose statutory obligations on CI owners or third-party service providers, the Commissioner has wide powers to apply for a magistrate’s warrant to investigate, or to mandate the assistance of, CI owners or third-party service providers in the investigation of or response to computer system security threats or incidents, in the event that they are unwilling or unable to respond.

We also recommend keeping an eye out for any CoP or guidance the Regulating Authorities may issue in the future, which may bring further clarity on how the Enacted Bill is to be implemented in practice.

Please reach out to Tommy Liu at tommy.liu@hoganlovells.com or Kenneth Cheung at kenneth.cheung@hoganlovells.com if you have any questions on the Enacted Bill. Our team here is well positioned to provide you with advice and guidance to help you navigate the new regulatory developments.

Authored by Tommy Liu and Kenneth Cheung.
