
On 19 March 2025, the Legislative Council (the “LegCo”) passed the Protection of Critical Infrastructure (Computer System) Bill (the “Bill”), which is due to come into effect on 1 January 2026. This is a significant step in Hong Kong’s cybersecurity legislation: it provides clarity and a framework for the protection of critical infrastructure and for mitigating the impact of service disruption caused by cyberattacks.
As a recap, the Security Bureau of the Hong Kong SAR Government (the “Government”) first released a proposal for public consultation in July 2024 (the “Proposal”) (see our Previous Alert in August 2024), and gazetted the Bill on 6 December 2024. The Bill was then introduced to the LegCo for its First Reading on 11 December 2024, and a Bills Committee was subsequently formed to further study and scrutinise the Bill. The Bill was eventually passed on 19 March 2025 after the Second and Third Readings, with several amendments moved by the Government.
The purpose of the enacted Bill (the “Enacted Bill”) is to enhance the security of computer systems of critical infrastructure (“CI”), prevent the disruption of essential services due to cyberattacks and enable smooth operation of essential services. As stated previously in the Proposal, only expressly designated CI operators (“CIOs”) will be subject to the proposed legislation and Government systems are explicitly excluded from the operation of the Enacted Bill.
The Enacted Bill aims to protect two major categories of CIs:
| Category | Description |
| --- | --- |
| Type 1 CIs | Infrastructures for delivering essential services in the following eight sectors: |
| Type 2 CIs | Other infrastructures for maintaining important societal and economic activities, such as major sports and performance venues, research and development parks, and technology parks, etc. |
The Security Bureau will set up a new Commissioner’s Office, headed by a Commissioner of CI (“Commissioner”) to be appointed by the Chief Executive. The Commissioner will be supported by designated sector-specific authorities (“DAs”; together with the Commissioner, the “Regulating Authorities” and each a “Regulating Authority”), which at this stage are:
The list of DAs will be reviewed by the Government from time to time, and the Secretary for Security may amend Schedule 2 to the Enacted Bill by notice published in the Gazette to specify other statutory sectoral regulators as DAs as appropriate.
The Enacted Bill introduces the concept of “Specified CI”, which is infrastructure: (i) within a specified sector and operated by a regulated organisation of a DA; or (ii) otherwise determined by the Commissioner to be a Specified CI in accordance with the Enacted Bill.
The Regulating Authorities are empowered under the Enacted Bill to identify CIs, designate CIOs and a computer system as critical computer systems (“CCSs”), as well as to revoke such designations; the Regulating Authorities may also require a CIO to provide any information they reasonably consider necessary for ascertaining whether the infrastructure is a specified CI. Only designated CIOs and CCSs of specified CIs are subject to the Enacted Bill.
When ascertaining Specified CIs, or designating CIOs or CCSs, the Regulating Authority must consider a range of factors prescribed in the Enacted Bill. For example, in ascertaining whether an infrastructure is a CI, a Regulating Authority must take into account the kind of service provided by the infrastructure and the potential implications if the infrastructure is damaged, its functionality is lost or it suffers data leakage. This is a departure from the position in the Proposal, under which a Regulating Authority could, but was not mandated to, consider these factors.
Since the Proposal in July 2024, various clarifications have been made in the gazetted Bill; following the deliberations of the Bills Committee and the wider LegCo, further textual and substantive amendments were proposed and moved, to allow for a more practical implementation of the requirements and protections envisaged under the Bill. The final position of the Enacted Bill regarding the three types of obligations imposed on CIOs is summarised as follows:
There is no longer a standalone obligation on CIOs to adopt contractual terms or other measures with third-party service providers to ensure compliance with the relevant statutory obligations, as previously suggested in the Proposal. CIOs are now required to incorporate into their CSSM Plan policies and guidelines for managing contracts and communications with third party suppliers to ensure compliance with the Enacted Bill.
Under the Enacted Bill, the offences and penalties arising from non-compliance (which range from HK$500,000 to HK$5 million, plus daily fines for continuing breaches) will be imposed at the organisational level and are not designed to target personnel at an individual level. However, if the relevant violations also involve a breach of other existing criminal legislation, the individuals involved may be held criminally liable for those acts.
Each Regulating Authority is empowered under the Enacted Bill to issue a code of practice (“CoP”) to set out a framework of recommended standards as revised from time to time for CIOs to comply with their statutory obligations.
A CIO’s failure to observe a provision in a CoP does not by itself make it liable to any civil or criminal proceedings, as the CoPs are not subsidiary legislation, and the LegCo has made it clear that, so long as the objectives of the statutory obligations are met, CIOs may fulfil their statutory obligations in ways other than those set out in the CoPs. However, a CoP will be admissible in evidence where it is relevant to determining a matter that is in issue in the proceedings.
The Enacted Bill is expected to take effect on 1 January 2026.
The LegCo advised on 10 March 2025 that the Regulating Authorities will begin the process of ascertaining CIs and designating CIOs and CCSs progressively and in a phased manner, having regard to risk assessment and the level of readiness of the organisations. Specifically, the Government aims to establish the Commissioner’s Office by the first quarter of 2026 (within one year after the passage of the Bill) to designate CIOs in phases within six months after the establishment of the Commissioner’s Office.
The Commissioner’s Office will issue guidelines to enable organisations to have a clearer understanding of the processes of ascertainment and designation, giving potential CIOs ample time to be prepared.
Organisations which operate in the sectors specified under Type 1 CIs, and those which have been consulted on the Proposal as potential CIOs, are recommended to start reviewing their existing cybersecurity measures to evaluate whether their existing cybersecurity programs are aligned with industry standards and best practices. Many of the obligations under the Enacted Bill (such as establishing a CSSM Unit, formulating and implementing a CSSM Plan and an emergency response plan, conducting computer system security assessments and audits) should be carried out as a matter of good practice, especially when operating data-intensive essential services. It is also advisable for such organisations to design and implement appropriate cybersecurity training programs for staff and align their internal controls and policies with the requirements under the Enacted Bill.
The Government has stressed that the Enacted Bill does not have extraterritorial effect in its enforcement, and that the targets which the Enacted Bill regulates and imposes obligations on are CIOs in Hong Kong. However, CIOs are required to produce information to which they have access in or from Hong Kong, even if that information is located outside Hong Kong.
Whilst the Enacted Bill does not impose statutory obligations on CI owners or third-party service providers, the Commissioner does have wide powers to apply for a magistrate’s warrant to investigate or mandate the assistance of CI owners or third-party service providers in its investigation or response to computer system security threats or incidents in the event they are unwilling or unable to respond.
We also recommend keeping an eye out for any CoP or guidance the Regulating Authorities may issue in the future, which may bring further clarity on how the Enacted Bill is to be implemented in practice.
Please reach out to Tommy Liu at tommy.liu@hoganlovells.com or Kenneth Cheung at kenneth.cheung@hoganlovells.com if you have any questions on the Enacted Bill. Our team here is well positioned to provide you with advice and guidance to help you navigate the new regulatory developments.
Authored by Tommy Liu and Kenneth Cheung.