Hong Kong Passes First Cybersecurity Legislation for Regulating Critical Infrastructures
Introduction
The Protection of Critical Infrastructures (Computer Systems) Bill (the "Bill"), the first law in Hong Kong to deal specifically with cybersecurity, was passed on 19 March 2025 and will come into force on 1 January 2026. The Bill was introduced amidst a rising trend of cyberattacks in recent years, with 61 reported data breach incidents involving hacking in 2024 according to the Privacy Commissioner for Personal Data (“PCPD”). We set out below the key compliance requirements of the Bill and discuss their implications for companies that operate computer systems falling within the ambit of the Bill.
Background
In July 2024, the Security Bureau, the Office of the Government Chief Information Officer and the Hong Kong Police Force issued a proposal for a legal framework to regulate critical infrastructure operators (“CIOs”) and Critical Computer Systems (“CCS”) (the “Proposed Framework”), which was presented to the Legislative Council Panel on Security for discussion (see our previous Legal Update on Hong Kong Proposes the Introduction of a Legal Framework for Regulating Critical Infrastructures).
In October 2024, after public consultation, the Security Bureau reported its findings to the Legislative Council Panel on Security, along with a proposal for implementing the Proposed Framework (“Consultation Report”). (See our previous Legal Update on Hong Kong Security Bureau's Response to Stakeholder Submissions on Proposed Legal Framework for Regulating Critical Infrastructure).
In December 2024, the Bill was gazetted and introduced to the Legislative Council for its First Reading. After deliberations in the Legislative Council, the Bill was passed on 19 March 2025 with amendments moved by the Government. The aim of the Bill is to strengthen the security of the computer systems of critical infrastructure, minimise disruption of essential services due to cyberattacks, and eventually enhance the overall computer system resilience in Hong Kong against cyberattacks.
Scope of Application
There are two categories of Critical Infrastructures (i.e. "CI") defined under the Bill. The first category refers to any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in any one of the 8 designated sectors, which include energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services (“Designated Sectors”).
The second category of CI is to be designated by the government at a later stage and will include any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong (e.g. major sports and performance venues, research and development parks, etc.). According to the Secretary for Security, the government is expected to start shortlisting designated CIOs by June 2025, although the list of designated CIOs will not be made public, to avoid them being targeted by threat actors.
The Bill also captures critical computer systems (i.e. “CCS”), which are computer systems that are accessible by the CIO in or from Hong Kong and are essential to the core function of a CI operated by the CIO.
The Security Bureau clarified that the Bill does not have extraterritorial effect “as Hong Kong does not purport to exercise long-arm enforcement jurisdiction over places outside Hong Kong”. However, certain sections of the Bill may require a CIO to provide information that is accessible by it in or from Hong Kong (whether such information is located in or outside Hong Kong). If a computer system is essential to the core function of the CI and is accessible by the CIO in or from Hong Kong, the addition of that computer system to the CI must be reported to the relevant Regulating Authority (as defined below) within 1 month after the date on which the addition took place.
Some uncertainties remain in the finalised Bill. The definition of the information technology sector (“IT Sector”) (one of the Designated Sectors) could potentially include data processors, data centres and cloud providers. During the consultation, some submissions called for clearer criteria for determining whether individual operators fall into the IT Sector. So far, the Security Bureau has only added that it will maintain communication with potential operators before a designation is actually made.
Regulating Authorities
A Commissioner’s Office to be led by the Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner”) will be established by the Security Bureau. Under the Bill, the Commissioner is responsible for:
- identifying CI and designating CIOs and CCS;
- issuing, revising and maintaining codes of practice in respect of obligations of CIOs;
- monitoring and supervising compliance with the provisions of the Bill;
- regulating CIOs with regard to the computer-system security of the CCS;
- monitoring, investigating and responding to computer-system security threats and computer-system security incidents in respect of the CCS;
- coordinating the implementation of the Bill with Designated Authorities (as defined below) and government departments; and
- performing any other functions imposed or conferred on the Commissioner under this Bill or any other ordinance.
The Commissioner’s Office will have the power to investigate computer-system security threats and computer-system security incidents, and to seek a warrant from a magistrate to compel the cooperation of CIOs or service providers or to allow access to premises, or inspection or collection of evidence that is relevant to the investigation.
The Bill also designates certain sector regulators as designated authorities (“Designated Authorities”, together with the Commissioner’s Office, the “Regulating Authorities”) to monitor compliance with, and implement, the “organisational” and “preventive” obligations (i.e. the Category 1 and Category 2 obligations, which are discussed further below) in their respective essential service sectors. The Designated Authorities currently include the Monetary Authority (for the banking and financial services sector) and the Communications Authority (for the telecommunications and broadcasting services sector). These Designated Authorities may issue Codes of Practice (CoPs) to provide bespoke guidance on compliance with the statutory obligations under the Bill, taking into account the trade standards applicable to that sector.
Obligations for CIOs
The Bill sets out three main categories of obligations for designated CIOs: (a) Organisational; (b) Preventive; and (c) Incident Reporting and Response.
Category 1: Organisational Obligations
A designated CIO is required to maintain an office in Hong Kong for carrying on its business, and notify the relevant Regulating Authority in writing of any change of operator (e.g. transfer, expiration or termination of operating contract) of a CI as soon as practicable and in any event within 1 month after the date on which the change occurs. The Bill does not expressly require CIOs to report changes in ownership, given that changes in shareholding of CIOs (which are often large corporations or listed companies) can be frequent.
A dedicated computer-system security management unit is also required to be established and maintained (either by the CIO itself or by a service provider engaged by the CIO) to manage the security of the CCS operated by the CIO, and ensure compliance with the requirements under the Bill. The CIOs are required to designate a person with adequate professional knowledge in relation to computer-system security to supervise the computer-system security management unit. The appointment has to be notified to the relevant Regulating Authority within a prescribed period.
Category 2: Preventive Obligations
The Bill imposes the following preventive obligations on CIOs:
1. Notification of material changes to computer systems
CIOs shall notify the relevant Regulating Authority of any of the following events within one month of the date on which the event occurs:
- a material change to the design, configuration, security or operation of a CCS;
- a CCS of the CI is removed;
- a computer system (whether under the control of the CIO or not) that (a) is accessible by the CIO in or from Hong Kong, and (b) is essential to the core function of the CI, is added to the CI; and
- a change occurs to a computer system (whether under the control of the CIO or not) that (a) is an existing computer system of the CI, and (b) is accessible by the CIO in or from Hong Kong, such that the system becomes essential to the core function of the CI.
2. Computer-system security management plan
CIOs shall implement a computer-system security management plan for protecting the computer-system security of the CCS of the CI, and submit it to the relevant Regulating Authority, within 3 months after being designated as a CIO.
3. Computer-system security risk assessment
CIOs shall conduct a computer-system security risk assessment within 12 months after the designation date of the CIO, and at least once every 12 months thereafter, and submit an assessment report to the relevant Regulating Authority within 3 months after the expiry of each required assessment period.
4. Computer-system security audit
CIOs shall conduct a computer-system security audit within 24 months after the designation date of the CIO, and at least once every 24 months thereafter, and submit an audit report to the relevant Regulating Authority within 3 months after the expiry of each required audit period.
The relevant Regulating Authority may also, by written notice, require a CIO to carry out a computer-system security audit in respect of all of its CCS, or any part of such systems specified in the notice, and to submit a report of the audit to the authority within the prescribed time.
CIOs may apply for an extension of time for the submission of plans or reports (as the case may be) under points 2, 3 and 4 above, although the Bill does not provide specific details of this procedure, such as the maximum extension period allowed or the grounds on which an extension may be sought.
Category 3: Incident Reporting and Response
1. Participate in computer-system security drill
The Commissioner may, after giving reasonable notice in writing, require a CIO to participate in a computer-system security drill conducted by the Commissioner for testing the state of readiness of CIOs in responding to computer-system security incidents in respect of CCS.
2. Submit and implement emergency response plan
Furthermore, CIOs shall implement an emergency response plan and submit it to the Commissioner within 3 months (or longer if an extension is granted) after being designated as a CIO. The plan must detail the protocol for responding to computer-system security incidents and cover the specified matters (e.g. the responsible team, the procedures for reporting and investigating a security incident, the recovery plan for resuming the provision of essential services or normal operation, the plan for communicating with stakeholders and the general public, and post-incident mitigating and preventive measures).
3. Notification of computer-system security incidents
A computer-system security incident refers to an event that involves (1) unauthorised access to the CCS, or (2) any unauthorised act done on or through the CCS or another computer system, that has an actual adverse effect on the computer-system security of the CCS. CIOs are required to report a computer-system security incident to the Commissioner as soon as practicable and in any event within the specified time. For a more serious computer-system security incident (one which has disrupted, is disrupting or is likely to disrupt the core function of the CI), the reporting timeframe is 12 hours after the CIO becomes aware of the incident. For other incidents, the timeframe is 48 hours after the CIO becomes aware of the incident. CIOs are further required to submit a written report of the incident to the Commissioner within 14 days after the date on which the CIO becomes aware of the computer-system security incident.
However, questions remain outstanding, such as what the specific triggers for the incident reporting obligation are and, in particular, what constitutes an “actual adverse effect on the computer-system security”. We expect that Codes of Practice (CoPs) will be issued in due course and will clarify which types of security incident are required to be reported. The Security Bureau has also clarified that the incident notification obligation under the Bill is separate from any obligation to notify the Privacy Commissioner for Personal Data (PCPD) of a personal data breach. While the Commissioner’s Office is focused on identifying the cause of the computer-system security incident and closing loopholes, the PCPD focuses on the protection of personal data and compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486).
Penalties
Organisations which fail to comply with the obligations under the Bill commit an offence and will be liable to maximum fines ranging from HK$500,000 to HK$5 million (with additional daily fines for continuing violations). Directors and officers of companies bear no personal liability under the Bill.
What’s Next?
As the Bill will come into force on 1 January 2026, organisations which may be regarded as CIOs should take the following actions to prepare for compliance with the relevant requirements under the Bill:
Review and Assessment. Conduct an internal assessment of whether the organisation may be regarded as a CIO, review its existing computer systems and identify those that are essential to its core functions and may fall within the scope of CCS. Organisations which may be regarded as CIOs (including those in one of the Designated Sectors) should also assess the potential impact of any security incident on their operations, reputation and legal liabilities, document their findings, and update their records whenever systems change.
Develop internal policies. Start formulating a computer-system security management plan and emergency response plan in accordance with the requirements under the Bill, which should cover the appointment of responsible teams and officers, as well as the policies and procedures for safeguarding the security of their CCS and responding to security threats and incidents.
Manage relationships with third-party service providers. Put in place contractual safeguards and monitoring measures to ensure that external service providers comply with (and assist the organisation to comply with) the relevant requirements under the Bill. CIOs often engage external service providers to develop and maintain their computer systems, but the obligations under the Bill remain the CIO's. CIOs should therefore ensure ongoing compliance with their obligations by maintaining clear communication with their service providers, setting expectations through robust contracts, and regularly monitoring their service providers’ performance against the organisation’s security policies, regulatory requirements and industry best practices.
Keep alert. Stay informed about the latest developments in the legislation and the upcoming Codes of Practice (CoPs) (including those to be issued by the Commissioner’s Office and the relevant Designated Authorities), and conduct the necessary staff training.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown Hong Kong LLP, for her assistance with this article.
Mayer Brown’s Cybersecurity & Data Privacy practice addresses the full range of legal, business and reputational risks posed by cyber threats and data privacy obligations. We help clients prioritize and manage these risks in a proactive and coordinated manner across their enterprises. We assist clients in the development of written information security plans and incident response plans, and evaluate those plans through tabletops and other exercises. We also counsel clients as members of incident response teams, including by guiding investigations, liaising with law enforcement, advising on notification obligations, preserving privilege and managing crisis communications.
If you would like to learn more about the Bill and how the recent regulatory developments may affect you, please do not hesitate to get in touch with us.