Introducing JSM
Homegrown.
Global outlook.
Our story is more than 160 years old. It is a story that demonstrates the resilience, spirit and strength the people of Hong Kong are renowned for, as our city grew from the small provincial port in Southern China to become the leading global financial and legal centre that it is today.
When the world has changed so has our firm – always taking the initiative to find the best course through unchartered territory for our clients, the community and our people.
Our story is more than 160 years old. It is a story that demonstrates the resilience, spirit and strength the people of Hong Kong are renowned for, as our city grew from the small provincial port in Southern China to become the leading global financial and legal centre that it is today.
When the world has changed so has our firm – always taking the initiative to find the best course through unchartered territory for our clients, the community and our people.
Insights
Latest publications
In today’s digital era, critical infrastructure – from power and public utilities to transport and communications – has become a frequent target of malevolent hackers, threatening unimaginable chaos to a city like Hong Kong. The frontline is no longer bounded by geographical boundaries.
To defend society’s functioning, economy and public safety against this constant threat of severe disruption, Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap.653) (Ordinance), together with its Code of Practice (CoP) guidelines for gatekeepers at the front line of defence, came into effect on 1 January 2026.
For an overview of the Ordinance and key practical implications, please refer to our previous legal update.
The newly published CoP meanwhile provides practical, actionable guidance for Critical Infrastructure Operators (CI Operators), clarifying their statutory obligations and introducing new standards for the designation, management, and protection of Critical Computer Systems (CCSs).
This legal update provides an overview of the CoP, highlighting some practical implications for CI Operators.
Purpose and nature of the Code of Practice
Published by the Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner) in consultation with designated authorities, the CoP provides CI Operators with practical guidance on how to comply with their obligations under the Ordinance.
While the CoP is not subsidiary legislation – meaning non-compliance itself does not automatically constitute an offence – the Commissioner may issue directions requiring CI Operators to take appropriate action in relation to compliance, with failure to comply an offence under the Ordinance.
Relevantly, the CoP sets out baseline requirements for protecting CCSs, clarifying that it is not intended to target personal data or trade secrets of CI Operators.
It should also be noted that the CoP is not related to any specific sector. CI Operators need to be aware that subsequent sectoral Codes of Practice may be issued by designated authorities, such as the Hong Kong Monetary Authority, and these should be referred to where applicable.
Overview of the CoP
The CoP is organised into sections covering the following areas:
Designation of CCSs and information required for designation (Section 3 – 4 of CoP).
Obligations of CI Operators, namely:
Category 1 obligations to: maintain office in Hong Kong; notify operator changes; and set up and maintain a computer-system security management unit (Section 5 of CoP);
Category 2 obligations to: notify material changes to certain computer systems; submit and implement computer-system security management plan; conduct computer-system security risk assessments; arrange to carry out computer-system security audits; and security measures for operational technology (Section 6 of CoP); and
Category 3 obligations to: participate in computer-system security drills; submit and implement an emergency response plan; and notify authorities of computer-system security incidents within strict time frames (Section 7 of CoP).
Annexures with template forms for notifications and compliance:
Notifying office address
Notifying changes of CI Operators
Notifying appointment of employee supervising CSS Management Unit
Notifying material changes to certain computer systems
Notifying computer-system security incident
Written report for computer-system security incidents
Outline methodology for computer-system security audit required under section 25 of the Ordinance
Sample contract clauses for external service providers
Practical implications for CI Operators
While CI Operators should observe all applicable requirements under the CoP, some key observations and practical implications include:
Expanded and clarified criteria for CCS designation (sections 3.1.3-3.1.4 of CoP): Systems that play a material role in core CI function, storage or processing of sensitive digital data used directly in provision of essential services, or closely linked to other CCSs or CI Operators, are likely to be designated. The CoP specifies it is irrelevant whether a system is isolated from the internet or whether its core function could be switched to manual processing as a standby solution. This is particularly relevant to CI Operators of operational technology (OT) hardware and software. Importantly, the CoP makes clear that CCS security systems such as firewalls, security gateways, and intrusion prevention systems, as well as backup facilities and high-availability systems, are also included within the scope of designation.
Why this matters: This expanded criteria is particularly significant for CI Operators utilising OT for critical functions, as this now falls under the scope of the CoP, which explicitly affirms that industrial control systems — including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC) — are considered “computer systems” under the Ordinance. Historically, industrial control systems relied on “air-gapping” or effective isolation from external networks as a natural security barrier. However, as industries embrace digital transformation, the convergence of OT and IT has become essential for monitoring operations and driving efficiency.
This increased connectivity introduces new vulnerabilities, which the CoP acknowledges by removing internet isolation as a defence against designation.
CI Operators must therefore recognise that legacy “air-gapped” environments or SCADA platforms are now squarely within the regulatory scope if they fulfil the critical functions defined in the Ordinance.
Clarifying requirements of computer-system security management unit (sections 5.3 and 6.2 of CoP): CI Operators are required to set up and maintain a computer-system security management unit under the Ordinance.
Although most organisations already have such a function, the CoP clarifies the necessity for a clear management structure in place for computer-system security, with lines of authority, roles and responsibilities of relevant personnel clearly set out.
The CoP makes clear that such units need not be based in Hong Kong.
The Ordinance also requires employees appointed to supervise the computer-system security management units to have “adequate professional knowledge in relation to computer-system security”. Examples of professional qualifications deemed appropriate include: Certified Information Security Professional (CISP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP). The CoP also provides a template form under Annex C for CI Operators to notify the Commissioner of such appointments.
Why this matters: Beyond the administrative setup, the Computer-System Security Management Plan is of critical significance as it places duty on the Board of Directors (or a delegated sub-committee or senior management). This document is the linchpin for ensuring CI Operators fulfil their statutory obligations under Schedule 3 of the Ordinance. It serves as the operational roadmap for compliance, covering areas frequently identified as high-risk in cybersecurity cases (which is consistent with our experience), including:
Risk Management Approach (Section 6.2.7 of CoP);
Security by Design (Section 6.2.8 of CoP);
Privileged Access Management (Section 6.2.11 of CoP);
Patch Management (Section 6.2.17 of CoP); and
Supply Chain Management (Section 6.2.25 of CoP).
This plan must be endorsed by the Board of Directors (or a delegated sub-committee or senior management). This requirement is substantial as it places responsibility for the CI Operator’s security posture squarely at the feet of the Board, ensuring that cybersecurity is treated not just as an IT issue – but critical governance priority.
Clarifying scope of computer-system security incidents (sections 7.3.2 – 7.3.4 of CoP): Usefully, the CoP clarifies that computer-system security incidents must involve access or acts without lawful authority that have an actual adverse impact on affected CCSs. This does not include incidents arising from pure technical failure, natural disasters, mass power outage, computer-system security threats that are promptly detected and removed or quarantined, or personal data breaches arising from human error.
In addition, the CoP lists computer-system security incidents to include large-scale Distributed Denial of Service (DDoS) attacks causing degradation of an essential services, ransom DDoS attacks, ransomware attacks that causes suspension of an essential service or shows signs of data compromise and unintended external connection to a CCS caused by malware infection or by an adversary exploiting a vulnerability.
Why this matters: It is critical for CI Operators to recognise the thresholds for when notification is to be triggered. A specific threat to launch an attack at a specified time, if likely to cause disruption or data leakage, is considered a “serious computer-system security incident”. This means the obligation to notify could be triggered even before an attack is executed.
This has significant operational implications: Such threats must be notified to the Commissioner within 12 hours of the CI Operator becoming aware of them. CI Operators must therefore ensure their incident response protocols are sensitive enough to detect and escalate credible threats immediately, rather than waiting for the attack to materialise.
Detailed obligation to submit and implement security management plans: CI Operators are required to develop, implement, and maintain comprehensive plans to protect the security of CCSs in accordance with Schedule 3 Part 1 of the Ordinance. Compliance should be ensured by fulfilling requirements stated under section 6.2.5-6.2.27, 6.3 to 6.5 of the CoP.
Key operational requirements include:
Logging and retention: Logs of certain CCS activities such as log-on attempts, privileged access and changes to access rights must be retained for a minimum of six months.
Assessment and audit: The plans must also provide for regular risk assessments and biennial audits, conducted by qualified professionals with appropriate certifications.
Governance and training: The organisational structure, roles and responsibilities of personnel involved in CCS operations must be clearly defined, with ongoing training programmes established to ensure that all staff are aware of their security responsibilities.
Supply chain management: CI Operators should ensure responsibility allocation with its suppliers is clearly defined and agreed in writing. The CoP provides some sample contract clauses for use with external service providers regarding liability for complying with the Ordinance (Annex H of the CoP). These clauses require the service providers / contractors to comply with the Ordinance, all applicable laws, and relevant codes of practice.
Why this matters:
“Living documentation”: Security management plans (and their related policies) should be considered as ‘living documents’. They need to be reviewed frequently and continually updated to reflect constantly evolving cybersecurity risks and even operational changes.
Ripple effect on contractors: Contractors are made responsible for actions of their personnel and subcontractors, and contracts should clearly set out deliverables, service levels, and compliance expectations. Although the Ordinance only applies to designated CI Operators, it will have a ripple effect as there are consequences for third parties doing business with them.
Clarifying participation in computer-system security drills (Section 7.1 of CoP): CI Operators will receive notification from the Commissioner to participate in computer-system drill assessing the validity and effectiveness of their emergency response plan, as well as participating personnel’s knowledge of their roles and responsibilities in security incident response. Drills will be required no more than once every two years. They may be in the form of tabletop exercise, functional exercise, simulated attack or by other means deemed appropriate by the Commissioner. The CoP states that CI Operator personnel required to participate include: management personnel, computer-system security management unit, emergency response team, public relations or corporate communications personnel and other personnel deemed necessary by drill scenario and CI Operator, such as cybersecurity insurer. CI Operators are also encouraged to include their nominated breach counsel in the drill.
Why this matters:
Compliance and institutional readiness: This requirement formalises the testing of incident readiness, shifting it from internal best practice to regulatory obligation. Beyond satisfying the statutory requirement, these drills are essential for building institutional muscle memory. By mandating the involvement of non-technical stakeholders, the CoP reinforces the reality that cyber incident response is not solely an IT function but a critical business continuity issue involving reputation management and high-level decision making.
Strengthening cohesion with external advisors: While the CoP lists cybersecurity insurers as potential participants, CI Operators are strongly encouraged to also include their nominated breach counsel or external legal advisors in these drills. Integrating legal counsel into the exercise is vital for practising how to establish and maintain legal professional privilege, manage liability exposure in real-time, and advise on legal issues arising from a breach. These are critical reflexes that must be honed in a simulated environment before a real crisis occurs to ensure the team is aligned on legal risks.
Incident response and business continuity planning are also emphasised (Section 7.2 of CoP): The CoP places significant emphasis on preparedness, mandating that CI Operators maintain robust emergency response plans. These plans must set out clear protocols for responding to computer-system security incidents, specifically covering three key areas:
Incident management: Procedures for detecting, analysing and containing incidents.
Business continuity: Strategies to maintain essential functions during a disruption.
Disaster recovery: Protocols for restoring data and systems to normal operation.
Crucially, these plans should be endorsed by senior management. As with security management plans, they should also be reviewed regularly – particularly following material changes to CCSs – and in any case at least once every two years.
Why this matters:
Tailored response is critical: There is no “one-size-fits-all” solution. Every emergency response plan must be carefully bespoke, dedicated specifically to ab organisation’s unique operational realities and risks. These plans also need to be tested through practising. From experience, incidents seldom unfold how the playbook expects. An unpractised plan is just a document; a practised plan is capability.
Ready-to-Go communications: A critical component is the communications plan, mandated by the CoP for communicating with internal and external stakeholders. To ensure speed and accuracy during a crisis, this should include pre-approved, “ready-to-go” internal and external communication templates.
Addressing the “Unwritten” gaps: While the CoP provides a baseline, prudent operators should go further. For example, the CoP does not explicitly mandate an out-of-band communications network, but having an alternative channel is vital if your primary infrastructure (such as the Active Directory) is compromised. Similarly, organisations should proactively develop their own internal ransom policy to guide decision making under pressure.
Key takeaways
The CoP introduces detailed operational standards that impact the governance, risk management and contractual arrangements of CI Operators. Beyond mere checklist compliance, the “practical implications” discussed here highlight several critical shifts in responsibility and strategy including:
Board-level accountability: Cybersecurity is no longer solely an IT issue. The requirement for Board endorsement of the Computer-System Security Management Plan places responsibility for the CI’s security posture directly on senior leadership.
Proactive threat reporting: The threshold for notification has lowered significantly. Credible threats must be reported within 12 hours, meaning operators must constantly monitor and escalate risks immediately, rather than waiting for an attack to materialise.
Institutional readiness: Security drills are now a regulatory obligation, not just a best practice. These exercises should build “institutional muscle memory” and include non-technical stakeholders, including external breach/legal counsel to manage privilege and liability.
Supply chain ripple effects: Security management plans must be treated as “living documents”, necessitating frequent updates that will inevitably impact third-party contractors through stricter contractual deliverables and liability clauses.
Given the complexity and potential legal exposure, CI Operators are strongly encouraged to consult with relevant professionals to ensure they comply with the Ordinance and CoP.
Early engagement with legal and technical advisors will help organisations navigate the new regulatory landscape, mitigate risks, and build resilience in the face of evolving cyber threats.
It is expected there will also be sectoral codes published subsequently, so compliance will not always be limited to the CoP.
JSM is well-placed to assist clients in their compliance journey with the Ordinance and CoP, leveraging our deep practical experience helping critical infrastructures navigate cybersecurity incidents and their legal exposure. We have a strong track record in conducting extensive incident response plan reviews and executive tabletop incident response workshops.
Legal updates
19 January 2026
Legal updates
13 January 2026
1. Background
Virtual assets (VA) related activities are subject to regulatory regime under the Securities and Futures Ordinance, Cap. 571 Laws of Hong Kong (SFO) and/or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, Cap. 615 Laws of Hong Kong (AMLO).
The SFO regime applies to activities relating to VA that falls in the definition of “securities” or “futures contracts” under the SFO (Securities VA). The AMLO regime applies to VA not caught by those definitions (Non-securities VA).
The SFO regime is more comprehensive, covering dealing, advisory, asset management and custody activities relating to Securities VA. At present, the AMLO regime only covers operating VA exchange but not the other activities relating to Non-securities VA.
The Financial Services and the Treasury Bureau (FSTB) and the Securities and Futures Commission (SFC) jointly launched public consultations in June 2025 on proposed changes to the AMLO for establishing a licensing regime for dealing and custodian services relating to Non-securities VA.
Consultation conclusions were published on 24 December 2025, along with the launch of further public consultation on proposed changes to the AMLO for establishing the licensing regime for advisory and management services relating to Non-securities VA.11 The target is to introduce a bill to the Legislative Council in 2026.
2. Key takeaways
Alignment of AMLO regime and SFO regime
The expanded licensing regime for Non-securities VA will align with the licensing regime for Securities VA. Both regimes adopt an activity-based approach. This demonstrates the regulatory philosophy and policy of “same activity, same risks, same regulation” principle. Under the SFO, Type 122 licence is required for dealing, Type 433 licence is required for advisory, Type 944 licence is required for portfolio management, and Type 1355 licence is required for custodian services relating to Securities VA. Corresponding licence types are now expected to be established under the AMLO for Non-securities VA.
No transition or deeming arrangements
The FSTB and SFC do not plan to provide transition or deeming arrangements to existing Non-securities VA service providers. This is intended to offer optimal investor protection and avoid creating confusion over licensing status. Accordingly, the licensing regime will take full effect on commencement date(s) to be designated in due course. To alleviate practical difficulties arising from a “hard” commencement date, the Government and the SFC will take into account the time that market participants need to adjust their business models in deciding the appropriate commencement date(s). Existing service providers are strongly encouraged to initiate pre-application processes and early engagement with the SFC or (where the service provider is an authorized institution under the Banking Ordinance, Cap. 155 Laws of Hong Kong) the HKMA.
Expedited licensing and registration process for existing regulated entities
For entities licensed by the SFC under the present regulatory regime for VA-related activities and already engaged in the relevant licensed activities, the SFC will introduce an expedited licensing and registration process for them under the expanded AMLO regime.
Advancing market access and regulatory clarity
Under Pillar A (Access) of its ASPIRe roadmap66, the SFC aims to integrate Hong Kong with global liquidity to foster the continued growth of Hong Kong’s digital asset ecosystem and advance Hong Kong as a global hub for innovation. The enhanced VA regulatory framework offers comprehensive, integrated regulation across the full VA value chain and regulatory clarity.
3. High-level summary of proposed licensing requirements and criteria
(i) VA dealing
What amounts to dealing in Non-securities VA?
The proposed scope aligns with Type 1 licence for dealing in Securities VA under the SFO regime and covers any person, by way of business:
Making or offering to make an agreement with another person, or
Inducing or attempting to induce another person
to enter into or offer to enter into an agreement, with a view to acquiring, disposing of, subscribing for or underwriting Non-securities VAs.
Activities within scope may include payment service providers offering to buy or sell Non-securities VA to facilitate transactions, margin trading in Non-securities VA, Non-securities VA staking, Non-securities VA borrowing and lending, and possibly peer-to-peer transactions, or provision of decentralised or technological services if the activities fall within the scope of the licensing requirements having regard to their nature and substance.
Exemptions
Exemptions being considered by the FSTB and SFC include: transactions conducted through SFC-regulated VA dealers, transactions conducted as principal, intra-group transactions, use of Non-securities VA by purchasers of goods/services as payment for goods/services and stablecoin activities conducted by HKMA-licensed stablecoin issuers, as well as activities relating to Non-securities VA generated as rewards for ledger maintenance, or minted through SFC-regulated intermediaries.
(ii) VA custodian
What amounts to custody services for Non-securities VA?
The proposed scope aligns with the relevant scope of Type 13 licence for providing depositary services for relevant collective investment schemes under the SFO regime and covers:
Custodians which, by way of business, safekeep private keys or similar instruments enabling the transfer of Non-securities VA
Entities within scope may include associated entities of SFC-licensed VATPs, entities holding Type 13 licence under the SFO, and entities holding Type 9 licence under the SFO – if they provide VA custodian services by way of safekeeping the private keys (or similar instruments).
Exemptions
Exemptions being considered by the FSTB and SFC include top-layer trustees or fund managers delegating Non-securities VA custody to third-party custodians and HKMA-licensed stablecoin issuers only providing custody of stablecoins issued by them to clients.
Pending publication of the legislative bill setting out details of amendments to the AMLO, below is a high-level summary of some potential eligibility requirements and minimum criteria for obtaining licences for conducting Non-securities VA activities under the expanded AMLO regime.
VA dealing
VA custodian
Corporation
An applicant must either be:
(i) a locally incorporated company with a permanent place of business in Hong Kong, or (ii) a company incorporated elsewhere but registered in Hong Kong under the Companies Ordinance, Cap. 622 Laws of Hong Kong
Same as dealer
Financial resources
Except for banks which are subject to HKMA’s capital requirements, a dealer should have adequate financial resources for operating its Non-securities VA business. These include baseline financial resources of a minimum paid-up share capital of HK$5 million and a minimum required liquid capital of up to HK$3 million (depending on business model). The SFC will also retain flexibility to impose additional financial resources requirements where necessary (e.g. excess liquid capital equivalent to at least 12 months of its actual operating expenses)
Except for banks which are subject to HKMA’s capital requirements, a custodian should have adequate financial resources for operating its Non-securities VA business. These include baseline financial resources of a minimum paid-up share capital of HK$10 million and a minimum required liquid capital up to HK$3 million (depending on the business model). The SFC will also retain flexibility to impose additional financial resources requirements where necessary (e.g. additional requirements calibrated with reference to scale of business)
Fit and proper tests
The applicant, its substantial shareholders, ultimate owners, directors and personnel carrying out the dealing functions are required to satisfy the fit and proper tests prescribed by the SFC
Same as dealer
Responsible officers
At least two responsible officers approved by the SFC or two executive officers approved by the HKMA (as the case may be) to be generally responsible for ensuring compliance with anti-money laundering/counter-financing of terrorism requirements and other regulatory requirements, and be held personally accountable in case of non-compliance
Same as dealer
Knowledge, experience and risk management
A dealer is required to have proper corporate governance structure with suitable personnel having necessary knowledge and experience to discharge their responsibilities effectively, and to put in place appropriate risk management policies and procedures for managing money laundering/terrorist financing and other risks
Same as dealer
Conduct of business
A dealer is required to act honestly, fairly, with due skill, care and diligence, in the best interests of its clients and integrity of the market, as well as comply with all statutory and regulatory requirements applicable to the conduct of its business activities
Same as dealer
Financial reporting and disclosure
A dealer should observe prescribed auditing and disclosure requirements and submit audited accounts
Same as dealer
Record keeping
A dealer is required to maintain proper records in relation to its business activities, with the SFC/HKMA having right of access as part of the regulator’s ongoing supervision
Same as dealer
Investor protection
A dealer should put in place measures to ensure investor protection and suitability of its services and products, such as client VA knowledge assessment, client risk assessment and risk profiling, and prevent and disclose actual or potential conflicts of interest
The SFC is still formulating regulatory requirements for mitigating the risks associated with VA custodian services. The SFC will build upon the regulations established for VATPs and use the VATP Guidelines77 (particularly Chapter X on Custody of Client Assets) as baseline reference. The SFC will also actively engage the industry as part of its early engagement process in setting regulatory requirements
Use of SFC-regulated custodians
In the early stage, the SFC will require a dealer to custody client Non-securities VA with SFC-regulated VA custodian service providers to ensure proper asset segregation and reduce insolvency, fraud and cyberattack risks
N/A
Information and notification
A dealer will be required to submit a wide range of information (for example, details in respect of wallet addresses used in the course of business, scope and nature of business, types of services offered to clients)
Same as dealer
4. Further consultations on Non-securities VA advisory and management
Further consultation by the FSTB and SFC on establishing the licensing regime for advisory and management services relating to Non-securities VA is scheduled to end on 23 January 2026.
(i) VA advisory
What amounts to advising on Non-securities VA?
The proposed scope aligns with Type 4 licence for advising on Securities VA under the SFO regime and covers:
Giving advice on whether, which, the time at which, or the terms or conditions on which Non-securities VA should be acquired or disposed of, or issuing analyses or reports to facilitate such decisions
Other proposals
Financial resources: Minimum paid-up share capital of HK$5 million; and minimum required liquid capital of HK$100,000 (for not holding client assets) or HK$3 million (in any other case)
Exemptions: Similar exemptions to Type 4 licence under the SFO regime. These may include solely advising wholly-owned group companies, acts wholly incidental to licensed VA dealing or VA fund management, advice of solicitors/counsels/CPAs wholly incidental to their professional practice, acts wholly incidental to registered trust companies’ discharge of duties, etc.
(ii) VA management
What amounts to managing Non-securities VA?
The proposed scope aligns with Type 9 licence for portfolio management of Securities VA under the SFO regime and covers:
Providing a service of managing a portfolio of Non-securities VA for another person
Other proposals
Financial resources: Minimum paid-up share capital of HK$5 million; and minimum required liquid capital of HK$100,000 (not holding client assets) or HK$3 million (in any other case)
Custody requirements: The SFC is considering whether VA management service providers should safekeep the Non-securities VA of private funds they manage only with SFC-regulated VA custodians, or whether they should have the flexibility to appoint any custodian
Exemption: The SFC is considering whether to exempt self-custody by private fund/venture capital fund managers of Non-securities VA up to a limited threshold
5. Further reading
FSTB and SFC conclude consultations on virtual asset dealer and custodian regimes, further consult on two new regimes
Further Public Consultation on Legislative Proposal to Regulate Virtual Asset Advisory Service Providers and Virtual Asset Management Service Providers
Public Consultation on Legislative Proposal to Regulate Dealing in Virtual Assets
Consultation Conclusions Legislative Proposal to Regulate Dealing in Virtual Assets and Further Public Consultation Legislative Proposal to Regulate Virtual Asset Advisory Service Providers and Virtual Asset Management Service Providers
Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services
Consultation Conclusions Legislative Proposal to Regulate Virtual Asset Custodian Services
Legal updates
8 January 2026
The People’s Bank of China (PBOC) has unveiled The Action Plan for Further Strengthening the Digital Yuan Management Service System and Related Financial Infrastructure Construction (the “Action Plan”) (《关于进一步加强数字人民币管理服务体系和相关金融基础设施建设的行动方案》), which took effect on 1 January 2026.
The Action Plan lays down a new generation of digital yuan measurement framework, management system, operational mechanism and ecosystem.
Based on announcements by The State Council of the People’s Republic of China and various news agency reports, key take-aways compiled from the Action Plan are as follows:
1. Transition from digital cash to digital deposit currency
The Action Plan marks the transition of digital yuan from the digital cash era (数字现金时代) to the digital deposit currency era (数字存款货币时代).
This builds on experience accumulated from extensive domestic and cross-border trials of adopting digital yuan across a wide range of daily uses.
The digital yuan pilot programme covered use cases in retail transactions, dining, tourism, education, healthcare, public services and cross-border settlements.
The pilot established a reliable and scalable model for digital currency in both online and offline scenarios. As of the end of November 2025, China recorded 3.48 billion cumulative digital yuan transactions worth 16.7 trillion yuan (approximately USD2.37 trillion).
2. Objective of the upgraded framework
The enhanced system aims at providing technical support and regulatory framework for future development of digital yuan.
The new generation digital yuan will be account-based bank deposit liabilities of commercial banks – protected by deposit insurance and compatible with distributed ledger technology.
Issued within the financial system and commonly used as digital payment currency, it will be valuated and stored as a currency and perform cross-border payment and settlement.
The account system + coin string/chain + smart contract (账户体系+币串+智能合约) digitalisation plan aims at upgrading the existing bank account system, incorporating digital yuan wallets with emerging technology applications.
The objective is to:
Enhance digitalisation of RMB issuance, circulation, payment and other smart initiatives
Upgrade the digital yuan smart contract service platform and ecosystem to support construction of an open-source smart contract ecosystem
3. Cash-based digital currency 1.0 to deposit-based digital currency 2.0 (数字人民币现金型1.0版 → 存款货币型2.0版)
The Action Plan establishes the operational basis for classifying digital yuan held in commercial bank wallets as bank deposit liabilities.
Under the enhanced system, commercial banks are required to pay interest on real-name digital yuan wallet balances in accordance with deposit rate regulations. These balances are integrated into the regular asset-liability management practices of banks and protected by deposit insurance, in the same way as ordinary bank deposits.
4. Reserve requirement
Digital yuan operations are subject to the reserve requirement framework of the PBOC.
Wallet balances held by authorised commercial banks will be counted in the reserve requirement calculation, while non-bank payment institutions must deposit 100% reserves against the digital yuan under their management.
5. Digital yuan governance
To achieve the set objectives, it is crucial to maintain a stable and secure environment with an ongoing risk management framework.
On regulatory and management, the PBOC has established the Digital Yuan Management Committee (数字人民币管理委员会) to coordinate and supervise the relevant business lines collectively.
On implementation, operational security and continuity, a “two-wing” structure supporting domestic and international dual circulation is put in place. Under the management of the Digital Currency Research Institute (数字货币研究所), the Digital Yuan Operations Management Centre (数字人民币运营管理中心) and the Digital Yuan International Operations Centre (数字人民币国际运营中心) will be respectively responsible for the construction, operation and security safeguarding of the central bank’s digital yuan system and cross-border business system.
Sources:
China to enhance digital yuan management with deposit features starting 2026
数字人民币迎来重大调整__中国政府网
事关数字人民币,央行行动方案出炉,明年1月1日正式实施
央行:新一代数字人民币运行机制将于2026年1月1日正式启动实施–经济·科技–人民网 https://finance.people.com.cn/n1/2025/1229/c1004-40634653.html
数字人民币新方案元旦实施 余额可收息
2026年起数字人民币钱包余额可计息(政策速递)http://gs.people.com.cn/BIG5/n2/2025/1231/c183342-41459775.html
Legal updates
2 January 2026
The Hong Kong Monetary Authority (HKMA) launched the Intellectual Property (IP) Financing Sandbox in collaboration with the Commerce and Economic Development Bureau (CEDB) and the Intellectual Property Department (IPD) on 22 December 2025.
The initiative which was announced in the Chief Executive’s 2025 Policy Address11 aims to provide a collaborative and risk-controlled environment for banks to pilot IP financing arrangements with the support of the insurance, valuation, legal and other professions.
It was launched following engagement by the HKMA, CEDB and IPD with The Hong Kong Association of Banks, Chinese Banking Association of Hong Kong and relevant stakeholders in the IP financing ecosystem.
The IP Financing Sandbox seeks to explore ways to address the unique challenges of using IP assets such as patents, trademarks and copyrights to secure bank financing. These challenges include difficulties in valuating IP assets, the absence of a liquid and transparent secondary market, and the lack of a solid understanding of IP by many lenders and investors.
IP financing and ultimate objective
IP financing serves the unique needs of innovative enterprises – especially small and medium-sized enterprises (SMEs) – that are rich in IP assets but often lack tangible assets to secure bank financing.
The IP Financing Sandbox allows Authorized Institutions (AIs) to test the full lifecycle of an IP financing transaction and accumulate practical experience through real financing transactions.
With support from the other participating stakeholders and feedback from the HKMA, AIs can gain insights on crucial aspects of IP financing – including verifying the validity and enforceability of IP rights, obtaining independent valuation of the IP assets, performing credit risk assessment and credit approval, creating a charge or security interest over the IP assets where appropriate, and fulfilling loan drawdown requests from clients.
The initiative aims to improve access to financing for innovative enterprises with IP assets through promoting awareness of IP assets as a valuable asset class along with collaboration amongst AIs and other stakeholders.
The ultimate objective is to enhance development of an IP trading ecosystem in Hong Kong.
The government and the HKMA will oversee the implementation of the IP Financing Sandbox. The government, through CEDB and IPD, will assess the need for developing a set of local IP valuation guidelines incorporating standards that are acceptable to all stakeholders.
The HKMA will share good practices and consider the need for developing further supervisory guidance on the credit risk management aspect of IP financing.
Hong Kong’s three note-issuing banks are the inaugural participants of the IP Financing Sandbox. They have solicited interest from clients from the biotechnology, electronics and technology sectors to conduct pilot trials through the initiative.
Operating principles of the IP Financing Sandbox
Recognition of IP value: Participating AIs will take into account the value of IP assets owned by the borrowing enterprises, including but not limited to the fair value as defined in the International Financial Reporting Standards22, market value, equitable value/investment value and liquidation value, alongside a host of other relevant factors such as the borrower’s credit demand, overall financial position and repayment ability, in the credit underwriting process.
Independent IP valuation: IP valuation is expected to be conducted by independent IP valuation service providers who are members of reputable local or overseas professional organisations such as the Hong Kong Institute of Surveyors, the Hong Kong Institute of Certified Public Accountants, CFA Society Hong Kong and the Royal Institute of Chartered Surveyors. These IP valuation service providers are expected to use standardised methodologies for IP valuation such as the income, market or cost approach.
Risk management: Participating AIs should comply with applicable supervisory requirements on credit risk management and other risk areas, while participating enterprises should comply with the legal and regulatory requirements in respect of maintaining and developing the IP assets concerned.
Links to HKMA press release and circular
Hong Kong Monetary Authority – HKMA, CEDB and IPD launch IP Financing Sandbox
Intellectual Property Financing Sandbox (Annex)
People
Find a lawyer
Learn more about our lawyers and the work they do for clients in Hong Kong, across the region and globally.
View all
Responsible business
Explore
Careers
At Johnson Stokes & Master, we provide a pathway for your professional growth and advancement. With our deep-rooted and extensive history, we invite you to explore current opportunities to join us, thrive in a supportive environment, and make a meaningful impact for our clients.
View more
