Legal update 21 March 2025

Securing critical infrastructures: What you need to know about Hong Kong’s first cyber legislation

After nearly two years of deliberation and consultation with various stakeholders, the Protection of Critical Infrastructures (Computer Systems) Bill (the “Bill”) was passed by the Legislative Council on 19 March 2025. As stated by the Secretary for Security, Chris Tang, the purpose of the law is to “establish legal requirements for organisations designated as critical infrastructure operators”. The Bill is expected to come into effect on 1 January 2026.

Last year, we published an update discussing the initial proposed legislative framework (“Proposed Framework”) and another update summarising the Security Bureau’s response to stakeholders’ feedback regarding the Proposed Framework (“Consultation Report”).

This legal update provides a brief overview of the scope as well as the main obligations under the Bill. We also discuss specific issues that entities regulated by the Bill should be mindful of.

Scope of regulation

There are three definitions essential to understanding the Bill and the scope of its regulation: (i) critical infrastructures (“CI”), (ii) CI operators (“CIOs”) and (iii) Critical Computer Systems (“CCS”).

Designations of CI and CIOs

The Bill imposes various obligations on CIOs, i.e. organisations that operate CI. The Bill provides that CI are those essential to the continuous provision in Hong Kong of an essential service in 8 designated sectors, namely: (1) energy, (2) information technology (IT), (3) banking and financial services, (4) air transport, (5) land transport, (6) maritime transport, (7) healthcare services and (8) telecommunications and broadcasting services (“Designated Sectors”).

It is worth noting that an infrastructure not within the eight Designated Sectors may still be considered as a CI if damage or loss of functionality to it may hinder or substantially affect the maintenance of critical societal or economic activities in Hong Kong. Examples may include major sports and performance venues or major technology parks.

However, the Bill does not provide definitions of the Designated Sectors. The Consultation Report acknowledged that stakeholders had called for a clearer and narrower definition of the IT sector, but the Security Bureau maintained its position and stated that it would communicate with potential CIOs before designating them as such.

Designations of CCS

The Bill provides that a CCS is one that is accessible by a CIO in or from Hong Kong and that is essential to the core function of a CI. The Bill applies to CCSs and CIs whether they are in-house or outsourced.

Extraterritorial application

The Consultation Report clarified that the Bill does not have extraterritorial effect. The Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner”) will only request information that is accessible by CIOs with offices set up in Hong Kong. With this in mind, CIOs that operate in multiple jurisdictions should carefully consider the access granted to a CIO’s office in Hong Kong.

Obligations of CIOs

The Bill provides three main categories of obligations to be borne by CIOs:

Organisational obligations (Category 1 Obligations)
  • Maintain a physical office in Hong Kong for carrying on the CIO’s business (i.e. not merely a correspondence address)
  • Report any change in operatorship of CIs within 1 month from when the change occurs
  • Set up a computer-system security management unit (in-house or outsourced)

Preventive obligations (Category 2 Obligations)
  • Notify the Commissioner’s Office of the following within 1 month of its occurrence:
    • material changes in the design, configuration, security or operation, etc. of a CCS
    • addition of a CCS to, or removal of a CCS from, the CI
    • changes that render an existing system essential to the core function of the CIO
  • Formulate, implement and submit a computer-system security management plan[1] within 3 months after receiving designation as a CIO (unless an extension is granted)
  • Conduct a computer-system security risk assessment at least once every 12 months and submit a report within 3 months after each assessment period (unless an extension is granted)
  • Conduct an independent computer-system security audit at least once every 24 months and submit a report within 3 months after each audit period (unless an extension is granted)

Incident reporting and response obligations (Category 3 Obligations)
  • Participate in a computer-system security drill organised by the Commissioner’s Office
  • Formulate an emergency response plan[2] and submit the plan within 3 months after receiving CIO designation
  • Notify the Commissioner of computer-system security incidents:
    • incidents that have disrupted, are disrupting or are likely to disrupt the core function of the CI must be reported within 12 hours after the CIO becomes aware of the incident
    • other incidents must be reported within 48 hours after the CIO becomes aware of the incident
  • Submit a written report of the incident within 14 days from the date on which the CIO first becomes aware of the incident

Non-compliance with the obligations under the Bill may constitute offences punishable with maximum fines ranging from HK$500,000 to HK$5 million. If it is a continuing offence, the additional daily maximum fine ranges from HK$50,000 to HK$100,000 for every day during which the offence continues. It is important to note that the defences of “due diligence” (i.e. the commission of the offence was due to a cause beyond the defendant’s control and the defendant took all reasonable precautions and exercised all due diligence to avoid committing the offence) and “reasonable excuse” (i.e. the defendant has sufficient evidence to raise an issue that it had such a reasonable excuse and the contrary is not proved by the prosecution beyond reasonable doubt) are available for certain offences under the Bill.

The penalties under the Bill only apply to CIOs at the organisation level and do not extend to senior management at the individual level. However, if the violations involve criminal acts such as providing false information or fraud-related activities, then the relevant individuals may be held personally liable for those criminal acts.

Regulatory and enforcement authorities

The Bill will be enforced by the Commissioner’s Office, which is expected to be established by June this year.[3]

The Bill also designates regulators of certain industries as designated authorities, which currently include only the Monetary Authority (regulating the banking and financial services sector) and the Communications Authority (regulating the telecommunications and broadcasting services sector).

Potential issues for further consideration

Being the first legislation of its kind in the city, some concepts in the Bill may require further clarification to enable effective compliance by CIOs. We highlight a few issues below which CIOs may need to consider when preparing for compliance with the Bill.

(1) What is a computer-system security incident?

CIOs have an obligation to notify and respond to computer-system security incidents (“Security Incidents”). A Security Incident is defined in the Bill to mean an event that involves unauthorised access to the CCS, or any unauthorised acts done on or through the CCS or another computer system that has an actual adverse effect on the computer-system security of the CCS.

“Adverse effect” is not defined in the Bill, and it is possible the Commissioner or designated authorities may release further codes of practice to elaborate on this term. The Secretary for Security has clarified that the term can generally be understood as “compromising or undermining of the availability, integrity and confidentiality of the information or services of a CCS or its protection ability”.[4]

The Consultation Report noted that the Code of Practice (“CoP”) will provide guidelines and examples on what would amount to Security Incidents. In the meantime, it may be helpful to refer to similar legislation in other jurisdictions to understand the types of incidents that may have an “adverse effect” on a CCS.

Singapore

Singapore’s Cybersecurity Act 2018 adopts a similar definition for “cybersecurity incident”, which is defined as “an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system”.[5]

In the Explanatory Statement for the Cybersecurity Act 2018, it was further explained that a cybersecurity incident is a cybersecurity threat that has been realised, with the following examples provided:[6]

  • The unauthorised hacking of a computer;
  • The accessing of a hyperlink in a phishing email that results in the installation of a malicious computer program; and
  • The opening of an infected document in an email that results in the execution of a malicious computer program.

The United Kingdom

The United Kingdom’s Network and Information Systems Regulations 2018 provide that operators of essential services should report incidents (an incident being defined as any event having an actual adverse effect on the security of network and information systems) that have a significant impact on the continuity of the relevant essential services.[7] While what constitutes a significant impact may vary depending on the industry, the following factors are relevant in determining the significance of the impact:

  • The number of users affected by the disruption of essential services;
  • The duration of the incident; and
  • The geographical area affected by the incident.

(2) Where do the codes of practice stand in the legislative regime?

The Bill provides that a regulating authority may issue codes of practice to provide practical guidance on how CIOs are to comply with their obligations under the Bill. The codes of practice are not part of the Bill and the failure to comply with a code of practice does not give rise to any civil or criminal liability per se. However, CIOs should note that the codes of practice are admissible evidence in legal proceedings and that proof of contravention of such may be relied on by parties to the proceedings.

(3) What are regulated organisations?

The Bill provides parallel regimes for the regulation of CIOs and regulated organisations. Regulated organisations are CIOs specified in the Bill that are regulated by specified designated authorities. All other CIOs are regulated by the Commissioner. The parallel regimes may prevent double reporting obligations by the regulated organisations.

Regulated organisations are not subject to fewer obligations than other CIOs under the Bill; the major difference is that they are regulated by different authorities and thus have different points of contact when fulfilling their statutory obligations. It is worth noting that designated authorities only regulate Category 1 and 2 Obligations. It seems the Bill intends for the Commissioner to regulate Category 3 Obligations (i.e. obligations relating to incident reporting and response) for all CIOs. Therefore, CIOs operating in the banking and financial services and telecommunications and broadcasting services sectors are likely to have to notify multiple authorities if they become aware of a Security Incident.

Currently, the Bill only specifies the designated authorities and regulated organisations in the table below. It is anticipated that more may be added to the list in the future.

Relevant sector: Banking and financial services
Designated authority: Monetary Authority
Regulated organisations:
  • Authorised institutions
  • Licensees as defined by section 2 of the Payment Systems and Stored Value Facilities Ordinance (Cap. 584)
  • Settlement institutions of a designated system[8]
  • System operators of a designated system

Relevant sector: Telecommunications and broadcasting services
Designated authority: Communications Authority
Regulated organisations:
  • Holders of a unified carrier licence
  • Holders of a space station carrier licence
  • Domestic free television programme service licensees
  • Licensees as defined by section 13A(1) of the Telecommunications Ordinance (Cap. 106)

(4) What should a computer-system security risk assessment cover?

A CIO must conduct regular computer-system security risk assessments, which shall include, among other things, a vulnerability assessment and a penetration test.

Vulnerability assessment is defined to mean “an assessment that (a) systematically examines the system for known vulnerabilities; and (b) aims at identifying the vulnerabilities of the system for preventing any exploitation of them.”

Penetration test means “a test that (a) simulates an attack on the system by electronic means and (b) aims at identifying the vulnerabilities of the system through the simulated attack.”

(5) What are the requirements for computer-system security management plans and emergency response plans?

CIOs are required to submit a computer-system security management plan and an emergency response plan that cover the matters specified in Schedule 3 of the Bill within 3 months after their designation as CIOs. Importantly, the submission of these plans is among the earliest obligations that CIOs need to fulfil upon their designation. As the Bill imposes extensive requirements on these plans, potential CIOs should plan and start preparing them early. CIOs should review their upcoming budgets and ensure they allocate sufficient resources for complying with the requirements under the Bill, especially where external consultants may need to be engaged.

Requirements on computer-system security management plans

The Bill provides for general matters that a computer-system security management plan should cover, including:

  • and personnel responsible for the risk management of the CCS;
  • The process of identifying the computer systems essential to the functioning of the critical infrastructures;
  • Policies and guidelines for the identification of risks relating to computer-system security, detection of threats, controlling of access to systems, etc.; and
  • The provision of training to staff whose work relates to the computer-system security of the CCS.

A computer-system security management plan should also include an emergency response plan.

Requirements on emergency response plans

The Bill provides that emergency response plans should at a minimum cover the following matters:

  • The division of work in the team responsible for responding to Security Incidents.
  • The threshold for initiating the emergency response plan.
  • Procedures for reporting Security Incidents.
  • Procedures for investigating causes and impacts of Security Incidents.
  • The recovery plan for resuming the normal operation of the critical infrastructure.
  • The plan for communicating with stakeholders and the public regarding Security Incidents.
  • Post-incident measures for preventing the recurrence of Security Incidents.
  • Policies and guidelines for reviewing any submitted emergency response plans.

Concluding remarks

The Bill is welcomed, as the designated critical infrastructures are essential to the functioning of the city. A cyber security attack on any of the designated sectors will bring about not only serious disruption but also economic damage. Greater digitalisation and rising cyber threats highlight the existential risk posed by cyber incidents. The introduction of such a legal regime will result in CIOs adopting more robust cyber security measures to protect not only their own systems, but the larger network of essential services they support. Companies and vendors that interact with CIOs will be required to up their game as well (e.g. these companies will need to implement security protocols and update their cyber defences). For CIOs, third-party risk management practices are therefore fundamental.

As we highlighted above, the various planning, reporting and response obligations imposed by the Bill and the ambiguities in regulatory scope may present challenges to potential CIOs. Preparation in advance and close communication with the regulating authorities will be essential in ensuring compliance. CIOs should also stay abreast of regulatory developments in this area, particularly with regard to the release of the CoP, as it will provide the detailed standards and other guidance on compliance with the Bill.

The Cybersecurity Team at JSM has extensive experience advising clients in both the public and private sectors on the complex legal issues arising from high-stakes cybersecurity incidents. We also support organisations in pre-incident preparations, including the development of internal policies, procedures, playbooks and response plans, as well as offering training and tabletop simulation exercises to ensure that your organisation is prepared to meet the requirements of the Bill when it comes into force.

Please feel free to contact us if you have any compliance enquiry or would like to learn more on how we can help you better prepare for legal risks arising from cyber incidents.

Remarks/Footnotes
  1. The computer-system security management plan must cover all of the matters specified in Schedule 3 of the Bill.
  2. The emergency response plan must cover all of the matters specified in Part 2 of Schedule 3 of the Bill.
  3. According to the Secretary for Security at the Legislative Council meeting on 19 March 2025.
  4. See letter from the Secretary for Security dated 13 January 2025, available at: https://www.legco.gov.hk/yr2024/english/bc/bc56/papers/bc5620250113cb2-36-3-e.pdf
  5. See section 2 of the Cybersecurity Act 2018.
  6. See Cybersecurity Act – Explanatory Statement, available at: https://isomer-user-content.by.gov.sg/36/9e6a3a9e-c796-4bac-b9c8-2abf167e8909/Cybersecurity-Act—Explanatory-Statement.pdf
  7. See section 11 of the Network and Information Systems Regulations 2018.
  8. Refers to a designated clearing and settlement system or a designated retail payment system as defined under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584).