Skip to content

Something urgent? Call us now! (852) 3416 1711

First cybersecurity bill becomes law

By Claire Chow

Hong Kong, 7 April 2025: A new law designed to enhance the protection of computer systems deemed essential to the smooth running of Hong Kong has been passed by the Legislative Council on 19 March 2025. It is expected to come into effect on 1 January next year.

The Protection of Critical Infrastructures (Computer Systems) Bill, which we flagged last July ahead of a public consultation, is this city’s first cybersecurity law and aims to enhance cybersecurity and minimise disruptions caused by cybersecurity incidents to Hong Kong’s essential services. Hence, it covers eight sectors viewed as crucial to the normal functioning of society: energy; information technology; banking; communications; healthcare; and land, air and maritime transport.

Other infrastructure operators responsible for important social and economic activities, such as managing major sports and performance venues, as well as research and development parks, are also included.

The legislation requires so-called Critical Infrastructure Operators (CIOs) to take appropriate measures to protect any of their networks that are designated as Critical Computer Systems (CCSs), thus reducing the impact of their operations on society and citizens’ daily lives in the event of a cyberattack. CIOs are ultimately responsible for compliance, even if they employ contractors to run the infrastructure.

A Commissioner’s Office will be set up under the Security Bureau to oversee the new regime, including drawing up the list of CIOs. For their part, CIOs will face three categories of obligations:

Organisational: maintain an office in Hong Kong and report any changes in ownership to the Commissioner’s Office; set up a dedicated management unit to oversee the cybersecurity of CCSs; take part in a CCS security drill organised by the Commissioner’s Office after being given written notice.

Preventative: inform the Commissioner’s Office of material changes to CCSs, such as amendments to design, configuration, security or operation; formulate a CCS security plan and submit it to the Commissioner’s Office; conduct a CCS security assessment at least once a year.

Incident reporting: formulate an emergency response plan and submit it to the Commissioner’s Office; notify the Commissioner’s Office of serious incidents within 12 hours, or 48 hours for other incidents; co-operate with the Commissioner’s Office in responding to and investigating such incidents, and complying with any written directions or requests.

The government aims to begin setting up the Commissioner’s Office and shortlisting CIOs by June. However, companies affected by the legislation will not be publicly identified to reduce the risk of them becoming potential terrorist targets. Fines for non-compliance with any aspect of the new regime range up to HK$5 million, with additional daily fines in the event of continuing breaches.

The government has consistently stressed that the legislation covers only computer systems at large organisations and that it does not target SMEs, personal data or commercial secrets. Further, it does not cover essential services provided by the government, such as water supply and drainage relief, which are already regulated via internal guidelines.

Organisations and businesses are urged to assess whether they are likely to be designated as a CIO under the new legislation, to review their existing cybersecurity arrangements for any deficiencies and to update practices accordingly, including establishing clear protocols, conducting regular drills and to educate and train staff within your organisation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.

40+ years of legal experience is just a click away.

Friendly and approachable, we are ready to answer your questions and offer you sound advice.

Contact us now

BC&C-contact-us

News & Knowledge

Learn more about what we do and what we say. Subscribe to our newsletter to ensure you receive our updates.

  • This field is for validation purposes and should be left unchanged.

First cybersecurity bill becomes law

By Claire Chow Hong Kong, 7 April 2025: A new law designed to enhance the protection of computer systems deemed essential to the smooth running of Hong Kong has been passed by the Legislative Council on 19 March 2025. It is expected to come into effect on 1 January next year. The Protection of Critical […]

Read more

Pádraig Seif reflects on his HK journey

Hong Kong, 3 April 2025: BC&C’s Foreign Legal Consultant Pádraig Seif was delighted to share his experiences as a Hong Kong citizen, business leader and lawyer in a keynote address at a seminar organised by Our Hong Kong Foundation. Born and raised in Germany with Irish roots, Pádraig’s Asian odyssey took him first to Japan […]

Read more

Law & More: Episode 51 – Mohan Bharwaney SC

Hong Kong, 2 April 2025: In this episode, we are joined by Mohan Bharwaney SC, a retired justice of the High Court who has authored a significant number of landmark judgments in the field of personal injury and medical negligence. Mohan reflects on his upbringing in Hong Kong, early days as a barrister and some […]

Read more

Key factors in heat stroke liability

By Stephanie Lai Hong Kong, 1 April 2025: The current legal landscape in Hong Kong establishes a carefully balanced approach to heat-related compensation claims, providing meaningful worker protection while maintaining reasonable boundaries on employer liability. Two recent judgments – in Wong Yun Wa v Surplus Link Limited [2024] HKDC 1145 and Yu Kwok Wa v […]

Read more

Major step for court broadcasting

By Arthur Chan Hong Kong, 24 March 2025: In a significant move, the Judiciary is to launch a two-year pilot scheme for the live broadcasting of hearings in the Court of Final Appeal. The scheme will begin on 1 April and involve “substantive appellate proceedings”. The development comes after the Judiciary conducted four trial runs […]

Read more