Skip to content

有緊急法律疑難?請立即致電 (852) 3416 1711 與本行聯繫。

First cybersecurity bill becomes law

By Claire Chow

Hong Kong, 7 April 2025: A new law designed to enhance the protection of computer systems deemed essential to the smooth running of Hong Kong has been passed by the Legislative Council on 19 March 2025. It is expected to come into effect on 1 January next year.

The Protection of Critical Infrastructures (Computer Systems) Bill, which we flagged last July ahead of a public consultation, is this city’s first cybersecurity law and aims to enhance cybersecurity and minimise disruptions caused by cybersecurity incidents to Hong Kong’s essential services. Hence, it covers eight sectors viewed as crucial to the normal functioning of society: energy; information technology; banking; communications; healthcare; and land, air and maritime transport.

Other infrastructure operators responsible for important social and economic activities, such as managing major sports and performance venues, as well as research and development parks, are also included.

The legislation requires so-called Critical Infrastructure Operators (CIOs) to take appropriate measures to protect any of their networks that are designated as Critical Computer Systems (CCSs), thus reducing the impact of their operations on society and citizens’ daily lives in the event of a cyberattack. CIOs are ultimately responsible for compliance, even if they employ contractors to run the infrastructure.

A Commissioner’s Office will be set up under the Security Bureau to oversee the new regime, including drawing up the list of CIOs. For their part, CIOs will face three categories of obligations:

Organisational: maintain an office in Hong Kong and report any changes in ownership to the Commissioner’s Office; set up a dedicated management unit to oversee the cybersecurity of CCSs; take part in a CCS security drill organised by the Commissioner’s Office after being given written notice.

Preventative: inform the Commissioner’s Office of material changes to CCSs, such as amendments to design, configuration, security or operation; formulate a CCS security plan and submit it to the Commissioner’s Office; conduct a CCS security assessment at least once a year.

Incident reporting: formulate an emergency response plan and submit it to the Commissioner’s Office; notify the Commissioner’s Office of serious incidents within 12 hours, or 48 hours for other incidents; co-operate with the Commissioner’s Office in responding to and investigating such incidents, and complying with any written directions or requests.

The government aims to begin setting up the Commissioner’s Office and shortlisting CIOs by June. However, companies affected by the legislation will not be publicly identified to reduce the risk of them becoming potential terrorist targets. Fines for non-compliance with any aspect of the new regime range up to HK$5 million, with additional daily fines in the event of continuing breaches.

The government has consistently stressed that the legislation covers only computer systems at large organisations and that it does not target SMEs, personal data or commercial secrets. Further, it does not cover essential services provided by the government, such as water supply and drainage relief, which are already regulated via internal guidelines.

Organisations and businesses are urged to assess whether they are likely to be designated as a CIO under the new legislation, to review their existing cybersecurity arrangements for any deficiencies and to update practices accordingly, including establishing clear protocols, conducting regular drills and to educate and train staff within your organisation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.

按此了解本行逾40年的專業法律經驗。

本行的律師團隊友好親切、平易近人,樂於解答您的疑問,並為您提供合理的建議。

聯繫我們

BC&C-contact-us

新聞及知識

了解更多關於本行的工作和其他資訊。訂閱本行的企業通訊,以確保您收到我們的最新消息。

  • This field is for validation purposes and should be left unchanged.

First cybersecurity bill becomes law

By Claire Chow Hong Kong, 7 April 2025: A new law desig […]

Read more

Pádraig Seif reflects on his HK journey

Hong Kong, 3 April 2025: BC&C’s Foreign Legal Consu […]

Read more

Law & More: Episode 51 – Mohan Bharwaney SC

Hong Kong, 2 April 2025: In this episode, we are joined […]

Read more

Key factors in heat stroke liability

By Stephanie Lai Hong Kong, 1 April 2025: The current l […]

Read more

Major step for court broadcasting

By Arthur Chan Hong Kong, 24 March 2025: In a significa […]

Read more