By Claire Chow
Hong Kong, 7 April 2025: A new law designed to enhance the protection of computer systems deemed essential to the smooth running of Hong Kong has been passed by the Legislative Council on 19 March 2025. It is expected to come into effect on 1 January next year.
The Protection of Critical Infrastructures (Computer Systems) Bill, which we flagged last July ahead of a public consultation, is this city’s first cybersecurity law and aims to enhance cybersecurity and minimise disruptions caused by cybersecurity incidents to Hong Kong’s essential services. Hence, it covers eight sectors viewed as crucial to the normal functioning of society: energy; information technology; banking; communications; healthcare; and land, air and maritime transport.
Other infrastructure operators responsible for important social and economic activities, such as managing major sports and performance venues, as well as research and development parks, are also included.
The legislation requires so-called Critical Infrastructure Operators (CIOs) to take appropriate measures to protect any of their networks that are designated as Critical Computer Systems (CCSs), thus reducing the impact of their operations on society and citizens’ daily lives in the event of a cyberattack. CIOs are ultimately responsible for compliance, even if they employ contractors to run the infrastructure.
A Commissioner’s Office will be set up under the Security Bureau to oversee the new regime, including drawing up the list of CIOs. For their part, CIOs will face three categories of obligations:
Organisational: maintain an office in Hong Kong and report any changes in ownership to the Commissioner’s Office; set up a dedicated management unit to oversee the cybersecurity of CCSs; take part in a CCS security drill organised by the Commissioner’s Office after being given written notice.
Preventative: inform the Commissioner’s Office of material changes to CCSs, such as amendments to design, configuration, security or operation; formulate a CCS security plan and submit it to the Commissioner’s Office; conduct a CCS security assessment at least once a year.
Incident reporting: formulate an emergency response plan and submit it to the Commissioner’s Office; notify the Commissioner’s Office of serious incidents within 12 hours, or 48 hours for other incidents; co-operate with the Commissioner’s Office in responding to and investigating such incidents, and complying with any written directions or requests.
The government aims to begin setting up the Commissioner’s Office and shortlisting CIOs by June. However, companies affected by the legislation will not be publicly identified to reduce the risk of them becoming potential terrorist targets. Fines for non-compliance with any aspect of the new regime range up to HK$5 million, with additional daily fines in the event of continuing breaches.
The government has consistently stressed that the legislation covers only computer systems at large organisations and that it does not target SMEs, personal data or commercial secrets. Further, it does not cover essential services provided by the government, such as water supply and drainage relief, which are already regulated via internal guidelines.
Organisations and businesses are urged to assess whether they are likely to be designated as a CIO under the new legislation, to review their existing cybersecurity arrangements for any deficiencies and to update practices accordingly, including establishing clear protocols, conducting regular drills and to educate and train staff within your organisation.
Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.
