
Key insights on the Protection of Critical Infrastructures (Computer Systems) Bill

2025-03-31

Introduction

On 19 March 2025, Hong Kong passed the Protection of Critical Infrastructures (Computer Systems) Bill (the “Ordinance”), which aims to enhance the city’s resilience against cyber threats and to safeguard its critical infrastructures (“CIs”). The new legislation establishes a framework for regulating cybersecurity practices, requiring critical infrastructure operators (“CIOs”) to implement robust measures to protect their computer systems and to ensure the continuous provision of essential services. It is therefore crucial for businesses and institutions to understand its implications, compliance requirements and potential impact on their operations. This newsletter provides an overview of the key provisions of the Ordinance.

Key provisions

1. What are the scope and targets of the Ordinance?

Only CIs, CIOs and critical computer systems (“CCSs”) designated under the Ordinance are subject to the statutory obligations.

CIs: The following two categories of CIs are expressly designated under the Ordinance:

a. Infrastructures for the continuous provision of essential services in Hong Kong in eight sectors, namely energy, information technology, banking and financial services, land transport, air transport, maritime transport, healthcare services, and telecommunications and broadcasting services, which, if disrupted, compromised or rendered unavailable for an extended period, would significantly impact the everyday life and functioning of society; and

b. Infrastructures for maintaining critical societal and economic activities (e.g. major sports and performance venues, major technology parks, etc.), the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal and economic activities in Hong Kong.

CIOs: Under section 12 of the Ordinance, an organization may be designated as a CIO if it operates a CI and that infrastructure is a specified CI for the relevant regulating authority. In considering whether to designate an organization as a CIO, or to revoke such a designation, the regulating authority may take into account (a) how dependent the core function of the CI concerned is on computer systems; (b) the sensitivity of the digital data controlled by the organization in respect of the infrastructure; (c) the extent of control that the organization has over the operation and management of the infrastructure; (d) any information provided in respect of the infrastructure in compliance with an information requirement; and (e) any other matters the authority considers relevant.

To avoid making CIs and CIOs targets of attack, the regulating authority will not disclose the list of designated CIs and CIOs. The Ordinance places the regulating authority and other relevant parties under a statutory duty of confidentiality in respect of such information and other information obtained under the Ordinance.

CCSs: A CIO may operate many computer systems. To enable CIOs to focus their resources on protecting the most important ones, the Ordinance (section 13) only imposes obligations in respect of computer systems that are accessible by the operator in or from Hong Kong and are essential to the core functions of the CI operated by the operator. In designating a system as a CCS, the regulating authority may consider factors including (a) the role of the subject system in respect of the core function of the CI concerned; (b) how that core function would be impacted if the subject system were disrupted or destroyed; (c) the extent to which the subject system is related to any other computer systems of the CIO concerned; (d) the extent to which the subject system and any other computer systems of the operator are related to those of other CIOs; (e) any information provided in respect of the infrastructure in compliance with an information requirement; and (f) any other matters the authority considers relevant.

2. What are the obligations of the CIOs?

Three main types of obligations are imposed on CIOs, so that each CIO establishes a sound management structure, implements the measures necessary to protect the security of its CCSs, and responds promptly to attacks and recovers the affected systems.

Types of obligations

1. Organizational obligations

· maintain an office in Hong Kong and notify the Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner”) or the relevant designated authority (“DA”) of its address (and report any subsequent changes);

· notify the Commissioner or DA of any change of operator in relation to the CI;

· maintain a computer-system security management unit (in-house or outsourced), which must be supervised by an employee of the CIO who possesses adequate professional knowledge.

2. Preventive obligations

· notify the Commissioner or DA of material changes to their CCSs, including changes to the design, configuration, security, operation, etc. of those systems;

· prepare and implement a computer-system security management plan and submit the plan to the Commissioner or DA;

· conduct a computer-system security risk assessment at least once every year and submit a report to the Commissioner or DA;

· arrange for an independent computer-system security audit to be carried out at least once every two years and submit a report to the Commissioner or DA.

3. Incident reporting and response obligations

· participate in computer-system security drills organized by the Commissioner;

· prepare and implement an emergency response plan and submit it to the Commissioner;

· notify the Commissioner of the occurrence of computer-system security incidents in respect of CCSs. A computer-system security incident means any event that involves access to a CCS, or any other act done on or through a CCS or another computer system, without lawful authority, and that has an actual adverse effect on the computer-system security of the CCS. Serious incidents, i.e. those which have disrupted, are disrupting or are likely to disrupt the core function of a CI, must be reported within 12 hours after the CIO becomes aware of the incident; all other incidents must be reported within 48 hours.


The DAs are:

· the Hong Kong Monetary Authority, for the banking and financial services sector; and

· the Communications Authority, for the telecommunications and broadcasting services sector.

3. What are the offences and penalties for non-compliance under the Ordinance?

The penalties under the Ordinance consist only of fines against organizations. The maximum fine for an offence ranges from HK$500,000 to HK$5 million, and certain continuing offences additionally attract a daily fine for persistent non-compliance, the maximum of which ranges from HK$50,000 to HK$100,000 per day. Fines for non-compliance with the Ordinance are imposed only at the organizational level, not on individual staff.

4. Will personal data or any sensitive data be targeted under the Ordinance?

If a computer-system security incident involving leakage of personal data takes place, the CIO may have to report the incident to the Commissioner. The government has emphasized, however, that the Commissioner’s role is to identify the cause of the incident and close the loopholes that allowed it. Personal data and other sensitive data such as trade secrets are not the focus of the Ordinance, but CIOs may still need to consider reporting the incident to the Privacy Commissioner for Personal Data under the personal data regime. Moreover, the Commissioner, the DAs and all personnel employed or appointed in connection with the performance of functions under the Ordinance are subject to statutory obligations of secrecy, and unauthorized disclosure may render them liable on conviction to imprisonment.

Takeaway

The Ordinance introduces important regulation to enhance the cybersecurity of essential services in Hong Kong. CIOs should take immediate steps to understand and comply with their new obligations, including but not limited to putting effective security measures in place and reporting incidents within the statutory time limits. Non-compliance can lead to significant financial penalties, so CIOs should stay informed and prepared as they navigate this evolving regulatory landscape. If in doubt, it is advisable to seek legal advice.


For enquiries, please feel free to contact us at:

E: technology@onc.hk
T: (852) 2810 1212
W: www.onc.hk
F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2025

Our People

Dominic Wai
Partner