Hong Kong proposes critical infrastructure cybersecurity law

Rossana Chu • 4 November 2024
Rossana Chu

Partner, Hong Kong

Download PDF

Hong Kong proposes critical infrastructure cybersecurity law

Hong Kong does not have statutory requirements on critical infrastructure cybersecurity. However, critical infrastructure around the world is at risk of cyberattacks and the repercussions of such malevolent action can be extremely severe.


In recent years, legislation to protect the security of computer systems of critical infrastructure has been enacted in mainland China, Australia, the UK and the EU. Following in these footsteps, Hong Kong proposes to enact a new legislation tentatively titled the Protection of Critical Infrastructure (Computer System) Bill.
Regulation targets


The proposed legislation seeks to regulate the operators of critical infrastructure that are necessary for:


  1. The continuous delivery of essential services in Hong Kong across eight sectors (energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting);

  2. Maintaining important societal and economic activities in Hong Kong, like major sports and performance venues, and research and development parks.


The new law will regulate only computer systems that are related to the normal functioning of critical infrastructure, regardless of their physical location, but not the operators’ other systems.


The legislation will not apply to essential services operated by the government – like water supply, drainage and emergency relief – as the government already has comprehensive internal information technology security policies and guidelines. Consequently, government departments will continue to be regulated by the existing administrative framework.


Administration


A new commissioner’s office will be established under the Security Bureau, to implement the proposed legislation.


Designation


Whether a piece of infrastructure is designated as a critical infrastructure will depend on factors such as whether it provides essential services or maintains important societal and economic activities in Hong Kong, its reliance on information technology, and the severity of societal impact in the event of damage, loss of functionality or data leakage.


Operators


The commissioner’s office will expressly designate certain operators as critical infrastructure operators (CIOs). These operators will mostly be large organisations but the list of designated CIOs will not be made public to protect their critical infrastructure from potential cyberattacks.


Designated CIOs will be required to fulfil three types of obligations:


  1. Organisational. To maintain an address and office in Hong Kong; to report changes in the ownership and operation of the critical infrastructure; to set up a computer system security management unit with professional knowledge (may be outsourced) supervised by a dedicated supervisor of the CIO.

  2. Preventive. To inform the commissioner’s office of material changes to their critical computer systems like design, configuration, security and operation; to formulate and implement a computer system security management plan; to conduct a computer system security risk assessment at least once every year; to conduct a computer system security audit at least once every two years; to adopt measures to ensure that third-party service providers comply with relevant statutory obligations.

  3. Incident reporting and response. To participate in a computer system security drill at least once every two years; to formulate an emergency response plan; to notify the commissioner’s office about computer system security incidents (activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security) : (a) within two hours of becoming aware of a serious computer system security incident (one that has a major impact on the continuity of essential services, large-scale leakages of personal information), and (b) within 24 hours of becoming aware of other computer system security incidents.


Sector regulators


Certain essential service sectors are already comprehensively regulated by statutory sector regulators. These regulators can monitor the discharging of CIOs’ organisational and preventive obligations. At this stage, it is proposed that:


  1. The Hong Kong Monetary Authority will be the designated authority to regulate service providers in the banking and financial services sector; and

  2. The Communications Authority will be the authority responsible for regulating service providers in the communications and broadcasting sector.


Nevertheless, the commissioner’s office will fully grasp any incident and the response arrangements of all CIOs to co-ordinate, investigate and prevent incidents from spreading to other CIOs.


Code of practice


The commissioner’s office will issue a code of practice with requirements such as:

  • reporting of material changes to critical computer systems;
  • independent computer system security audits;
  • computer system security risk assessments;
  • computer system security management plans; and
  • incident response obligations.


Way forward


The government plans to present the proposed legislation to the Legislative Council by the end of 2024. After the bill is passed, the commissioner’s office will be established within a year. The legislation will come into effect within the following six months.


The proposed legislation will require CIOs alone to bear responsibility for securing their critical computer systems. It does not permit the government to obtain personal data or business information from such systems.


Organisations that are potential CIOs should evaluate and enhance the cybersecurity of their critical computer systems, understand legal requirements including the proposed code of practice, and allocate a budget for compliance. It is essential for them to collaborate with their outsourced contractors to effectively comply with the forthcoming statutory obligations.


However, a challenge ahead is the recruitment of competent cybersecurity experts, supervisors and other required personnel. This issue deserves careful consideration by both the CIOs and their outsourced contractors.



YYC Legal LLP is in Association with East & Concord Partners (Hong Kong) Law Firm.

First published in October 2024 YYC Legal - legal trends of China Business Law Journal.

This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.

Recent articles

Chambers Global Practice Guides: Equity Finance 2024 – Hong Kong Chapter

by YYC Legal 18 November 2024
Our partners Rossana Chu, Dennis Yeung, and Sam Wu, together with associate Beverly Fu, of our leading corporate practice team, have co-authored the Hong Kong Chapter of the Chambers Global Practice Guides: Equity Finance 2024.

Background for signing Amendment Agreement II on Trade in Services under CEPA

by Roy Chiang 25 October 2024
The Amendment Agreement II introduces new liberalisation measures across several service sectors where Hong Kong enjoys competitive advantages.
Stablecoin & Cryptocurrency

Proposed Regulatory Regime for Stablecoin Issuers in Hong Kong: An Overview

by Sam Wu 24 September 2024
This article summarises the key aspects of the legislative proposal, including the scope and coverage of the proposed regulatory regime, the licensing criteria and conditions and the powers granted to the HKMA.

Hong Kong opens doors to foreign company redomiciliation

by Rossana Chu 19 September 2024
The Hong Kong government has announced that it will make a law to enable non-Hong Kong companies to redomicile in Hong Kong.

SEHK revises Corporate Governance Code

by Rossana Chu 28 August 2024
The revised code and listing rules are expected to take effect on 1 January 2025, with transition periods for certain proposals.

HKCA: No “Issued Share Capital” for UK LLP for Stamp Duty Relief Purpose

by Beverly Fu 23 August 2024
To fulfil the relief condition, the test for “associated”, which is “beneficial owner of not less than 90 per cent of the issued share capital of the other”, has to be satisfied.
More articles

Recent News

YYC Legal is recognised at the China Business Law Awards (Regional Awards) 2024

by YYC Legal 15 October 2024
YYC Legal LLP is recognised as one of the “Best Overall Law Firms (Hong Kong)” at the China Business Law Awards (Regional Awards) 2024.

Rossana Chu won 2024 asialaw Hong Kong SAR Female Lawyer of the Year Award

by YYC Legal 4 October 2024
Rossana Chu received the “Hong Kong SAR Female Lawyer of the Year” Award at the 2024 asialaw Awards Ceremony held at the JW Marriott Hotel in Kuala Lumpur of Malaysia.

YYC Legal is recognised in ALB Asia M&A Rankings 2024

by YYC Legal 26 September 2024
YYC Legal LLP is recognised as a “Notable Firm” for Hong Kong in ALB Asia M&A Rankings 2024.

YYC Legal is recognised in IFLR1000 2024 Rankings

by YYC Legal 13 September 2024
YYC Legal LLP and our lawyers have been recognised by IFLR1000 2024 Rankings in six categories.

YYC Legal is recognised in asialaw 2024 rankings

by YYC Legal 13 September 2024
YYC Legal LLP and our lawyer have been recommended by asialaw as one of the top-performing legal firms and lawyers in Asia in four categories.

“An interview with Jason Lin” featured in ALB China Regional Report 2024

by YYC Legal 10 September 2024
Jason pointed out that Hong Kong has always been an irreplaceable choice for Chinese enterprises to set up "Go Global" holding platforms.
More News
Share by: