Hong Kong proposes critical infrastructure cybersecurity law

Rossana Chu (Partner, Hong Kong), Beverly Fu (Associate, Hong Kong) • 26 November 2024


Hong Kong currently has no statutory requirements on critical infrastructure cybersecurity. However, critical infrastructure around the world is at risk of cyberattacks, and the repercussions of such attacks can be extremely severe.


In recent years, legislation to protect the security of the computer systems of critical infrastructure has been enacted in mainland China, Australia, the UK and the EU. Following in these footsteps, Hong Kong proposes to enact new legislation tentatively titled the Protection of Critical Infrastructure (Computer System) Bill.


Regulation targets


The proposed legislation seeks to regulate the operators of critical infrastructure that are necessary for:


  1. the continuous delivery of essential services in Hong Kong across eight sectors (energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting); or

  2. maintaining important societal and economic activities in Hong Kong, like major sports and performance venues, and research and development parks.


The new law will regulate only computer systems that are related to the normal functioning of critical infrastructure, regardless of their physical location, but not the operators’ other systems.


The legislation will not apply to essential services operated by the government – like water supply, drainage and emergency relief – as the government already has comprehensive internal information technology security policies and guidelines. Consequently, government departments will continue to be regulated by the existing administrative framework.


Administration


A new commissioner’s office will be established under the Security Bureau to implement the proposed legislation, including the performance of the following duties:

  • designating critical infrastructure operators (CIOs) and critical computer systems (CCSs);
  • establishing a code of practice and giving advice on the measures to be adopted by CIOs;
  • monitoring security threats against CCSs;
  • assisting CIOs in responding to computer system security incidents;
  • investigating and following up on non-compliance and offences committed by CIOs;
  • coordinating with various government departments in formulating policies and guidelines and handling incidents; and
  • issuing written instructions to CIOs addressing potential security loopholes.


Designation


Whether a piece of infrastructure is designated as a critical infrastructure will depend on factors such as whether it provides essential services or maintains important societal and economic activities in Hong Kong, its reliance on information technology, and the severity of societal impact in the event of damage, loss of functionality or data leakage.


Operators


The commissioner’s office will expressly designate certain operators as CIOs. These operators will mostly be large organisations but the list of designated CIOs will not be made public to protect their critical infrastructure from potential cyberattacks.


CIOs’ obligations


Designated CIOs will be required to fulfil three types of obligations:


  1. Organisational. To maintain an address and office in Hong Kong; to report changes in the ownership and operation of the critical infrastructure; and to set up a computer system security management unit with professional knowledge (may be outsourced) supervised by a dedicated supervisor of the CIO.

  2. Preventive. To inform the commissioner’s office of material changes to their CCSs like design, configuration, security and operation; to formulate and implement a computer system security management plan; to conduct a computer system security risk assessment at least once every year; to conduct a computer system security audit at least once every two years; and to adopt measures to ensure that third-party service providers comply with relevant statutory obligations.

  3. Incident reporting and response. To participate in a computer system security drill at least once every two years; to formulate an emergency response plan; and to notify the commissioner’s office about computer system security incidents (activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security): (a) within two hours of becoming aware of a serious computer system security incident (one that has a major impact on the continuity of essential services, or involves large-scale leakage of personal information), and (b) within 24 hours of becoming aware of other computer system security incidents.


Upon request by the commissioner’s office in the course of investigating an incident or offence related to the three types of obligations above, CIOs must submit relevant information available to the commissioner’s office, even if such information is located outside Hong Kong.


Sector regulators


Certain essential service sectors are already comprehensively regulated by statutory sector regulators. These regulators can monitor the discharging of CIOs’ organisational and preventive obligations. At this stage, it is proposed that:


  1. the Hong Kong Monetary Authority will be the designated authority to regulate service providers in the banking and financial services sector; and

  2. the Communications Authority will be the authority responsible for regulating service providers in the communications and broadcasting sector.


Nevertheless, the commissioner’s office will retain full oversight of any incident and of the response arrangements of all CIOs, so that it can co-ordinate and investigate incidents and prevent them from spreading to other CIOs.


Penalties for non-compliance


CIOs are expected to adhere to the statutory obligations under the proposed legislation and written directions and requests issued by the commissioner’s office. Failure to do so may constitute an offence and result in fines ranging from HK$500,000 to HK$5 million. If an organisation continues to disregard certain compliance obligations, additional daily fines may be imposed.


CIOs will also be held accountable for non-compliance even if it stems from the actions (or inactions) of third-party service providers. This emphasises the need for CIOs to thoroughly vet and manage their external partners to mitigate risks of non-compliance.


The proposed legislation adopts an organisation-focused approach in terms of the bearing of statutory obligations, and thus generally individual officers or staff members involved will not face personal penalties under the proposed legislation. That said, if certain non-compliance scenarios intersect with existing criminal laws in Hong Kong, for example, involving fraudulent activities or making false statements to the commissioner’s office, the individuals involved may face personal criminal liability.


An appeal mechanism will be established to allow CIOs to appeal against designations of CIOs or CCSs or directions issued by the commissioner’s office.


Code of practice


The commissioner’s office will issue a code of practice with requirements such as:

  • reporting of material changes to CCSs;
  • independent computer system security audits;
  • computer system security risk assessments;
  • computer system security management plans; and
  • incident response obligations.


Way forward


The government plans to present the proposed legislation to the Legislative Council by the end of 2024. After the bill is passed, the commissioner’s office will be established within a year. The legislation will come into effect within the following six months.


Impact on operators


The proposed legislation will require CIOs alone to bear responsibility for securing their CCSs. It does not permit the government to obtain personal data or business information from such systems.


Organisations that are potential CIOs should evaluate and enhance the cybersecurity of their CCSs, understand legal requirements including the proposed code of practice, and allocate a budget for compliance. It is essential for them to collaborate with their outsourced contractors to effectively comply with the forthcoming statutory obligations.


However, a challenge ahead is the recruitment of competent cybersecurity experts, supervisors and other required personnel. This issue deserves careful consideration by both the CIOs and their outsourced contractors.


YYC Legal LLP is in Association with East & Concord Partners (Hong Kong) Law Firm.

This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.
