Angela Wang & Co.

Hong Kong Proposes New Cybersecurity Law
20 February 2025

In response to a growing number of cybersecurity incidents, with over 9,000 cases reported between June 2023 and May 2024, the Hong Kong Government took a major step around June 2024 by introducing the Protection of Critical Infrastructures (Computer Systems) Bill (the “Bill”). The Bill is Hong Kong’s first dedicated statutory framework aimed at enhancing the cybersecurity of critical infrastructures (“CIs”) and establishing robust compliance standards for Critical Infrastructure Operators (“CIOs”) and Critical Computer Systems (“CCs”). Under the proposed framework, only specifically designated CIOs and CCs will be regulated.

The Bill was first gazetted on 6 December 2024 and introduced to the Legislative Council for its First and Second Readings on 11 December 2024. It is expected to be fully implemented in around mid-2026.


Legislative Objectives


The Bill aims to enhance the protection of computer systems that support critical infrastructures, ensure the continuity of essential services and minimise serious consequences caused by cyberattacks. The Bill imposes statutory obligations on CIOs across eight key sectors including :-

  • Energy;
  • Information Technology;
  • Banking and Financial Services;
  • Land Transport;
  • Air Transport;
  • Maritime Transport;
  • Healthcare Services; and
  • Communications and Broadcasting Services.


The Bill also regulates CIOs that are necessary for maintaining important social and economic activities (such as major sports and performance venues, research and development parks, etc.)


Statutory Obligations


The Bill introduces a three-tier structure of obligations for CIOs: organisational obligations, preventive obligations, and incident reporting and response obligations.

  1. Organisational Obligations

CIOs are required to maintain an office in Hong Kong and notify the Commissioner’s Office or designated authorities (“DA”) of the address and report any subsequent changes, report any ownership and operatorship changes in relation to the CIs, and maintain a computer-system security management unit supervised by an employee of the CIO who possesses adequate professional knowledge.

  2. Preventive Obligations

CIOs must implement robust cybersecurity measures to protect their computer systems from cyber threats. These include :-


(a) Notifying the Commissioner’s Office or DA of material changes to their computer systems, including CCs (e.g. changes in the design, configuration, security, operation etc.);

(b) Conducting regular security risk assessments;

(c) Implementing security management plans and undergoing periodic security audits; and

(d) Conducting and submitting an independent computer-system security audit at least once every two years.

  3. Incident Reporting and Response Obligations

The Bill mandates the reporting of cybersecurity incidents within specified timeframes and an effective response to them. In the event of a cybersecurity incident, CIOs must report serious incidents – those that could disrupt the core functions of CIs – within 12 hours of becoming aware of them, and less critical incidents within 48 hours. CIOs must also submit detailed written reports within 14 days, develop and continuously update emergency response plans that outline procedures for mitigating the impact of cyberattacks, and participate in computer-system security drills.


Commissioner’s Office


A Commissioner’s Office will be established under the Security Bureau to oversee the implementation of the legislative regime. This office will be responsible for designating CIOs and CCs, monitoring their compliance with statutory obligations, and ensuring adherence to the framework. The office will be led by a Commissioner appointed by the Chief Executive. The Commissioner’s key duties and functions include identifying CIs and designating CIOs and CCs, issuing codes of practice in respect of CIO obligations, monitoring and supervising compliance with the Ordinance, regulating CIOs in respect of the computer-system security of CCs, investigating and responding to computer-system security threats and incidents and coordinating the Ordinance’s implementation.


The investigation powers of the Commissioner include access to the computer systems of CIOs and potential access to sensitive data. If a CIO is unable or unwilling to assist in an investigation or to respond to a threat or incident independently, the Commissioner may seek a warrant to access the CCs. The Commissioner will be bound by statutory obligations to maintain data confidentiality. Unauthorised disclosure of such data may result in criminal liability, including potential imprisonment upon conviction.


Penalties and Extraterritorial Reach


Non-compliance with, or breaches of, the obligations and requirements under the Bill may constitute offences attracting penalties. These apply solely to CIOs at the organisational level and are not intended to target individual staff members. Penalties under the Bill will be limited to fines, with maximum fines ranging from HK$500,000 to HK$5 million. The maximum daily fines for continuing offences will range from HK$50,000 to HK$100,000. These stringent measures underscore the Bill’s aim of incentivising robust cybersecurity practices among critical infrastructure operators.


The Bill does not explicitly address extraterritoriality, but it includes provisions that could extend its reach. For instance, the Bill provides that a computer system located overseas but accessible by a CIO in or from Hong Kong can be designated as a CC, subjecting it to the Bill’s requirements. Moreover, the Commissioner’s Office can request information accessible by CIOs with a local presence in Hong Kong. Nonetheless, the Bill is not intended to have extraterritorial effect and is in line with the principle of territorial jurisdiction.


Implications for Businesses


While the Bill primarily targets large organisations, its implementation underscores the growing importance of cybersecurity risk management. Businesses, especially those in the designated sectors, should assess their cybersecurity frameworks by conducting self-assessments and gauging the adequacy of their current cybersecurity measures. They should also prepare for compliance with the new obligations, update existing cybersecurity frameworks to incorporate the obligations under the Bill, and remain informed about the progress of the Bill and its implementation timeline.


Conclusion


The Bill represents an approach in line with global trends on digital resilience to protect Hong Kong’s critical infrastructures against cyber threats. While it addresses key concerns raised during consultations, its practical implementation and enforcement remain to be seen. If you have any questions about the above eNews or require legal assistance regarding media and technology law, data protection and intellectual property law etc., our experienced lawyers in our Intellectual Property team will be happy to assist you.
