Hong Kong passes its first Cybersecurity Law to safeguard critical infrastructure

Published: Mar 25 2025

Hong Kong’s Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill (the “CI Bill”) on March 19, 2025. This landmark legislation aims to enhance cybersecurity and minimize disruptions caused by cybersecurity incidents to Hong Kong’s critical and essential services. The CI Bill is set to take effect on January 1, 2026.

The key provisions of the CI Bill and our recommendations for organizations are set out below.

Key provisions

The CI Bill was passed without substantive amendments to the original bill (see original bill and amendments passed).

For a detailed analysis of the CI Bill, please refer to our previous article. To recap, the key obligations imposed on CI operators are:

1. Organization of CI operators (“Category 1 obligations”)

  • Maintain an office in Hong Kong.
  • Notify the authority of operator changes.
  • Set up and maintain a computer-system security management unit.

2. Prevention of threats and incidents (“Category 2 obligations”)

  • Notify the authority of significant changes to certain systems.
  • Submit and implement security management plans (details in Schedule 3 of the CI Bill).
  • Conduct security risk assessments (details in Schedule 4 of the CI Bill).
  • Arrange security audits (details in Schedule 5 of the CI Bill).

3. Incident reporting and response (“Category 3 obligations”)

  • Participate in security drills.
  • Submit and implement emergency response plans.
  • Notify the Commissioner of incidents within the specified timeframe:
      1. Within 12 hours after becoming aware of the incident for serious computer-system security incidents (defined as incidents that have disrupted, are disrupting, or are likely to disrupt the core function of the critical infrastructure concerned); and
      2. Within 48 hours after becoming aware of the incident for other computer-system security incidents.
  • Submit a written report of the incident within 14 days after the date on which the CI operator becomes aware of the incident.

Non-compliance with any of these obligations or failure to comply with the Commissioner’s written direction constitutes an offence, with fines of up to HKD5 million.

What should you do now?

Step one: assess potential status as CI operators

  • Determine if your organization qualifies as a critical infrastructure operator under the CI Bill. The Government has announced that designated operators will be shortlisted by June 2025 and designated in phases.
  • Engage legal experts to understand the criteria and obligations associated with CI operator status.

Step two: allocate budget and resources for compliance

  • If your organization is likely to qualify as a critical infrastructure operator, allocate the resources needed to implement the organizational changes required to meet the CI Bill’s obligations.

Step three: conduct a gap analysis

  • Engage legal and cybersecurity experts to perform a thorough gap analysis to identify any deficiencies in your current cybersecurity posture and practices against the requirements of the CI Bill.
  • As part of the technical analysis, conduct security audits and penetration testing.

Step four: take actions to enhance the cyber-resilience of your critical infrastructure

  • Based on the gap analysis, implement measures to comply with the requirements of the CI Bill, which may include but are not limited to:
      • Develop or update security management plans and emergency response plans to ensure these internal policies and procedures are aligned with the new requirements.
      • Establish clear reporting protocols for incidents to address various legal requirements, including those under privacy laws and regulations from Hong Kong and other jurisdictions.
      • Conduct regular drills and training sessions, such as tabletop exercises, to ensure preparedness.
      • Consider the impact of the CI Bill on existing and future contracts, especially with third-party service providers, to ensure they reflect the necessary security obligations and responsibilities. CI operators remain legally responsible for compliance with the CI Bill.
      • Review system architecture and make necessary changes (e.g., segregation, access controls).

Get in touch with us

As the clock is now ticking for the new legislation to come into effect and as cyber risks continue to evolve, it is crucial for businesses operating in Hong Kong to take timely and proactive measures to comply with the requirements and enhance the resilience of their operations.

To understand the full implications of the CI Bill for your organization and to receive tailored advice on compliance, please contact our team.