Hong Kong Government releases critical infrastructure Cybersecurity Bill

We highlight below the key provisions of the CI Bill and the implications for organizations.

Key provisions and obligations

The content of the CI Bill is substantially similar to the Government’s proposal outlined in the brief to the Legislative Council and its consultation report (details of the brief and consultation here), incorporating several key changes based on stakeholder feedback.

The key provisions and obligations in the CI Bill are as follows:

1. Scope and targets

The proposed meaning of “critical infrastructure” under the bill is the same as previously proposed and is defined under the CI Bill as:

• Any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a specified sector (Type 1 CI), or
• Any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong (Type 2 CI).

Type 1 CI sectors (specified in Schedule 1 to the Bill) are energy, information technology, banking and financial services, air transport, land transport, maritime transport, health services, and telecommunications and broadcasting services. Examples of Type 2 CI, such as major sports and performance venues, were included in the brief.

2. Regulatory authorities

The Chief Executive will appoint a new Commissioner of Computer-system Security (the Commissioner), who, along with the designated authorities in Schedule 2 of the CI Bill for specific sectors (currently the Monetary Authority and the Communications Authority), (“Designated Authorities”), will serve as the regulating authorities ("Regulating Authorities").

The Regulating Authorities' functions include identifying critical infrastructures (CIs), designating CI operators and issuing codes of practice. The powers of the Regulating Authorities are:

• A Regulating Authority can ascertain if an infrastructure is a specified CI by considering the service provided and potential damage implications.
• The Commissioner or a Designated Authority can designate an organization or a regulated organization of the authority, respectively, as a CI operator based on its dependency on computer systems and data sensitivity.
• A Regulating Authority can designate a computer system as critical for infrastructure by giving written notice to a CI operator. This includes systems (i) accessible by the operator in or from Hong Kong and (ii) essential to the core function of a CI, based on factors like the system’s role in the CI’s core function.

Regulating Authorities can require any organizations or CI operators to provide information for identifying CIs, designating CI operators, or critical computer systems. Such information includes any information needed to determine if infrastructure is a specified CI, if an organization should be designated a CI operator, or if a computer system should be designated as critical. Failing to comply with requirements to provide information without reasonable excuse could result in financial penalties of up to HKD5 million with additional daily fines of up to HKD100,000.

3. Obligations of critical infrastructure operators

The CI Bill imposes the following obligations on CI operators:

• Organization of CI operators ("category 1 obligations"):
  • Maintain an office in Hong Kong.
  • Notify the authority of operator changes.
  • Set up and maintain a computer-system security management unit.

• Prevention of threats and incidents ("category 2 obligations"):
  • Notify the authority of significant changes to certain systems.
  • Submit and implement security management plans (details in Schedule 3 of the CI Bill).
  • Conduct security risk assessments (details in Schedule 4 of the CI Bill).
  • Arrange security audits (details in Schedule 5 of the CI Bill).

• Incident reporting and response ("category 3 obligations"):
  • Participate in security drills.
  • Submit and implement emergency response plans.
  • Notify the Commissioner of incidents within the specified timeframe which shall be made:

• for serious computer-system security incidents (defined as incidents
  that have disrupted, are disrupting or will be likely disrupt the core
  function of the critical infrastructure concerned), within 12 hours after becoming aware of the incident, and
• for other computer-system security incidents, within 48 hours after becoming aware of the incident.
  • Submit a written report of incident within 14 days after the date on which the CI operator becomes aware of the incident.

Non-compliance with any of these obligations or failure to comply with the Commissioner’s written direction constitutes an offence, with fines of up to HKD5m.

4. Powers of Authorized officers and Regulating Authorities

Authorized officers are empowered to investigate computer-system security threats in critical systems. If the Commissioner suspects an adverse event or threat, they can direct officers to identify the cause and respond accordingly. The CI Bill grants the following enforcement powers to authorized officers:

• Requiring CI operators to produce relevant documents and provide explanations.
• Entering premises to search for relevant documents (if specified conditions are met).
• Restricting the use of investigated systems and applying for warrants to preserve the system's state (if specified conditions are met).

The CI Bill also grants investigation powers to Regulating Authorities for proposed offences. A Regulating Authority can direct an authorized officer to investigate suspected offences, including requiring written answers from organizations. An authorized officer is permitted to apply for a magistrate's warrant to enter premises or inspect electronic devices if specified conditions are met.

5. Appeal mechanism

The CI Bill proposes that an organization aggrieved by a Regulating Authority’s decision can lodge an appeal against such decision. An appeal board appointed for an appeal may confirm, vary or reverse any decision to which the appeal relates and such decision would be final.

Additional requirements and details

The CI Bill raises a number of other issues and requirements:

• Extraterritorial jurisdiction considerations: the CI Bill imposes obligations with respect to computer systems that are accessible by the CI operators in or from Hong Kong. The Government has stated that the CI Bill does not have extra-territorial effect, as it does not seek to enforce jurisdiction over areas outside Hong Kong. However, if certain information is controlled and possessed by an overseas entity and is accessible by the CI operator in or from Hong Kong, it appears that the system is in scope and information regarding such system must be submitted to the Commissioner if requested.
• Use of code of practice in legal proceedings: the CI Bill states that non-compliance with a code of practice does not by itself make an organization liable to any civil or criminal proceedings. However, if a court or appeal board finds a code of practice relevant in a legal case, the code can be used as evidence. Proof of whether an organization complies with the code can help establish or disprove an issue.
• Defenses of “due diligence” and “reasonable excuse”: for certain offences, “due diligence” and “reasonable excuse” defenses might be available. For a “due diligence” defense, an organization must provide sufficient evidence that the offence was beyond its control and it has taken all reasonable steps to prevent the offence, and the prosecution must not disprove this beyond a reasonable doubt. For a “reasonable excuse” defense, an organization must provide sufficient evidence to raise an issue that the defendant had such a reasonable excuse, and the prosecution must not disprove this beyond a reasonable doubt.
• Nature of penalties: penalties for non-compliance with the obligations under the CI Bill include financial penalties ranging from HKD500,000 to HKD5m and will be imposed on an organization basis. However, if the violations involve breaching criminal laws (such as making false statements, using false instruments, or committing other fraud-related offences), the involved officers may be held personally criminally liable.

Considerations for multinational companies

Multinational companies operating potentially critical computer system in or from Hong Kong that are subject to other critical infrastructure cybersecurity legal requirements, such as the Digital Operational Resilience Act (DORA) in the European Union (effective from January 17, 2025) and the Hong Kong Monetary Authority’s (HKMA) Supervisory Policy Manual, should compare the potentially overlapping requirements.

Take incident reporting requirement as an example: a global financial institution is subject to various regulations.

• European Union (DORA): Under DORA, the time limits for reporting are as follows: the initial notification must be made within 4 hours after classification and 24 hours after detection of the incident, an intermediate report is required within 72 hours, and a final report must be submitted within 1 month.
• Hong Kong (HKMA): On the other hand, the HKMA stresses in its Supervisory Policy Manual for Technology Risk Management and its circular on Incident Response Management Procedures that once an authorized institution (AI) becomes aware of a "significant incident," "IT-related fraud," or a "major security breach," it "should notify the HKMA immediately and provide [the HKMA] with whatever information is available at the time." The HKMA is clear that AIs must not wait until they have rectified the problem before reporting the incident to the HKMA. This is a more immediate requirement compared to other regulatory bodies.
• The CI Bill: The CI Bill requires that for serious computer-system security incidents, the report must be made within 12 hours after becoming aware of the incident. For other computer-system security incidents, the report must be made within 48 hours after becoming aware of the incident. Additionally, CI operators are required to submit a written report of the incident within 14 days after the date on which the CI operator becomes aware of the incident.

Organizations should understand all these different requirements and consider whether they should meet the most stringent requirement to ensure compliance across all applicable jurisdictions. This comparison will help identify overlapping requirements and areas of deviation, ensuring that the organization remains compliant with all applicable regulations across different jurisdictions.

Recommendations

With the release of the CI Bill, we now have more clarity with respect to the specific requirements and expectations on organizations. We recommend that organizations and businesses with operations in Hong Kong:

• Assess potential status as CI operators: evaluate their potential designation as CI operators and the applicability of the CI Bill to their operations, particularly for those in the eight essential services sectors.
• Strengthen cybersecurity measures: enhance cybersecurity measures to meet the statutory requirements and the detailed requirements set out in the CI Bill.
• Review contracts: consider the implications of the CI Bill on both existing and future contracts, particularly with third-party service providers who may have systems designated as critical computer systems.
• Prepare for organizational changes: allocate a budget and prepare for the organizational changes required to meet the CI Bill's obligations, such as establishing a security management unit and formulating security management plans.

The Hong Kong Government’s plan remains to establish the Commissioner’s Office within a year after the passage of the CI Bill, with the legislation coming into force six months thereafter.

The resumption of Second Reading debate, committee stage and Third Reading of the Bill will be notified by the Government to the Legislative Council. We will closely monitor the developments and provide further updates as they become available.