Hong Kong’s First Comprehensive Cybersecurity Law: Key Requirements for Businesses

Written by Arendse Huld. Reading time: 10 minutes

The passage of the Protection of Critical Infrastructures (Computer Systems) Ordinance marks a significant milestone in Hong Kong cybersecurity, establishing a new legal framework to protect essential services from cyber threats. The law imposes strict compliance obligations on designated critical infrastructure operators, with enforcement set to begin in 2026. Organizations in key sectors are urged to assess their potential obligations under this transformative regulatory regime.


On March 19, 2025, Hong Kong took a major step forward in strengthening its cybersecurity landscape with the passage of the Protection of Critical Infrastructures (Computer Systems) Bill, a landmark piece of legislation aimed at safeguarding the city’s essential services from cyber threats. The resulting Protection of Critical Infrastructures (Computer Systems) Ordinance (the “Ordinance”) was published in the Gazette on March 28, 2025, marking the start of a new regulatory era for operators of critical infrastructure.

This Ordinance introduces a comprehensive statutory framework requiring designated critical infrastructure operators (CIOs) to implement robust measures for protecting their computer systems. By setting out clear compliance obligations across three key categories, the law aims to reduce the risk of disruptions caused by cyberattacks and ensure the continued delivery of vital services that keep Hong Kong running. 

Although the Ordinance will officially come into force on January 1, 2026, organizations will only be bound by its obligations once they are formally designated as CIOs. The responsibility for these designations lies with the newly established Office of the Commissioner of Critical Infrastructure (CCI), which will be set up under the Security Bureau within one year of the Bill’s passage, according to a background brief released by the LegCo. Once operational, the CCI will begin the designation process in phases within six months. 

Given the significant compliance duties – and the potential for steep penalties – companies operating in any of the eight specified sectors should proactively assess whether they may be subject to the new requirements. 


Designation of a CIO, critical infrastructure, and critical computer systems 

As the Ordinance only applies to companies that have been designated as a CIO, it is important to understand what the authorities are considering when making the designation. 

Broadly, a company can be designated as a CIO if it is found to be operating critical infrastructure and is operating within one of the eight designated sectors. 

Critical infrastructure is defined in the Ordinance as: 

  1. Any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in the following sectors:
    1. Energy
    2. Information technology
    3. Banking and financial services
    4. Air transport  
    5. Land transport  
    6. Maritime transport  
    7. Healthcare services  
    8. Telecommunications and broadcasting services 
  2. Any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong. 

The responsibility to designate an organization as a CIO falls to the “regulating authority”. Which regulating authority oversees the designation of a CIO depends on the industry the organization is operating in, and can be either a “designated authority” or the CCI. The “designated authority” for the banking and financial services sector is the Hong Kong Monetary Authority, while for telecommunications and broadcasting services, it is the Communications Authority. For all other sectors, the regulating authority is the CCI. 

When ascertaining whether the new critical infrastructure rules apply, the regulating authority will consider: 

  1. What kind of service is provided by the infrastructure;
  2. What implications there can be if the infrastructure is damaged, loses functionality or suffers any data leakage;
  3. Any information required by the regulating authority from the organization in order to ascertain critical infrastructure; and
  4. Any other matters the authority considers relevant. 

When ascertaining whether to designate an organization as a CIO (or revoke the designation of an organization as a CIO), the regulating authority will take into account the following: 

  1. How dependent the core function of the critical infrastructure concerned is on computer systems;
  2. The sensitivity of the digital data controlled by the organization in respect of the infrastructure;
  3. The extent of control that the organization has over the operation and management of the infrastructure;
  4. Any information requested by the regulating authority from the organization in order to ascertain critical infrastructure; and
  5. Any other matters the authority considers relevant. 

Note that more than one CIO can be designated for a single critical infrastructure system. Similarly, a single organization may serve as CIO for multiple critical infrastructure systems.

In addition to ascertaining what constitutes critical infrastructure and whether to designate an organization as a CIO, the regulating authority will also closely examine critical computer systems related to critical infrastructure. Critical computer systems are subject to additional security compliance requirements, such as mandatory reporting of any incidents implicating the system. 

Broadly, a computer system that is critical for the infrastructure in question will be designated as such if it is accessible by the CIO in or from Hong Kong and is essential to the core function of a critical infrastructure system. 

In the process of designating a critical infrastructure system, a CIO, or a critical computer system, the regulating authority can request an organization to provide “any information the authority reasonably considers necessary”. Failure to comply with such a request for information could lead to initial fines of HK$300,000 to HK$5 million, plus an additional daily fine of HK$30,000 to HK$100,000 for continuing offences. 

Obligations of CIOs 

Being designated a CIO triggers a wide range of new obligations to ensure the security of critical infrastructure. These obligations include maintaining an office in Hong Kong, conducting regular risk assessments and security audits, and reporting security incidents to the authorities.

Complying with these obligations is crucial, as failing to do so carries penalties of up to HK$5 million for initial offences, and an additional daily fine of up to HK$100,000 for continuing offences. 

The obligations can generally be split into two categories: Initial obligations that companies must comply with once they have been designated a CIO, and ongoing reporting and compliance requirements. 

Initial obligations 

Some initial obligations must be met within one month of being designated a CIO. These are:

  • Maintaining or establishing an office in Hong Kong and notifying the regulating authority of the office address.
  • Maintaining or establishing a computer-system security management unit and notifying the regulating authority of the appointment of an employee to supervise this unit. 

Meanwhile, in the first three months, CIOs are required to submit a computer-system security management plan to the regulating authority and submit an emergency response plan to the CCI. CIOs are also legally required to implement emergency response plans.

The contents of the computer-system security management plan are outlined in Schedule 3 of the Ordinance, and must cover a range of information related to the persons responsible for managing cybersecurity, how critical systems are identified, and how risks such as threats, vulnerabilities, and incidents are detected and addressed. 

The emergency response plan, meanwhile, must describe the structure and responsibilities of the team that handles cybersecurity incidents, define when the response protocol should be activated, and set out how incidents are reported, investigated, and assessed, among other matters. 

In the first 12 months, CIOs are also required to conduct a computer-system security risk assessment, and submit a report of this assessment within three months of the end of the initial 12-month period to the regulating authority. 

Finally, in the first 24 months, CIOs must carry out a computer-system security audit and submit a report of the audit to the regulating authority within three months of the end of the 24-month period. 

Below is a summary of the initial obligations placed on companies once they are designated a CIO. Note that the relevant authority for the first two divisions is either the designated authority or the CCI, depending on the CIO’s sector, whereas Division 3 obligations are exclusively under the purview of the CCI.

Initial Obligations Upon Designation as CIO

General operational obligations (Division 1)

  • Maintain or establish an office in Hong Kong
    Time limit: within 1 month of designation (if no office exists when designated)
    Overseeing authority: NA
    Legal liabilities: NA
  • Notify the regulating authority of the address of the office
    Time limit: within 1 month of designation
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Maintain or establish a computer-system security management unit
    Time limit: within 1 month of designation (if no unit exists when designated)
    Overseeing authority: NA
    Legal liabilities: NA
  • Notify the regulating authority of the appointment of an employee with adequate professional knowledge in relation to computer-system security to supervise the computer-system security management unit
    Time limit: within 1 month of designation (extensions can be granted if no unit existed when designated)
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences

Obligations to prevent threats and incidents (Division 2)

  • Submit a computer-system security management plan to the regulating authority
    Time limit: within 3 months of designation
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Conduct a computer-system security risk assessment
    Time limit: within 12 months of designation
    Overseeing authority: NA
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Submit a report of the computer-system security risk assessment to the regulating authority
    Time limit: within 3 months of the expiry of the period in which the assessment must be completed
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Carry out a computer-system security audit
    Time limit: within 24 months of designation
    Overseeing authority: NA
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Submit a report of the computer-system security audit to the regulating authority
    Time limit: within 3 months of the expiry of the period in which the audit must be completed
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences

Obligations to respond to and report incidents (Division 3)

  • Submit an emergency response plan to the CCI
    Time limit: within 3 months of designation
    Overseeing authority: CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences

Ongoing obligations 

Ongoing obligations of CIOs include notifying the regulating authority of any changes to the CIO’s general operating conditions within one month of the change occurring. This includes changes in the CIO’s address, any operator or operational change related to a critical infrastructure, any change to the appointment of the employee supervising the computer-system security management unit, and any revisions to the computer-system security management plan. 

CIOs are also required to notify the relevant regulating authority within one month of certain non-emergency “events” related to their computer systems, including: 

  1. Material changes to the design, configuration, security or operation of a critical computer system of the critical infrastructure;
  2. The removal of a critical computer system of the infrastructure;
  3. The addition of a computer system to the infrastructure that is accessible by the operator in or from Hong Kong and is essential to the core function of the infrastructure; and
  4. A change to an existing computer system of the infrastructure that is accessible by the operator in or from Hong Kong, such that the system becomes essential to the core function of the infrastructure. 

There is also a range of ongoing obligations relating to the prevention of threats and incidents, and to notifying the authorities if any incidents occur: 

  • First, to prevent threats and incidents, CIOs must continue to conduct regular risk assessments and security audits (at least every 12 months and 24 months, respectively, following the initial mandatory assessment and audit period).
  • Second, CIOs are required to participate in a computer-system security drill upon the request of the CCI. The CIO will be given “reasonable notice” in writing of the drill from the CCI.
  • Finally, if a CIO becomes aware that a computer-system security incident has occurred implicating a critical computer system of its critical infrastructure, it must notify the CCI of the incident as soon as is practicable, and in any case within 48 hours after the CIO becomes aware of the incident. If, however, an incident has disrupted, is disrupting, or is likely to disrupt the core function of the critical infrastructure concerned, the CIO must inform the CCI within 12 hours after it becomes aware of the incident.  

The last two obligations carry significant penalties if not fulfilled, with fines ranging from HK$3 million to HK$5 million depending on the severity of the case. 

Ongoing Obligations of CIOs

General operational obligations (Division 1)

  • Notify the regulating authority of a change in the address of the office
    Time limit: within 1 month of the change occurring
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Notify the regulating authority of any change of the organization that operates the infrastructure
    Time limit: within 1 month of the change occurring
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$3 million – HK$5 million fine for initial offence; HK$60,000 – HK$100,000/day fine for continuing offences
  • Notify the regulating authority of any change to the appointment of the employee supervising the computer-system security management unit
    Time limit: within 1 month of the change occurring
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences

Obligations to prevent threats and incidents (Division 2)

  • Notify of certain “events”, including material changes to certain computer systems
    Time limit: within 1 month of the event occurring
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Submit any revisions to the computer-system security management plan to the regulating authority
    Time limit: within 1 month of the revision occurring
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Conduct subsequent computer-system security risk assessments
    Time limit: at least once every 12 months after the first 12 months
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Conduct subsequent computer-system security audits
    Time limit: at least once every 24 months after the first 24 months
    Overseeing authority: designated authority or CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences

Obligations to respond to and report incidents (Division 3)

  • Participate in a computer-system security drill upon the request of the Commissioner of Critical Infrastructure
    Time limit: upon request
    Overseeing authority: CCI
    Legal liabilities: HK$3 million – HK$5 million fine
  • Submit any revisions to the emergency response plan
    Time limit: within 1 month of the revision occurring
    Overseeing authority: CCI
    Legal liabilities: HK$300,000 – HK$500,000 fine for initial offence; HK$30,000 – HK$50,000/day fine for continuing offences
  • Notify the Commissioner of Critical Infrastructure of any computer-system security incidents that occur in a critical computer system of a critical infrastructure
    Time limit: as soon as practicable, or 12 to 48 hours after the operator becomes aware of the incident
    Overseeing authority: CCI
    Legal liabilities: HK$3 million – HK$5 million fine

Impact on companies in Hong Kong 

The enactment of the Ordinance represents a major shift in Hong Kong’s approach to cybersecurity regulation, and will have far-reaching implications for companies operating in the city. For those designated as CIOs, meeting the obligations of the Ordinance will require a substantial allocation of resources, including both financial investment and enhanced internal capacity to manage ongoing cybersecurity risks. Non-compliance should not be taken lightly, given the steep penalties stipulated in the law.

In light of this, companies should begin to prepare by assessing whether they operate infrastructure that could be deemed “critical” under the Ordinance, and whether that operation would make them likely to be designated as a CIO. They should then consider what that designation could mean for their business operations, resourcing, and risk exposure. 

To stay ahead of the requirements, businesses should begin preparing by allocating resources for compliance, which may include establishing a presence in Hong Kong, setting up a dedicated computer-system security management unit, developing comprehensive cybersecurity and emergency response plans, and conducting regular security risk assessments, audits, and incident response drills. Training personnel involved in these processes will also be essential to building the capabilities required under the new law.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.