Hong Kong is moving closer to enacting an omnibus cybersecurity law for critical infrastructure operators (CIOs). Based on the recent proposals, businesses operating in critical sectors such as information technology, banking and financial services, transport, healthcare, telecoms and energy can expect a series of significant cybersecurity obligations.
The road so far
Cybersecurity has been designated as a priority area in several policy addresses, and the Hong Kong Government has been carrying out preparatory work since 2021. The Government has recently proposed a new framework aimed at enhancing the protection of critical computer systems and setting out the cybersecurity obligations of Hong Kong’s critical infrastructure companies, and has outlined the key elements of the proposed Protection of Critical Infrastructure (Computer System) Bill.
This represents a step closer to an omnibus cybersecurity law focused on the critical infrastructure that delivers essential services. The emphasis on critical infrastructure and its cybersecurity requirements reflects trends observed across the APAC region and underscores Hong Kong’s commitment to aligning with international standards and practices.
Scope and Critical Infrastructure designation
The new framework proposes designating CIOs under two categories. Those so designated will be required to secure their critical computer system(s), whether located in Hong Kong or abroad.
- Category 1: Infrastructures for delivering essential services in Hong Kong – within eight sectors: Energy; Information Technology; Banking and Financial Services; Land Transport; Air Transport; Maritime; Healthcare Services; and Communications and Broadcasting.
- Category 2: Other infrastructures for maintaining important societal and economic activities – where their damage, loss of functionality or data leakage may have serious implications on important societal and economic activities in Hong Kong (e.g. major sports, performance venues, and research and development parks).
To avoid making CIOs targets for cyberattacks, the list of designated CIOs will not be made public. Given the broad and somewhat ambiguous drafting of Category 2, some mid-sized organisations will face uncertainty as to whether they will be designated.
Even an organisation that is not itself designated may still be caught indirectly, as a supplier or intermediary in the chain of services on which a CIO relies.
Key obligations for CIOs
The framework outlines three main categories of obligations that CIOs must adhere to:
- Organisational requirements
- Preventative measures
- Reporting of incidents
Failure to comply with the new regime could attract substantial fines in the range of HK$500,000 to HK$5 million (circa USD 65,000 – USD 650,000).
Looking ahead
Over the next month the Government will consult the relevant sectors, and the Protection of Critical Infrastructure (Computer System) Bill, incorporating the stakeholder views collected, is expected to be introduced to the Legislative Council Panel on Security by the end of 2024.
Organisations likely to be in scope should proactively start reviewing their existing security measures and compliance processes, mapping out the areas that need improvement to meet the new regulatory standards. Please reach out if you would like to discuss!
Read more in our deeper dive: Understanding Hong Kong SAR’s new proposed laws for Cybersecurity and Critical Infrastructure