
Hong Kong’s new cybersecurity law for critical infrastructure comes closer to reality

We previously reported on Hong Kong’s proposed implementation of new omnibus cybersecurity legislation for critical infrastructure operators (CIOs). The Hong Kong government has now finalised the Protection of Critical Infrastructures (Computer Systems) Bill (CI Cyber Bill), which is widely expected to be passed by the Hong Kong Legislative Council before the end of this year.

Organisations providing critical infrastructure services in Hong Kong which may be designated as CIOs should proactively review the adequacy of their internal IT and cybersecurity processes and policies, in light of the potential designation of their critical IT systems and the obligations that would follow. Organisations which fall outside the CI Cyber Bill’s net, but which support or provide critical services to designated CIOs, should anticipate that new or additional cybersecurity obligations may flow down to them through CIOs’ contractual requirements in the supply chain.

We summarise the key aspects of the CI Cyber Bill:

Scope and designation process

The CI Cyber Bill is largely consistent with the consultation findings report dated 8 October 2024 (Consultation Report). The key points on scope and designation are as follows:

  • Key obligations: The CI Cyber Bill requires organisations designated as CIOs to comply with three types of obligations: (i) organisational, (ii) preventive, and (iii) incident reporting and response obligations. These apply to CIOs only to the extent that they relate to their “critical computer systems” (CCSs).
  • Definition of “critical infrastructure”: is substantially the same as before, except that the “communications and broadcasting” category (which is one of the eight explicitly specified categories) has been replaced with “telecommunications and broadcasting”, ensuring that this includes telecommunications companies, mobile network operators, and tower operators.
  • Definition of critical computer systems: is substantially the same, capturing systems which are essential to the core function of a critical infrastructure operated by the CIO, as long as they are accessible by the CIO in or from Hong Kong. This may capture CCSs which are based overseas but accessible from Hong Kong.
  • Oversight: the ‘Commissioner’ referred to in the Consultation Report will now be known as the ‘Commissioner of Critical Infrastructure (Computer-System Security)’ and is primarily responsible for designating and regulating CIOs. However, the CI Cyber Bill already prescribes two designated authorities: the Hong Kong Monetary Authority for the banking and financial services sector, and the Communications Authority for the telecommunications and broadcasting sector. These authorities may also designate and regulate CIOs within their domains and monitor their compliance with the (i) organisational and (ii) preventive cybersecurity obligations.
  • CIO designations: must be made by written notice, and aggrieved organisations may appeal a designation to an appeal board.

Obligations and enforcement 

  • Reporting timeline: Following the Consultation Report, and addressing stakeholders’ concerns about the difficulty of meeting the proposed incident reporting timelines, the CI Cyber Bill extends the deadlines, which run from the time the CIO becomes aware of the incident: for serious computer system security incidents (those which disrupt the core function of the critical infrastructure), from 2 hours to 12 hours; for other incidents, from 24 hours to 48 hours.
  • No extra-territorial effect: Consistent with the Government’s statements in the Consultation Report, the CI Cyber Bill confirms that it is unlikely to have extra-territorial effect, given that a CIO is required to maintain an office in Hong Kong.
  • Fines for breach: The key obligations remain largely the same, and a breach will amount to a criminal offence subject to a maximum fine of HKD 5 million. The CI Cyber Bill has reduced the fines at the lower end from those mentioned in the Consultation Report.
  • Investigation powers: The Commissioner’s office will have wide-ranging powers to investigate offences, request the production of documents, and enter premises and search electronic devices with a court warrant.

Defences and third-party services

Following industry feedback, the Government has clarified the possible defences to an offence under the CI Cyber Bill: 

  • “Due diligence” defence: is available for an offence relating to the cybersecurity obligations. The defendant must prove that: (i) the commission of the offence was due to a cause beyond the defendant’s control; and (ii) it took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
  • “Reasonable excuse” defence: is available for offences concerning a failure to comply with the Commissioner’s investigatory powers. Sufficient evidence must be adduced, though the parameters of what constitutes “sufficient evidence” remain unclear.

A notable omission from the CI Cyber Bill is an explicit obligation on CIOs to ensure that their statutory obligations are met when engaging third-party service providers. However, a CIO’s responsibilities in respect of third-party service providers are likely covered by its other obligations.

This is evidenced by the due diligence defence, which expressly contemplates the possibility of attributing the CIO’s non-compliance to a third party. It provides that, if such an argument is to be made, the defendant must issue a notice identifying that third party, serve the notice on the person bringing the proceedings, and prove that it took all reasonable steps to secure the cooperation of that third party in complying with the relevant provisions.

Next steps

According to a spokesperson for the Security Bureau, the CI Cyber Bill will be submitted to the Legislative Council for a first and second reading on 11 December 2024. If passed, the Government has previously outlined plans to set up the new Commissioner’s Office within one year, with the CIO cybersecurity obligations coming into force 6 months after that.

Organisations which may be designated as a CIO, or which may be indirectly impacted by providing critical services to a CIO, should assess the applicability and impact of the CI Cyber Bill, conduct a gap analysis of their current compliance levels, and uplift their processes and supporting artifacts in preparation. We will closely monitor the legislative process and conduct a deep-dive analysis once the CI Cyber Bill is passed.
