Hong Kong passes new cybersecurity law – what you need to know
11 April 2025

The Protection of Critical Infrastructure (Computer System) Ordinance was passed by the Hong Kong Legislative Council on 19 March 2025. It is expected to take effect on 1 January 2026.
The Ordinance focuses on protecting critical infrastructure, and will bring Hong Kong in line with the global trend of increasing regulatory scrutiny of and requirements for cybersecurity and operational resilience, as seen in other jurisdictions such as Australia, the EU, and the UK.
The Ordinance will regulate designated Critical Infrastructure Operators and their computer systems that have been designated as Critical Computer Systems. It will also establish a Commissioner's Office to oversee and enforce the new regime (expected within the first quarter of 2026).
The Ordinance was passed without substantial amendments to the original Ordinance. Our detailed analysis of the original Ordinance is set out here. This article recaps the Ordinance's provisions and sets out our recommendations for what you should do next.
We would be delighted to discuss how the Ordinance may affect your organisation.
Critical Infrastructure ("CI") – systems, facilities, and assets that are vital for the functioning of society and the economy, in the following two categories (with exclusions).
Category | What they cover |
Category 1 | Infrastructure for delivering essential services in Hong Kong in the following specified sectors: energy, information technology, banking and financial services, air transport, land transport, maritime transport, health services, and telecommunications and broadcasting services. |
Category 2 | Any other infrastructure, the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong. The Government has cited major sports and performance venues and research and development parks as examples of infrastructure in this category. |
Excluded | The Ordinance does not apply to certain essential infrastructure / services that are operated by the government – e.g. water supply, drainage and emergency relief. |
In determining whether an infrastructure is a CI, the Commissioner or Designated Authorities will consider:
what kind of service is provided by the infrastructure;
Critical Infrastructure Operators ("CIO") – designated entities which operate specified critical infrastructure. In determining whether an organisation is a CIO, the Commissioner or Designated Authorities will consider:
Critical Computer Systems ("CCS") – a designated computer system that is essential to the provision of an essential service or the core functions of a CIO, and if interrupted or damaged, would impact the normal functioning of the essential service or the CIO. A CCS may include hardware, software, data, networks and cloud services, and may be physically located within or outside of Hong Kong. In determining whether a computer system is a CCS, the Commissioner or Designated Authorities will consider:
CIOs and CCSs will be designated by the Commissioner or Designated Authorities. These designations will not be disclosed to the public.
At this stage, two Designated Authorities have been designated under the Ordinance – the Hong Kong Monetary Authority and the Office of the Communications Authority (and the Government has stated that, at this stage, no other authorities will be Designated Authorities). The Government expects to commence designation of CI and CCS from mid-2026, in a phased manner.
A CIO will have three key categories of obligations:
Category | Obligations |
Category 1 - Organisation | |
Category 2 - Preventative | |
Category 3 - Incident reporting and response | |
As discussed in our previous article, the offences and penalties for breaching the Ordinance (ranging from HKD500,000 to HKD5,000,000, in addition to daily fines for continuing breaches) will be imposed at the organisational level, and are not designed for individuals.
Step | Description |
Assess potential CIO status | Determine if your organisation may be designated as a CIO under the Ordinance. |
Consider resources for compliance | If your organisation is likely to qualify as a CIO, allocate resources to implement the organisational changes needed to meet the Ordinance's obligations. |
Analyse for gaps | Map your current cybersecurity practices against the Ordinance (including technical analysis/audits). |
Implement measures | Implement measures to comply with the Ordinance. This may include:
For third party service providers – we expect to see organisations increasingly try to flow down prescriptive requirements on a back-to-back basis, given the Government has commented that designated CIOs may be liable for the acts or omissions of third party service providers. |
Leverage existing resources / expertise | Leverage any resources or expertise you may have in complying with similar laws overseas, given the Ordinance has been influenced by global developments. For example:
|
Continue to monitor developments | In particular, we expect that the Codes of Practice under the Ordinance (to be issued by the Commissioner or designated authorities) will contain significant details regarding how the Ordinance will be enforced / applied in practice. The Government has stated that the Codes will reflect the following, in addition to the details we set out in our previous update:
Note that such Codes will not have the force of law (given they are not subsidiary legislation), but they may be admissible as evidence in determining relevant matters before a court. |
Extraterritoriality | The Government has stated that the Ordinance will not have extraterritorial effect in its enforcement, and is focused on regulating CIOs located in Hong Kong. However, CIOs are required to produce information to which they have access within Hong Kong, even if such information is located outside Hong Kong. |
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.