Regulation

Hong Kong extends critical infrastructure protections

May 25, 2025

Hong Kong has a rich and complex history. It is the fourth most densely populated region in the world, and visitors are often overwhelmed by the tightly packed residential and office towers that fill the skyline.

A hub for financial services and global trade, the island and peninsula area is home to enormous wealth and a network of systems that support residents, businesses and export-sector activities.

A former British territory, Hong Kong is now a special administrative region of the People's Republic of China. Over the last five years, China has pressed ahead with significant legislation to protect networks, data, cybersecurity and CNI assets.

Government activity in Hong Kong is regulated by detailed security policies and control baselines. In March this year, these efforts were strengthened by the passing of the first Cybersecurity Law to safeguard critical infrastructure.

The Protection of Critical Infrastructures (Computer Systems) Bill aims to enhance cybersecurity and minimise disruptions to Hong Kong’s critical and essential services caused by incidents. The CI Bill will take effect on January 1, 2026, and the government is shortlisting designated CNI operators by June 2025.

Sector coverage and compliance requirements

Similar to other countries, Hong Kong has prioritised a number of sectors for increased protection, split out into two groupings:

  1. Any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a specified sector (Type 1 CI).
  2. Any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong (Type 2 CI).

Type 1 sectors are energy, information technology, banking and financial services, air transport, land transport, maritime transport, health services, and telecommunications and broadcasting services. Type 2 examples include physical premises such as major sports venues, research and development parks and technology parks where organisations may cluster.

The resulting obligations for companies in scope of the legislation are detailed in the Schedules. Non-compliance, or failure to follow a written direction from the Commissioner of Critical Infrastructure, constitutes an offence, with fines of up to HKD 5m (approximately USD 640,000).

Category 1 obligations (Organisational):

  • Maintain an office in Hong Kong
  • Notify the authority of operator changes
  • Set up and maintain a computer-system security management unit

Category 2 obligations (Preventive):

  • Notify the authority of significant changes to certain systems
  • Submit and implement security management plans
  • Conduct security risk assessments
  • Arrange security audits

Category 3 obligations (Incident Reporting and Response):

  • Participate in security drills
  • Submit and implement emergency response plans
  • Notify the Commissioner of incidents:
    - within 12 hours for serious security incidents
    - within 48 hours for other incidents
  • Submit a written report within 14 days of becoming aware of the incident

Financial sector organisations covered by the Hong Kong Monetary Authority’s (HKMA) Supervisory Policy Manual will already be up to speed with these incident notification requirements.

Other organisations may not be as well prepared, and are advised to do the following:

  1. Confirm business status as a CI Operator (from June 2025)
  2. Allocate budget and resources to address any required changes
  3. Conduct a gap analysis to discover deficiencies in current security posture
  4. Enhance organisational resilience

Overcyte can assist Hong Kong businesses to determine their current readiness and map out a path to remediate. Get in touch to learn how.
