In June 2024, the Hong Kong SAR Government proposed the Protection of Critical Infrastructure (Computer System) Bill to bolster the cybersecurity of essential services. The bill targets operators of critical infrastructure (CI) to ensure their computer systems are protected from cyberattacks, minimizing disruptions to societal and economic activities. A new Commissioner’s Office under the Security Bureau will be established to implement the proposed legislation and oversee compliance.
The bill focuses on two categories of infrastructure: those delivering essential services such as energy, transport, and healthcare, and those supporting societal and economic activities, like research parks and performance venues. Operators designated by the Commissioner’s Office will be subject to strict cybersecurity obligations, including securing critical computer systems (CCS), conducting risk assessments, and reporting incidents. The general public and small businesses are excluded from the scope.
Designated critical infrastructure operators (CIOs) must fulfill three key obligations: organizational, preventive, and incident reporting. They are required to establish security management units, submit security plans, conduct regular audits, and notify authorities within set time frames after security incidents. Non-compliance can result in fines ranging from HK$500,000 to HK$5 million, with criminal liability for serious violations.
The bill is expected to be introduced to the Legislative Council by the end of 2024. Once passed, the government plans to set up the Commissioner’s Office within a year and implement the legislation in stages. Organizations likely to be designated as CIOs are advised to align their cybersecurity practices with international standards in preparation for compliance.