Hong Kong has taken a significant step forward in protecting critical infrastructure with the passage of its first comprehensive cybersecurity legislation. The Protection of Critical Infrastructures (Computer Systems) Bill introduces well-structured mandatory cybersecurity requirements across eight crucial sectors, creating a robust framework that aligns with international best practices.

Key highlights:

• Covers infrastructure in eight industries: energy, IT, banking, communications and broadcasting, maritime, healthcare, land transport, and air transport
• Also covers important societal and economic activities: including major sports and performance venues, as well as technology zones
• Operators face fines up to HK$5M for non-compliance
• Will begin to designate the operators and its computer system starting mid-June this year
• Targets to take effect on 1 January 2026

What this means for critical infrastructure operators:

• Must maintain a Hong Kong office
• Must conduct risk assessments at least annually
• Must notify the commissioner’s office within 12 hours of becoming aware of a security incident
• Retain full accountability even when operations are outsourced

By establishing clear accountability mechanisms and mandatory reporting requirements, this legislation strengthens Hong Kong’s position as a secure, resilient business hub equipped to face evolving cyber threats.

ELLALAN welcomes these developments and stands ready to help organizations navigate these new requirements. Please feel free to contact us to ensure your cybersecurity compliance strategy is robust and future-ready!

This update is prepared by Charles To (Partner), Tiffany Li (Associate) and Alison Choy (Trainee Solicitor).