Hong Kong’s new cybersecurity law gazetted

Authored by: Catherine Zheng, Eliza Siew

Did you know?

Hong Kong’s new cybersecurity law (proposed on 25 June 2024) was gazetted on 6 December 2024. The Protection of Critical Infrastructures (Computer Systems) Bill is intended to enhance the protection of the computer systems of Critical Infrastructures (CIs) and sets out the legal obligations of Critical Infrastructure Operators (CIOs). The Bill was introduced into the Legislative Council for its first and second readings on 11 December 2024. The new law is expected to be fully implemented around mid-2026.

With over 9000 cybersecurity incidents reported in the territory from June 2023 to May 2024, Hong Kong joins the global trend of enacting cybersecurity legislation, following jurisdictions such as Australia, the UK, the EU, the US and Canada. Closer to home, mainland China passed its Cybersecurity Law in 2016.

What is a “critical infrastructure”?

CIs are infrastructures that are necessary for maintaining the normal functioning of society and the normal life of people. The Bill imposes statutory requirements on designated CIOs to ensure that they take appropriate measures to protect their computer systems and minimise the chance of essential services being disrupted or compromised by cyberattacks. There are three categories of statutory obligations: organisational, preventive, and incident reporting and response.

The Bill focuses on large-scale organisations in 8 “essential services” sectors (energy, information technology, banking, telecommunication and broadcasting, maritime, healthcare, and land and air transport), as well as other infrastructure crucial for “maintaining important societal and economic activities”, such as major sports and performance venues and research and development parks. However, as in many other jurisdictions, the list of designated CIOs will be kept confidential for security reasons.

Why does this matter to you?

The Bill is much less strict than the Cybersecurity Law in China, but businesses have sought clarification of certain aspects and terms of the proposed legislation. The Security Bureau concluded its month-long consultation exercise with stakeholders at the beginning of August. Those consulted included potential CIOs, professional bodies and chambers of commerce, as well as the Hong Kong Monetary Authority and the Communications Authority.

Changes following consultation

Some of the concerns raised by stakeholders have been addressed in the Bill, including:

  • Removing the requirement for CIOs to report changes in ownership of CIs. Stakeholders made submissions regarding the practical difficulties organisations, particularly listed companies, face in making timely reports of changes in ownership.
  • Relaxation of the incident reporting time frame. Stakeholders said that it could be difficult for organisations to conduct a timely investigation into a serious security breach within 2 hours of becoming aware of the incident. CIOs will now have 12 hours rather than 2 hours to report serious cybersecurity incidents, and 48 hours rather than 24 hours to report less serious security lapses.

Reporting “material changes”

Some issues raised during the consultation have been answered by the Government but are not necessarily addressed in the Bill. In particular, the proposed legislation requires CIOs to report material changes concerning the design, configuration, security or operation of Critical Computer Systems (CCSs). There were views that the information reported should not involve sensitive or confidential information. During the consultation, the Government stated that the law “is not targeted at the personal data or commercial confidential information in the CIOs’ computer systems.” The Bill provides examples of what amounts to a material change, including a change that affects system security or the CIO’s ability to respond to security threats or incidents. These examples align with the legislative intention that the Bill is not targeted at personal data or confidential commercial information.

Extraterritorial reach

Another issue is the potential extraterritorial reach of the legislation. Under Hong Kong common law, criminal jurisdiction applies only when the whole, or part, of a criminal act takes place within the territory. Also, a criminal statute does not have extraterritorial effect unless the statute expressly provides otherwise. The Bill is silent on its extraterritorial effect and its jurisdictional application, but it should only apply to CIOs with a local presence in Hong Kong. However, it provides that a computer system can be designated as a “critical computer system” (CCS) if it is “accessible by the operator in or from Hong Kong”. This would mean that if a company with a local presence in Hong Kong is designated as a CIO, then as long as a computer system located overseas is accessible by the CIO in or from Hong Kong, that computer system could be designated by the Commissioner as a CCS and would be subject to the relevant requirements of the Bill.

Investigative powers

The Bill also grants extensive investigative powers to the Commissioner’s Office, including the power to require a CIO to produce information relevant, or likely to be relevant, to the inquiries that is in the possession or under the control of the operator, “or otherwise accessible in or from Hong Kong” by the CIO. The Consultation Report makes clear that the proposed legislation does not have extraterritorial effect, and that the Commissioner’s Office will only request information “accessible by operators with offices set up in Hong Kong, and will allow them reasonable time for preparation.” It remains to be seen how the legislation will operate in practice.

Queries were also raised regarding the power of the Commissioner’s Office to intervene directly in a company’s operations by connecting equipment to, or installing programs on, regulated systems deemed critical. The Security Bureau has said it would only connect devices to, or install programs on, an operator’s systems in “exceptional circumstances”. In the Consultation Report, the Government states that the Commissioner’s Office will only consider applying for a warrant when a CIO is unwilling or unable to respond to a serious incident on its own, pointing out that the relevant regulators in other jurisdictions (such as Australia and Singapore) have similar powers.

Definition of “information technology”

The consultation highlighted the concern that the “information technology sector” should be clearly defined. Since information technology is involved in the operation of CIs in other sectors, clearer criteria would help to determine whether individual operators may be subject to the law. However, the Security Bureau maintains that it is appropriate to categorise “information technology” as one of the CI sectors. The Bill contains no further definition or elaboration of the scope of the “information technology” sector. Whether an individual organisation or computer system operator falls within the law will be decided by the Security Bureau in close communication with the potential operators to be designated.

Although the current legislation is aimed at large organisations, and small and medium enterprises and the general public are not affected, the management of cybersecurity risks is a global challenge. The regulation of CIs and CIOs is only part of a wider trend towards improving the protection of computer systems and information handling, and organisations need to consider the possible implications as part of their long-term digital strategy.
