Legal development

Hong Kong's new cybersecurity law – what you need to know


    On 6 December 2024 the Hong Kong Government gazetted the Protection of Critical Infrastructure (Computer System) Bill (the "Bill").

    Hong Kong does not currently have any statutory requirements for protecting critical infrastructure operators' computer systems. This Bill, once passed, will impose obligations on operators of critical infrastructure and establish a Commissioner's Office to oversee and enforce the new regime – and will bring Hong Kong in line with the global trend of increasing regulatory scrutiny of and requirements for cybersecurity and operational resilience, as seen in other jurisdictions such as Australia, the EU, and the UK.

    The Bill went through its first and second readings in the Legislative Council of Hong Kong ("LegCo") on 11 December 2024. It is expected to pass (either verbatim or substantially in its current form) upon the third reading, the date of which has yet to be announced. This article sets out further details regarding the Bill and how you can prepare for its likely introduction.

    Background

    Recently the Hong Kong Government has stated its aim of introducing a cybersecurity law for the protection of critical infrastructure. In particular, the Chief Executive (in his 2023 Policy Address) announced:


    "To address the increasing risks of cyber-attacks globally, the Government is working to enhance the cybersecurity of our critical infrastructure, including energy, telecommunications, transportation, financial institutions, etc. We will introduce a bill into the Legislative Council for this purpose in 2024."


    Such an aim is consistent with global regulatory developments, especially given the emergence of artificial intelligence and its potential for increasing the volume and heightening the impact of cyber-attacks. 

    A discussion draft of the Bill was prepared by the Security Bureau (the "SB") and introduced to the LegCo Panel on Security in June 2024. A subsequent consultation period held by the SB regarding that discussion draft received 53 written submissions from various stakeholders, mostly in support of the legislation or with positive suggestions.  The SB also organised five consultation sessions (that were attended by nearly 200 stakeholders – including potential CIOs and cybersecurity service suppliers) during the consultation period.

    The SB then presented a revised discussion draft to the LegCo Panel on Security in October 2024 ("Consultation Report") – leading to the Bill being gazetted.

    It is anticipated that, once the Bill is passed, the Commissioner's Office will be established within 12 months and that the Bill will then take effect within 6 months after such establishment.  The designation of the CIOs and the CCSs will be carried out in a phased manner, with prior consultation and communication with the operators.

    Throughout the process the Security Bureau has clearly stated that the Bill is only aimed at critical infrastructure, and is not aimed at SMEs or the general public.

    Scope and Definition of Critical Infrastructure Operators and Critical Computer Systems

    The Bill covers two major categories of critical infrastructure (with express exclusions): 

    Category 1

    Infrastructure for delivering essential services in Hong Kong - e.g. banks, financial institutions, telecommunications service providers, electricity supply facilities, railway systems.

    Category 2

    Other infrastructure for maintaining important societal and economic activities - e.g. major sports and performance venues, research and development parks. 

    Category 3

    The Bill does not apply to certain essential services that are operated by the government, such as water supply, drainage and emergency relief, on the basis that the government has already implemented internal policy guidelines that are comparable to the proposed requirements. 


    The Bill will apply to the following, as expressly designated by the Commissioner's Office:

    • Organisations that are designated as Critical Infrastructure Operators ("CIOs").
    • Computer systems that are designated as Critical Computer Systems ("CCSs") – defined as a computer system that is essential to the provision of an essential service or the core functions of a CIO, and which, if interrupted or damaged, would impact the normal functioning of the essential service or the CIO. A CCS may include hardware, software, data, networks and cloud services, and may be physically located in Hong Kong or outside Hong Kong.
    • The Commissioner can also designate infrastructure (other than in the above two categories) as critical, if (in their view) such infrastructure's compromise may affect critical societal or economic activity in Hong Kong (note: this is consistent with the equivalent positions in Singapore and the PRC, and was inserted following the Consultation Report).

    Designations from the Commissioner's Office will take into account various factors, such as the impact on essential services if the infrastructure is damaged, the level of dependence on information technology, the importance of data controlled by the infrastructure, the degree of control of the organisation over the infrastructure, and the potential cross-border implications.  The Commissioner's Office will also consult with CIOs on what systems are essential and seek their assistance in determining the scope of the CCSs. The list of CIOs and CCSs will not be disclosed to the public.

    Key Obligations of CIOs

    The Bill imposes three categories of obligations on CIOs. The key requirements under each category are set out below.

    Organisational obligations

    • Providing and maintaining an address and office in Hong Kong and reporting any changes in ownership to the Commissioner's Office.
    • Setting up a dedicated computer system security management unit, which can be in-house or outsourced, to oversee the cybersecurity of the CCSs (Note: this requirement is similar to the requirements under the PRC Cybersecurity Law). 
    • Participating in a computer system security drill organised by the Commissioner's Office at least once every two years. 

    Preventative obligations

    • Informing the Commissioner's Office of material changes to the CCSs, such as changes to design, configuration, security or operation. 
    • Formulating a computer system security management plan and submitting it to the Commissioner's Office. 
    • Conducting a computer system security assessment at least once every year and an independent computer system security audit at least once every two years, and submitting the reports to the Commissioner's Office. 
    • Adopting measures to ensure that the CCSs comply with the statutory obligations even when third-party services or products are involved or engaged. 

    Incident reporting and response obligations

    • Having in place an emergency response plan and submitting it to the Commissioner's Office. 
    • Notifying the Commissioner's Office of computer system security incidents within certain timeframes: 12 hours for serious incidents and 48 hours for other incidents. 

    Note – the original discussion draft of the Bill had proposed requiring organisations to conduct a timely investigation into the nature and cause of a serious computer system security incident and to notify the Commissioner's Office within two hours after becoming aware of the incident (or within 24 hours after the occurrence of other incidents). These requirements have been relaxed following the consultation period, during which various respondents noted that it would be difficult for organisations to meet the original timing requirements. We note, however, that the Singapore Cybersecurity (Critical Information Infrastructure) Regulations do have a 2-hour notice period for notifying the relevant regulator.

    • Cooperating with the Commissioner's Office in responding to and investigating the incidents, and complying with any written directions or requests issued by the Commissioner's Office. 

    Establishment and Functions of the Commissioner's Office

    The Bill will establish a Commissioner's Office under the Security Bureau, headed by a Commissioner appointed by the Chief Executive. The Commissioner's Office will be responsible for:

    • Designating the CIOs and the CCSs and maintaining a register of them.
    • Monitoring and enforcing the compliance of the CIOs with the statutory obligations and issuing written directions or requests.
    • Assisting and advising the CIOs on the implementation of the computer system security management plan and the emergency response plan.
    • Organising and conducting computer system security drills and audits.
    • Responding to and investigating computer system security incidents and taking necessary actions to protect the CCSs.
    • Coordinating with other government departments, such as the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team Coordination Centre, on cybersecurity matters.
    • Issuing a code of practice to provide operational guidance and standards for the CIOs.

    The Bill also provides for the designation of certain existing regulators as designated authorities for some sectors, such as the Hong Kong Monetary Authority for the banking and financial services sector and the Communications Authority for the communications and broadcasting sector. The designated authorities will be responsible for monitoring the compliance of the CIOs in their respective sectors with the organisational and preventive obligations, while the Commissioner's Office will retain oversight of the incident reporting and response obligations. An area that we will continue to monitor (both in the eventual Code of Practice and on an ongoing basis) is how the relevant regulators will conduct such monitoring, given that various sectors have their own sector-specific cybersecurity requirements (e.g. the HKMA has (on 29 Nov) released a new supervisory policy module TM-C-1 on "Supervisory Approach on Cyber Risk Management", setting out its policy and expectations regarding how banks should consider and manage cyber risks).

    Offences and Penalties

    The Bill will create offences for non-compliance with the statutory obligations, written directions or requests from the Commissioner's Office, or any investigation by the Commissioner's Office.  The offences will only apply to organisations and not to individuals, unless they are involved in aiding, abetting, counselling or procuring the commission of the offences. 

    The penalties will comprise monetary penalties, ranging from HK$100,000 to HK$5,000,000, depending on the type of the offence.  For some offences, there will be additional daily fines for continuing non-compliance. Whilst the lower range of these penalties aligns with the PRC, the maximum penalty significantly exceeds the range set out in the PRC Cybersecurity Law. 

    Appeal Mechanism and Subsidiary Legislation

    The Bill will establish an appeal board to allow CIOs to appeal against the designation of a CIO or a CCS or any written directions issued by the Commissioner's Office.  The appeal board will consist of about 15 experts from the industry, cybersecurity and legal profession, appointed by the Chief Executive.  The appeal board will be independent of the Commissioner's Office and will conduct hearings by three board members, who will be required to declare any conflict of interest and sign a non-disclosure agreement. 

    The Bill will also empower the Secretary for Security to specify certain matters by way of subsidiary legislation, such as the types of essential services, the designated authorities, the types of reportable incidents and the reporting timeframes (note that any subsidiary legislation will require LegCo approval). 

    Code of Practice

    Annex III of the Consultation Report included details on what the Code of Practice will include. Such Code will set out how the Bill will be enforced and how CIOs can comply with its obligations.

    Key details set out in this Annex III include:

    • Qualification requirements for appointing suitable personnel (including audit staff), with reference to international standards. 
    • Recommended standards for computer system security risk assessments and audits, with reference to technology and international standards.
    • Further details regarding incidents required to be reported.
    • Further details regarding how CIOs should contract with third party vendors, in order to satisfy their relevant obligations under the Bill.  
    • Internationally recognised standards and methodologies that are applicable to how CIOs can satisfy their relevant obligations under the Bill.
    • Requirements and scope of computer system security training. 

    How does the Bill compare with similar laws in Singapore and mainland China? 

    A key question that we have received is how the Hong Kong, Singapore and mainland China cybersecurity laws differ. To recap, the key cybersecurity laws are:

    • Singapore – the Cybersecurity Act.
    • PRC – the Cybersecurity Law and the Regulation for Safe Protection of Critical Information Infrastructure.

    We set out below a high level comparison of various positions under the key Hong Kong, Singapore and PRC cybersecurity laws. 

    Scope and Definition of CI

    HK – Covers two categories: (1) infrastructure for delivering essential services in Hong Kong; and (2) other infrastructure for maintaining important societal and economic activities.

    SG – Covers 11 sectors of essential services: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, maritime, and aviation.

    PRC – Covers key network facilities and information systems in important industries (including public telecoms, energy, transport, water conservancy, finance, public services, and e-government) which, if compromised, will seriously endanger national security, the economy, people's livelihood, or public welfare.

    Designation of Critical Infrastructure and Critical Computer Systems

    HK – Only expressly designated CIOs and CCSs will be regulated. The list of CIOs will not be disclosed.

    SG – Only expressly designated CIOs and CCSs will be regulated. The list of CIOs will not be disclosed.

    PRC – Only expressly designated CI and CIOs will be regulated. The list of CI will not be disclosed.

    Obligations of Critical Infrastructure Operators

    HK – CIOs must fulfil three categories of obligations: organisational, preventive, and incident reporting and response.

    SG – CIOs must fulfil four categories of obligations: compliance, audit, incident reporting and response, and participation in cybersecurity exercises.

    PRC – CIOs must fulfil obligations including maintaining independent and specialised security management institutions, conducting cybersecurity detection and risk assessments at least once a year, and formulating internal security management systems, including background checks on key personnel and conducting training and skills assessments for employees.

    Delegation of Regulatory Powers to Sector Regulators

    HK – Certain sector regulators will be designated as authorities to monitor the discharge of organisational and preventive obligations by CIOs in their respective sectors. The Commissioner's Office will take full charge of monitoring the incident reporting and response obligations of all CIOs.

    SG – The Commissioner of Cybersecurity may appoint sector regulators as assistant commissioners to exercise certain powers and functions under the legislation in relation to CIOs in their respective sectors.

    PRC – The Cyberspace Administration of China (CAC) is the key authority, supported by public security departments and the relevant departments of important industries.

    Issuance of Code of Practice and Subsidiary Legislation

    HK – The Commissioner's Office will issue a code of practice to set out the proposed standards based on the statutory obligations. The Secretary for Security will specify or amend certain details relating to the powers of the Commissioner's Office or the statutory obligations of CIOs by way of subsidiary legislation.

    SG – The Commissioner of Cybersecurity will issue codes of practice and standards of performance to provide guidance on the measures to be taken by CIOs. The Minister for Communications and Information will make regulations for the purposes of the legislation.

    PRC – The CAC issues regulations, guidelines, and national standards for the implementation of cybersecurity measures.

    Investigation Powers

    HK – The Commissioner's Office will have powers to question, request information, enter premises, access and check the relevant computer systems, etc., for the purpose of investigating security incidents or offences under the legislation.

    SG – The Commissioner of Cybersecurity and the assistant commissioners will have powers to question, request information, enter premises, access and check the relevant computer systems, etc., for the purpose of investigating security incidents or offences under the legislation.

    PRC – The CAC and other relevant authorities have powers to conduct inspections, request information and take necessary measures to investigate and address security incidents or offences under the legislation.

    Appeal Mechanism

    HK – An appeal board will be established to allow CIOs to appeal against a designation as a CIO or CCS, or a written direction issued by the Commissioner's Office.

    SG – An appeal tribunal will be established to allow CIOs to appeal against a designation as a CIO or CCS, or a direction or decision issued by the Commissioner of Cybersecurity or the assistant commissioners.

    PRC – CIOs can apply for administrative reconsideration by a higher administrative authority. If they are not satisfied with the outcome of the administrative reconsideration, they can file an administrative lawsuit with the People's Court.

    Offences and Penalties

    HK – Violations under the legislation without reasonable excuse may result in fines ranging from HK$100,000 to HK$5 million. The offences and penalties will only be applicable to organisations, unless the relevant violations involve a breach of existing criminal legislation.

    SG – Violations under the legislation without reasonable excuse may result in fines ranging from S$5,000 to S$100,000, or imprisonment for up to 10 years, or both. The offences and penalties may be applicable to both organisations and individuals, depending on the nature of the offence.

    PRC – Penalties for non-compliance typically range between RMB 100,000 and RMB 1,000,000, depending on the offence in question.

    Extraterritorial Application

    HK – The Cybersecurity Bill includes provisions for extraterritorial application, allowing the Commissioner's Office to take action against individuals and entities outside the jurisdiction if their actions have a significant impact on the cybersecurity of Hong Kong. It also applies to computer systems located outside Hong Kong if they affect the security of critical infrastructure within Hong Kong.

    SG – The Act has extraterritorial reach, enabling the Commissioner to take action against foreign entities and individuals whose activities threaten the cybersecurity of Singapore's critical information infrastructure. It applies to computer systems outside the jurisdiction if they impact the security of CIIs within Singapore.

    PRC – The PRC cybersecurity laws have extraterritorial application, applying to foreign entities and individuals whose activities pose a threat to Chinese CI, and to computer systems located outside of China if they are seen to affect the security of Chinese CI.

    Conclusion and our recommendations 

    The Bill will have significant implications for the operators of critical infrastructure and essential services in Hong Kong, as well as their suppliers, customers and partners. The Bill will introduce new and stringent requirements for cybersecurity and operational resilience, as well as new regulatory oversight and enforcement mechanisms.

    As the Consultation Report has indicated that requirements may be phased in, relevant operators should prepare for the Bill by:

    • Assessing the Bill's applicability to their operations – including whether they are likely to be designated as CIOs and which of their systems are essential to their core functions and services. This is particularly the case if the operator is in one of the eight essential services sectors.
    • Reviewing their systems architecture and infrastructure, their existing cybersecurity measures and policies, their contractual arrangements with third-party providers, and their incident reporting and response processes. Such a review should reference the three categories of obligations imposed by the Cybersecurity Bill, as well as the details set out in the potential Code of Practice (see above).
    • Allocating sufficient resources and budget for compliance internally, and seeking professional advice where necessary.

    Operators can also learn from the international experience and best practices of other jurisdictions that have similar or more advanced cybersecurity and critical infrastructure laws, such as Australia, the EU and the UK.  These jurisdictions have adopted different approaches and standards for defining and regulating critical infrastructure and computer systems, imposing obligations and penalties, establishing regulatory authorities and functions, and providing guidance and support for the operators.  Such examples and benchmarks can be used to anticipate and address the potential challenges and issues that may arise under the Hong Kong Bill.

    Third-party providers which do not fall directly within the ambit of the Bill should also be aware of any trickle-down consequences, as companies that may be designated as CIOs review their cybersecurity policies. The Consultation Report noted that certain respondents indicated concerns that liability for the actions of third-party providers would be imposed on them. The Bill imposes obligations on CIOs to conduct due diligence on their third-party providers, to include contractual obligations for cybersecurity standards, and to monitor and audit the cybersecurity practices of third parties. Additionally, third-party providers to CIOs will be obligated to report cybersecurity incidents to the CIOs. Third-party providers which may be contracting with CIOs should therefore also review their own cybersecurity practices and how they can support compliance with the Bill.

    The Bill aims to enhance Hong Kong's cybersecurity framework and aligns with global standards. We recommend that any entity that may be impacted by the Bill review its position with reference to the Bill, future guidelines (including the Code of Practice) and, to the extent relevant, alignment with global practices. We will continue to closely monitor the Bill's development and provide further details as they arise.

    With thanks to Alice Beveridge (Trainee) for her contribution to this article. 

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.