Hong Kong's new cybersecurity law – what you need to know
19 December 2024
On 6 December 2024 the Hong Kong Government gazetted the Protection of Critical Infrastructure (Computer System) Bill (the "Bill").
Hong Kong does not currently have any statutory requirements for protecting critical infrastructure operators' computer systems. This Bill, once passed, will impose obligations on operators of critical infrastructure and establish a Commissioner's Office to oversee and enforce the new regime – and will bring Hong Kong in line with the global trend of increasing regulatory scrutiny of and requirements for cybersecurity and operational resilience, as seen in other jurisdictions such as Australia, the EU, and the UK.
The Bill went through its first and second readings in the Legislative Council of Hong Kong ("LegCo") on 11 December 2024. It is expected to pass (either verbatim or substantially in its current form) upon the third reading, the date of which has yet to be announced. This article sets out further details regarding the Bill, and how you can prepare for its likely introduction.
Recently the Hong Kong Government has stated its aim of introducing a cybersecurity law for the protection of critical infrastructure. In particular, the Chief Executive (in his 2023 Policy Address) announced:
"To address the increasing risks of cyber-attacks globally, the Government is working to enhance the cybersecurity of our critical infrastructure, including energy, telecommunications, transportation, financial institutions, etc. We will introduce a bill into the Legislative Council for this purpose in 2024."
Such an aim is consistent with global regulatory developments, especially given the emergence of artificial intelligence and its potential for increasing the volume and heightening the impact of cyber-attacks.
A discussion draft of the Bill was prepared by the Security Bureau (the "SB") and introduced to the LegCo Panel on Security in June 2024. A subsequent consultation period held by the SB regarding that discussion draft received 53 written submissions from various stakeholders, mostly in support of the legislation or with positive suggestions. The SB also organised five consultation sessions (that were attended by nearly 200 stakeholders – including potential CIOs and cybersecurity service suppliers) during the consultation period.
The SB then presented a revised discussion draft to the LegCo Panel on Security in October 2024 ("Consultation Report") – leading to the Bill being gazetted.
It is anticipated that, once the Bill is passed, the Commissioner's Office will be established within 12 months and that the Bill will then take effect within 6 months after such establishment. The designation of the CIOs and the critical computer systems ("CCSs") will be carried out in a phased manner, with prior consultation and communication with the operators.
Throughout the process the Security Bureau has clearly stated that the Bill is only aimed at critical infrastructure, and is not aimed at SMEs or the general public.
The Bill covers two major categories of critical infrastructure (with express exclusions):

| Category | Scope |
| --- | --- |
| Category 1 | Infrastructure for delivering essential services in Hong Kong, e.g. banks, financial institutions, telecommunications service providers, electricity supply facilities, railway systems. |
| Category 2 | Other infrastructure for maintaining important societal and economic activities, e.g. major sports and performance venues, research and development parks. |
| Category 3 | The Bill does not apply to certain essential services that are operated by the government, such as water supply, drainage and emergency relief, on the basis that the government has already implemented internal policy guidelines that are comparable to the proposed requirements. |
The Bill will apply to organisations that are expressly designated by the Commissioner's Office as Critical Infrastructure Operators ("CIOs").
Designations from the Commissioner's Office will take into account various factors, such as the impact on essential services if the infrastructure is damaged, the level of dependence on information technology, the importance of data controlled by the infrastructure, the degree of control of the organisation over the infrastructure, and the potential cross-border implications. The Commissioner's Office will also consult with CIOs on what systems are essential and seek their assistance in determining the scope of the CCSs. The list of CIOs and CCSs will not be disclosed to the public.
The Bill imposes three categories of obligations on CIOs:

| Obligation | Key requirements |
| --- | --- |
| Organisational obligations | |
| Preventative obligations | |
| Incident reporting and response obligations | Note – the original discussion draft of the Bill had proposed requiring organisations to conduct a timely investigation into the nature and cause of a serious computer system security incident and notify the Commissioner's Office within two hours after becoming aware of the incident (or within 24 hours after the occurrence of other incidents). These requirements have been relaxed following the consultation period, where various respondents noted that it would be difficult for organisations to meet the original timing requirements. We note, however, that the Singapore Cybersecurity (Critical Information Infrastructure) Regulations do have a 2-hour notice period for notifying the relevant regulator. |
The Bill will establish a Commissioner's Office under the Security Bureau, headed by a Commissioner appointed by the Chief Executive. The Commissioner's Office will be responsible for:
The Bill also provides for the designation of certain existing regulators as designated authorities for some sectors, such as the Hong Kong Monetary Authority for the banking and financial services sector and the Communications Authority for the communications and broadcasting sector. The designated authorities will be responsible for monitoring the compliance of the CIOs in their respective sectors with the organisational and preventive obligations, while the Commissioner's Office will retain oversight of the incident reporting and response obligations. An area that we will continue to monitor (both in the eventual Code of Practice and on an ongoing basis) is how the relevant regulators will conduct such monitoring, given that various sectors have their own sector-specific cybersecurity requirements (e.g. the HKMA has (on 29 Nov) released a new supervisory policy module TM-C-1 on "Supervisory Approach on Cyber Risk Management", setting out its policy and expectations regarding how banks should consider and manage cyber risks).
The Bill will create offences for non-compliance with the statutory obligations, written directions or requests from the Commissioner's Office, or any investigation by the Commissioner's Office. The offences will only apply to organisations and not to individuals, unless they are involved in aiding, abetting, counselling or procuring the commission of the offences.
The penalties will comprise monetary penalties, ranging from HK$100,000 to HK$5,000,000, depending on the type of the offence. For some offences, there will be additional daily fines for continuing non-compliance. Whilst the lower range of these penalties aligns with the PRC, the maximum penalty significantly exceeds the range set out in the PRC Cybersecurity Law.
The Bill will establish an appeal board to allow CIOs to appeal against the designation of a CIO or a CCS or any written directions issued by the Commissioner's Office. The appeal board will consist of about 15 experts from the industry, cybersecurity and legal profession, appointed by the Chief Executive. The appeal board will be independent of the Commissioner's Office and will conduct hearings by three board members, who will be required to declare any conflict of interest and sign a non-disclosure agreement.
The Bill will also empower the Secretary for Security to specify certain matters by way of subsidiary legislation, such as the types of essential services, the designated authorities, the types of reportable incidents and the reporting timeframes (note that any subsidiary legislation will require LegCo approval).
Annex III of the Consultation Report included details on what the Code of Practice will include. Such Code will set out how the Bill will be enforced and how CIOs can comply with its obligations.
Key details set out in this Annex III include:
A key question that we have received is how the Hong Kong, Singapore and mainland China cybersecurity laws differ. To recap – the key cybersecurity laws in:
We set out below a high-level comparison of various positions under the key Hong Kong, Singapore and PRC cybersecurity laws.

| Topic | HK | SG | PRC |
| --- | --- | --- | --- |
| Scope and Definition of CI | Covers two categories: (1) infrastructure for delivering essential services in Hong Kong; and (2) other infrastructure for maintaining important societal and economic activities. | Covers 11 sectors of essential services: government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, maritime, and aviation. | Covers key network facilities and information systems in important industries (including public telecoms, energy, transport, water conservancy, finance, public services, and e-government) which, if compromised, will seriously endanger national security, the economy, people's livelihood, or public welfare. |
| Designation of Critical Infrastructure and Critical Computer Systems | Only expressly designated CIOs and CCSs will be regulated. The list of CIOs will not be disclosed. | Only expressly designated CIOs and CCSs will be regulated. The list of CIOs will not be disclosed. | Only expressly designated CI and CIOs will be regulated. The list of CI will not be disclosed. |
| Obligations of Critical Infrastructure Operators | CIOs must fulfil three categories of obligations: organisational, preventive, and incident reporting and response. | CIOs must fulfil four categories of obligations: compliance, audit, incident reporting and response, and participation in cybersecurity exercises. | CIOs must fulfil obligations including maintaining independent and specialised security management institutions, conducting cybersecurity detection and risk assessments at least once a year, and formulating internal security management systems, including background checks on key personnel and conducting training and skills assessments for employees. |
| Delegation of Regulatory Powers to Sector Regulators | Certain sector regulators will be designated as authorities to monitor the discharge of organisational and preventive obligations by CIOs in their respective sectors. The Commissioner's Office will take full charge of monitoring the incident reporting and response obligations of all CIOs. | The Commissioner of Cybersecurity may appoint sector regulators as assistant commissioners to exercise certain powers and functions under the legislation in relation to CIOs in their respective sectors. | The Cyberspace Administration of China (CAC) is the key authority, supported by public security departments and relevant departments of important industries. |
| Issuance of Code of Practice and Subsidiary Legislation | The Commissioner's Office will issue a code of practice to set out the proposed standards based on the statutory obligations. The Secretary for Security will specify or amend certain details relating to the powers of the Commissioner's Office or the statutory obligations of CIOs by way of subsidiary legislation. | The Commissioner of Cybersecurity will issue codes of practice and standards of performance to provide guidance on the measures to be taken by CIOs. The Minister for Communications and Information will make regulations for the purposes of the legislation. | The CAC issues regulations, guidelines, and national standards for the implementation of cybersecurity measures. |
| Investigation Powers | The Commissioner's Office will have powers to question, request information, enter premises, access and check the relevant computer systems, etc., for the purpose of investigating security incidents or offences under the legislation. | The Commissioner of Cybersecurity and the assistant commissioners will have powers to question, request information, enter premises, access and check the relevant computer systems, etc., for the purpose of investigating security incidents or offences under the legislation. | The CAC and other relevant authorities have powers to conduct inspections, request information and take necessary measures to investigate and address security incidents or offences under the legislation. |
| Appeal Mechanism | An appeal board will be established to allow CIOs to appeal against a designation as a CIO or CCS, or a written direction issued by the Commissioner's Office. | An appeal tribunal will be established to allow CIOs to appeal against a designation as a CIO or CCS, or a direction or decision issued by the Commissioner of Cybersecurity or the assistant commissioners. | CIOs can apply for administrative reconsideration by a higher administrative authority. If they are not satisfied with the outcome of the administrative reconsideration, they can file an administrative lawsuit with the People's Court. |
| Offences and Penalties | Violations under the legislation without reasonable excuse may result in fines ranging from HK$100,000 to HK$5 million. The offences and penalties will only be applicable to organisations, unless the relevant violations involve a breach of some existing criminal legislation. | Violations under the legislation without reasonable excuse may result in fines ranging from S$5,000 to S$100,000, or imprisonment for up to 10 years, or both. The offences and penalties may be applicable to both organisations and individuals, depending on the nature of the offence. | Penalties for non-compliance typically range from RMB 100,000 to RMB 1,000,000, depending on the offence in question. |
| Extraterritorial Application | The Cybersecurity Bill includes provisions for extraterritorial application, allowing the Commissioner's Office to take action against individuals and entities outside the jurisdiction if their actions have a significant impact on the cybersecurity of Hong Kong. It also applies to computer systems located outside Hong Kong if they affect the security of critical infrastructure within Hong Kong. | The Act has extraterritorial reach, enabling the Commissioner to take action against foreign entities and individuals whose activities threaten the cybersecurity of Singapore's critical information infrastructure. It applies to computer systems outside the jurisdiction if they impact the security of CIIs within Singapore. | The PRC cybersecurity laws have extraterritorial application, applying to foreign entities and individuals whose activities pose a threat to Chinese CI, and to computer systems located outside of China if they are seen to affect the security of Chinese CI. |
The Bill will have significant implications for the operators of critical infrastructure and essential services in Hong Kong, as well as their suppliers, customers and partners. The Bill will introduce new and stringent requirements for cybersecurity and operational resilience, as well as new regulatory oversight and enforcement mechanisms.
As the Consultation Report has indicated that requirements may be phased in, relevant operators should prepare for the Bill by:
Operators can also learn from the international experience and best practices of other jurisdictions that have similar or more advanced cybersecurity and critical infrastructure laws, such as Australia, the EU and the UK. These jurisdictions have adopted different approaches and standards for defining and regulating critical infrastructure and computer systems, imposing obligations and penalties, establishing regulatory authorities and functions, and providing guidance and support for the operators. Such examples and benchmarks can be used to anticipate and address the potential challenges and issues that may arise under the Hong Kong Bill.
Third-party providers which do not fall directly within the ambit of the Bill should also be aware of any trickle-down consequences, as companies that may be designated as CIOs review their cybersecurity policies. The Consultation Report noted that certain respondents expressed concerns that liability for the actions of third-party providers would be imposed on them. The Bill imposes obligations on CIOs to conduct due diligence on their third-party providers, include contractual obligations for cybersecurity standards, and monitor and audit the cybersecurity practices of third parties. Additionally, third-party providers to CIOs will be obligated to report cybersecurity incidents to CIOs. Third-party providers who may be contracting with CIOs should therefore also review their own cybersecurity practices and how they can comply with the Bill.
The Bill aims to enhance Hong Kong's cybersecurity framework, and aligns with global standards. We recommend that any entity that may be impacted by the Bill should review their position, both with reference to the Bill, future guidelines (including the Code of Practice) and alignment with global practices (to the extent relevant). We will continue to closely monitor the Bill's development and provide further details as they arise.
With thanks to Alice Beveridge (Trainee) for her contribution to this article.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.