Author

Chris Davis is a freelance journalist who writes for business titles in Asia

Following almost two years of deliberations, amendments and clarifications, against a global backdrop of escalating cyberattacks, Hong Kong SAR has enacted its first cybersecurity law. It requires compliance in three areas: internal organisational structure, preventive system testing and incident response.

Modelled on frameworks implemented in the UK, the US and the European Union, the Protection of Critical Infrastructures (Computer Systems) Ordinance is set to take effect on 1 January 2026. It imposes statutory requirements on designated organisations in eight sectors identified as key infrastructure systems crucial to the normal functioning of society: energy; information technology; banking/financial services; healthcare; communications; and maritime, land and air transport. The law also includes infrastructure where the loss of functionality or data leakage could have an impact on the Hong Kong economy – for example, major sports and performance venues.

With fines of up to HK$5m (US$640,000) for failing to maintain cybersecurity safeguards, plus daily penalties for a continuing offence, financial penalties will be imposed at the organisational level rather than an individual level. To oversee compliance, a new commissioner’s office will be established alongside designated authorities such as the Hong Kong Monetary Authority to regulate organisations deemed to be critical infrastructure operators.

To keep pace with cybersecurity threats, the regulating authorities may issue compliance directions to organisations under their remit. As they play a key role in assisting their organisations with incident prevention and response efforts, accountants – particularly accountants working in audit firms and critical infrastructure organisations – could be subject to the new law.

Requirements

Organisations that come under the scope of the new law are required to set up a computer-system security management unit, formulate cybersecurity plans, conduct risk assessments at least once a year and report any security incident to the government. Critical infrastructure operators must notify the government within 12 hours of becoming aware of a serious breach that ‘disrupts core function of the critical infrastructure’, and report less serious incidents within 48 hours.

While Hong Kong government departments and systems are excluded from the new law, grey areas surround which organisations in the eight sectors will be designated as critical infrastructure operators. The list of designated operators will not be made public to protect them from potentially being targeted by cybercriminals.

According to a recent survey conducted by Hong Kong’s Office of the Privacy Commissioner for Personal Data, nearly 70% of the surveyed enterprises had experienced at least one type of cyberattack in the past 12 months. Phishing was the most common type of attack among those organisations that reported cyberattacks.

In terms of cybersecurity readiness – based on policy and risk assessment, technology and process control, and ‘human awareness building’ – the financial services sector (68.3 points) met the criteria for the ‘managed’ level of cybersecurity. Retail and tourism (45.3 points) and professional services (46.0 points) were the lowest-rated business sectors, both falling below the 50-point threshold for the ‘basic’ level. With the overall index rating for human awareness building currently at just 30.9 points, despite a 5.7-point year-on-year improvement, the human factor remains a pivotal element in determining the success or failure of cybersecurity strategies and defences.