Hong Kong: Cybersecurity regulation in Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025)

Progress

Current status

in grace period

01 Jan 2026 in force

28 Mar 2025 in grace period

19 Mar 2025 adopted

06 Dec 2024 under deliberation

Scope

Implementers

Hong Kong

Policy Area

Data governance

Policy Instrument

Cybersecurity regulation

Regulated Economic Activity

infrastructure provider: internet and telecom services

infrastructure provider: cloud computing, storage and databases

infrastructure provider: network hardware and equipment

infrastructure provider: other

Government Branch

executive

legislature

Government Body

central government

parliament

Implementation Level

national

Timeline of events

01 Jan 2026

in force

Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation enters into force

On 1 January 2026, the Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation enters into force following designation by the Secretary for Security. The …

Source

Event type law

Action type implementation

Government branch executive

Government body central government

28 Mar 2025

in grace period

Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation entered into force with grace period

On 28 March 2025, the Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation entered into force with a grace period. With its publication in the gazette,…

Source

Event type law

Action type in force with grace period

Government branch legislature

Government body parliament

19 Mar 2025

adopted

Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation adopted by Legislative Council

On 19 March 2025, Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation was adopted by the Legislative Council. The Ordinance establishes cybersecurity obligations for operat…

Source

Event type law

Action type adoption

Government branch legislature

Government body parliament

06 Dec 2024

under deliberation

Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation introduced to Legislative Council

On 6 December 2024, Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025) including cybersecurity regulation was introduced to the Legislative Council. The Ordinance would establish cybersecurity obligations f…

Source

Event type law

Action type introduction

Government branch legislature

Government body parliament

Progress

Scope

Timeline of events

Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation enters into force

Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation entered into force with grace period

Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation adopted by Legislative Council

Protection of Critical Infrastructures (Computer Systems) Ordinance including cybersecurity regulation introduced to Legislative Council

Related changes

related intervention is part of the same original policy

Hong Kong: Local operations requirement in Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025)