On 6 December 2024, the Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025), which includes cybersecurity regulation, was introduced to the Legislative Council. The Ordinance would establish cybersecurity obligations for operators of critical infrastructures, including infrastructure that is essential to the continuous provision of certain essential services or which, if damaged, would hinder or substantially affect critical societal or economic activities in Hong Kong. Critical infrastructure operators would be required to set up a computer-system security management unit, conduct systemic risk assessments and security audits, participate in security drills, and implement an emergency response plan. Further, operators would generally need to notify security incidents within 48 hours of becoming aware of them, and within 12 hours if the incident entails disruptions to the core functions of the critical infrastructure. Operators who fail to do so can be liable for HKD 3 million on summary conviction and HKD 5 million on conviction on indictment.