On 28 March 2025, the Legislative Council's Protection of Critical Infrastructures (Computer Systems) Ordinance (Ordinance No. 4 of 2025), which includes cybersecurity regulation, entered into force with a grace period. With its publication in the gazette, the Ordinance was officially promulgated, but it will enter into full effect on a day designated by the Secretary for Security. The Ordinance establishes cybersecurity obligations for operators of critical infrastructures, including infrastructure that is essential to the continuous provision of certain essential services or which, if damaged, would hinder or substantially affect critical societal or economic activities in Hong Kong. Critical infrastructure operators will be required to set up a computer-system security management unit, conduct systemic risk assessments and security audits, participate in security drills, and implement an emergency response plan. Further, operators will in general need to notify security incidents within 48 hours of becoming aware of them, and within 12 hours if the incident entails disruptions to the core functions of the critical infrastructure. Operators who fail to do so can be liable for HKD 3 million on summary conviction and HKD 5 million on conviction on indictment.