Emerging cybersecurity risks across APAC: key considerations for businesses

Updated as of: 16 May 2025

Strengthening cyber supply chain security, implementing effective preventative measures, and ensuring necessary licensing are some key considerations for businesses as cybersecurity laws are strengthened across APAC.

Cybersecurity remains one of the most significant challenges businesses face. According to the Logicalis 2025 Chief Information Officer Report, which surveyed 1,000 global IT leaders, 91% of Asia-Pacific (APAC) organisations experienced a cybersecurity incident, while 53% encountered multiple breaches in the past 12 months. The report underscores the persistent threat of cyberattacks across the region. In March 2025, Malaysia’s Kuala Lumpur International Airport became the latest target of a cyberattack that disrupted its computer systems, with the attackers demanding a US$10 million ransom.

In response to heightened cyberthreats, regulators in the APAC region are taking steps to enhance cybersecurity protections. For example, China has proposed expanded responsibilities for critical information infrastructure security providers, Hong Kong has mandated cybersecurity obligations in crucial sectors like energy, IT, and banking, and Japan has planned strengthened information sharing about cyber incidents. 

Lexology PRO takes a look at recent regulatory changes and key considerations for businesses. 

How do cybersecurity requirements compare across the region?

Japan was among the early movers in developing cybersecurity legislation, with the Cybersecurity Basic Act 2014. Some nations, like Vietnam, approach cybersecurity through data localisation requirements, while others, like Singapore, take a “light-touch approach” in their licensing framework for cybersecurity service providers. The licensing framework aims to ensure providers are “fit and proper” to reduce safety and security risks, with future plans to introduce a code of ethics and baseline competency requirements. More recently, other jurisdictions have implemented more stringent cybersecurity obligations for businesses, such as Hong Kong’s first cybersecurity law, Australia’s Cyber Security Act 2024, and Malaysia’s Cyber Security Act 2024.

Japan takes a two-pronged approach, which would allow regulators to take pre-emptive actions against cyber threats. In April 2025, the House of Representatives passed two legislative bills, coined the Active Cyber Defence initiative. The first bill intends to establish an oversight committee to enhance information gathering and threat analysis. The second bill seeks to empower Japan’s military and law enforcement authorities (Japanese language only) to take preventive measures against cyber threats.

In China, the Cyberspace Administration released the draft amendment (simplified Chinese language only) to the Cybersecurity Law 2016, the consultation on which ended on 27 April 2025. Key proposed changes include expanding the legal responsibilities for critical infrastructure operators to ensure the security of their network operations, information systems, and the protection of personal and important data. The draft law raises the penalties for general offences, increasing the maximum amount from one million yuan (US$138,468) to ten million yuan (US$1.38 million).

Hong Kong gazetted the Protection of Critical Infrastructure (Computer Systems) Ordinance on 27 March 2025. Set to take effect on 1 January 2026, the law outlines cybersecurity standards for eight critical sectors, including transport, healthcare, telecommunications and so on. The government aims to establish a new Commissioner of Critical Infrastructure by Q1 2026. Under the law, critical infrastructure operators must establish a security management unit to oversee cybersecurity, conduct security risk assessments and audits, and report serious security incidents within 12 hours.

On 4 March 2025, the Australian government published three rules under the Cyber Security Act 2024. One rule establishes mandatory security standards for smart devices, which will take effect on 4 March 2026. The other two rules, covering ransomware payment reporting and the creation of a cyber incident review board, will enter into force on 30 May 2025. The law, which came into force on 29 November 2024, is the country’s first standalone cybersecurity legislation. Under the law, businesses must report any cybersecurity incident where they paid an extortion demand. The reporting obligation covers a broad range of attacks beyond just ransomware, such as “denial of service” or malware attacks.

The Indonesian government is drafting a bill on cybersecurity and cyber resilience to strengthen cyberspace protection, Deputy Minister of Communications and Digital Nezar Patria said in March 2025. The draft bill, if enacted, would introduce cybersecurity obligations to services like telecommunications, data centres, digital services, and other infrastructure. Such obligations include establishing governance, implementing security standards, and conducting a security assessment. However, the bill has been in the pipeline since 2019.  

Is your business ready for a cyberattack?

Strengthen cyber supply chain security 

Regulators have increased their scrutiny and oversight of cyber products and services, especially since the global CrowdStrike outage in July 2024, in which a faulty internal software update affected up to 8.5 million systems around the world. Businesses should prioritise ensuring the security and reliability of their technology supply chains to prevent similar network security risks. For instance, China’s draft amendment focuses on regulating the sale and use of key network equipment and security products. Companies operating in sectors such as finance, healthcare, energy, and telecommunications should conduct thorough reassessments of their processes and protocols for procuring, developing, using and managing any network equipment or services to mitigate potential vulnerabilities.

Implement effective preventative measures 

Regulators in APAC are also placing a heightened emphasis on the implementation of robust preventative cybersecurity measures by businesses. For instance, Hong Kong’s Cybersecurity Ordinance requires critical infrastructure operators to implement preventative measures. Such rules highlight the need for a comprehensive computer system security management plan. The plan should include processes like computer system security assessment, technical measures for computer viruses, and disaster recovery backups. Additionally, companies should maintain comprehensive documentation of their systems’ vulnerabilities and conduct regular security testing to fortify their security networks.

Ensure necessary licensing for cybersecurity service providers

As companies increasingly rely on third-party providers for their computer systems, both physical and virtual, businesses should ensure that service providers comply with the relevant cybersecurity regulations and obtain necessary licensing. For example, Singapore’s amended Cybersecurity Act, which parliament passed in May 2024, now covers a broader scope of computer systems, including those that handle temporary cybersecurity concerns, sensitive information impacting national interests, and essential services for citizens’ day-to-day needs. Companies should conduct thorough due diligence on their third-party cybersecurity service providers, including verifying their licensing status, reviewing their security controls and incident response protocols, and assessing their compliance with cybersecurity regulations.  
