The new law introduces strict security measures and rapid incident reporting for critical infrastructure operators but raises concern about the government's broad investigatory powers and possible threats to free speech.

Hong Kong’s Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill 2025 (PCIB 2025) on 20 March 2025. PCIB 2025 – expected to take effect in 2026 – aims to regulate critical infrastructure operators (CIO) and safeguard “critical” computer systems (CCS).
Under PCIB 2025, designated critical operators across eight sectors from information technology to financial services are required to have plans in place for responding to computer system threats and reporting serious cybersecurity incidents within twelve hours, among other obligations.
It follows a spate of cybersecurity incidents that caused disruption in Hong Kong last year, impacting universities, NGOs, and hospitals.
A new Commissioner’s Office will be established to oversee PCIB 2025, while some existing regulators, including the Monetary and Communication authorities, will be designated to carry out certain statutory functions in the sectors they already oversee.
CIOs that breach their new security obligations could be fined up to HK$5 million (US$640,000) under PCIB 2025, with additional daily penalties in some circumstances.
Chris Tang, the security chief of the Asian financial hub, asserted that PCIB 2025 is "definitely not to target personal information or commercial secrets." However, human rights and free speech organisations have warned of the broad investigatory powers it grants to the government and argue it may be used to suppress free speech, particularly if messaging platforms or internet exchanges are designated. Government systems are exempt from PCIB 2025.
Under PCIB 2025, authorities may seek a court warrant to connect to systems or require CIOs to submit to certain requirements, such as installing programmes onto CCS. The Commissioner’s Office may also demand that CIOs hand over unspecified “relevant information” if it suspects that an offence has occurred, without requiring a warrant.
Who does PCIB 2025 apply to?
PCIB 2025 will only apply to expressly designated “critical infrastructure” (CI), CIOs and CCSs. Critical infrastructure is defined as that which is essential to the continuous provision in Hong Kong of an essential service in any of the following eight sectors:
- energy;
- information technology;
- banking and financial services;
- air transport;
- land transport;
- maritime transport;
- healthcare services; and
- telecommunications and broadcasting services.
In addition, the law will apply to any other infrastructure that, if damaged, loses functionality or experiences a data leak, could hinder or otherwise substantially affect the maintenance of critical societal or economic activities.
When designating CIOs, authorities will consider factors such as:
- the CI’s dependency on computer systems;
- the sensitivity of digital data controlled by the organisation regarding the CI it provides; and
- the extent of control the organisation has over the operation and management of the CI.
Key provisions
PCIB 2025 imposes a host of obligations on designated CIOs aimed at safeguarding computer systems and minimising the likelihood of essential services being disrupted or compromised by cyberattacks.
Organisational obligations
PCIB 2025 requires all CIOs to maintain an office in Hong Kong. They must also notify the regulating authority of any changes related to the CI they operate as soon as possible and within 1 month of the change occurring.
CIOs must ensure they have in place a “unit” for managing the security of their CCS. They may establish and operate the security management unit (SMU) in-house or enlist the services of a third party. In either case, CIOs are required to designate an employee with “adequate professional knowledge in relation to computer system security” to oversee the SMU and notify the regulator of that employee’s identity.
Preventative obligations
PCIB 2025 obliges CIOs to notify the regulator within one month of material changes to their CCS, including material alterations to its design, configuration, security or operation, or if a CCS is removed.
CIOs must also have a plan in place for protecting the security of CCS and submit those plans to the regulating authority. Among other requirements, the plan must include measures for:
- detecting security threats and incidents;
- controlling access to the computer system; and
- protecting the information stored, transmitted or processed by the computer system.
CIOs are required to conduct a computer system security risk assessment at least once a year and arrange for an independent computer system security audit to be carried out at least once every two years.
Incident reporting and response obligations
CIOs must participate in computer system security drills organised by the Commissioner.
They must also prepare and submit emergency response plans for handling computer system security incidents, including:
- the structure, roles and responsibilities of the team responsible for responding to computer system security incidents;
- the procedures for reporting computer system security incidents; and
- the procedures for investigating the cause and assessing the impact of computer system security incidents.
Finally, CIOs must notify the Commissioner of any security incidents that impact their CCS within the timeframes specified under PCIB 2025. Notifications must be made as soon as possible and no later than 12 hours following serious incidents or 48 hours for other incidents.
A further written report must be submitted within 14 days of the date on which the incident was detected.