How are businesses preparing for Hong Kong’s cybersecurity law?

Updated as of: 12 November 2025

New cybersecurity obligations take effect in Hong Kong in January. Industry experts at the Hong Kong Cyber Security Summit shared tips on how to comply ahead of the deadline. 

Key takeaways

  • Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance 2025 takes effect on 1 January 2026.
  • In-scope sectors should invest in resources, integrate AI tools, and engage with regulators to strengthen cyber defences.
  • While re-examining cyber strategies, businesses should harness human-AI collaboration to boost efficiency. 


From 1 January 2026, operators in sectors such as energy, healthcare, and financial services must comply with new cybersecurity obligations under the Protection of Critical Infrastructures (Computer Systems) Ordinance 2025. Non-compliance could result in fines of up to HK$5 million (US$640,000).

As the deadline approaches, cybersecurity experts and government officials shared tips for compliance at the Hong Kong Cyber Security Summit, held on 6 and 7 November 2025. 

Key features of the Ordinance

The Ordinance, passed on 19 March 2025 and effective from 1 January 2026, applies to designated critical infrastructure operators (CIOs). Key obligations include responding to computer system threats and reporting serious cybersecurity incidents within 12 hours to the Commissioner’s Office. Lexology PRO examined the Ordinance’s key provisions here.

The Ordinance aims to “turn cybersecurity best practices into legally binding requirements,” according to keynote speaker Francis Chan, assistant director of the Commissioner’s Office under the Hong Kong Security Bureau.

He also stressed the importance of “early-stage preparations” and health checks as key to strengthening cybersecurity resilience. 

Since May 2025, the government has collaborated with “major stakeholders” to develop a Code of Practice for CIOs, Chan shared with delegates. The final draft was completed on 4 November 2025 and will be released on 1 January 2026. 

Chan explored the two “types” of critical infrastructure required to comply with the new law. The first is the eight essential sectors, including IT, transport, and telecoms. The second covers “infrastructures maintaining societal and economic activities that are critical”. He clarified that “systems like HR are not included.”

Chan outlined three categories of obligations that CIOs must follow under the new Ordinance. Each group of obligations is overseen by a different authority, depending on the sector. Banking and financial services institutions are monitored by the Hong Kong Monetary Authority, whilst telecoms and broadcasting companies will be overseen by the Communications Authority.

For companies outside these sectors, implementation of the Ordinance will be overseen by the Commissioner’s Office. Implementation of the third category, namely incident reporting and response, will “be the sole responsibility of the Commissioner’s Office” for all companies covered by the Ordinance.

How are companies responding? 

During a panel discussion, cybersecurity experts from the finance, energy, and healthcare sectors shared practical insights on meeting the security obligations.  

Re-examining cybersecurity strategies

CIOs are actively refining their cybersecurity strategies to meet the legal requirements. “Classifying and protecting critical data is one of the key focuses,” remarked Tony Ma, chief information security officer at the Hospital Authority of Hong Kong. He added that the organisation is also formalising its compliance processes by establishing clear timelines for reviews and implementing a structured response mechanism for cyber incidents.

Investing in cybersecurity resources 

Businesses are advocating for greater resources and management support. 

“Previously, proposals for best practices or increased investment might have been deprioritised, but now, we can use this opportunity to fight for different resources within the company and [from] the top management,” said Michael Cheung, director of cyber security operations at CLP Holdings.

Integrating AI technology 

CIOs are incorporating AI technology into their cybersecurity strategies. The Hospital Authority’s Ma noted that using AI tools to filter threat intelligence boosts efficiency, while generating realistic phishing scenarios for staff training raises employee awareness.

Financial institutions are advancing from signature-based detection to behaviour-based and predictive analysis. “Instead of looking for a pattern, we can learn the behaviour and see if there are any variations,” said Ricky Woo, executive director and chief information security officer at DBS Hong Kong.

Cybersecurity software tools like user and entity behaviour analytics can help flag unusual patterns, such as abnormal access times or geographic anomalies, that may signal internal threats, added Woo. 
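The behaviour-based approach Woo describes differs from a fixed rule in one respect: the reference point is each account’s own history rather than a global threshold. The following is an added example, not code from the summit, from DBS or from any UEBA product. It learns a per-user baseline of login hours and countries from a training window of constructed sign-in events (user names, timestamps, countries and the two-hour tolerance are all invented for illustration) and then flags later events that fall outside that baseline, so a 9 a.m. login is normal for one user and anomalous for another who only ever signs in at night.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real data): (user, UTC timestamp, country code).
EVENTS = [
    ("alice", "2025-11-03T09:12:00", "HK"),
    ("alice", "2025-11-04T08:55:00", "HK"),
    ("alice", "2025-11-05T10:03:00", "HK"),
    ("alice", "2025-11-06T09:30:00", "HK"),
    ("bob",   "2025-11-03T22:05:00", "HK"),
    ("bob",   "2025-11-04T23:10:00", "HK"),
    ("bob",   "2025-11-05T22:40:00", "HK"),
    ("bob",   "2025-11-06T22:15:00", "HK"),
    # Events on or after the cutoff are scored against the learned baseline.
    ("alice", "2025-11-07T03:14:00", "HK"),  # alice never logs in at night
    ("alice", "2025-11-07T11:02:00", "RO"),  # alice has only been seen from HK
    ("bob",   "2025-11-07T22:30:00", "HK"),  # normal for bob
    ("bob",   "2025-11-08T09:05:00", "HK"),  # 9 a.m. is normal for alice, not for bob
    ("carol", "2025-11-08T10:00:00", "HK"),  # no history at all
]

BASELINE_CUTOFF = datetime(2025, 11, 7)  # hypothetical: events before this form the baseline
HOUR_TOLERANCE = 2                       # hypothetical: hours either side of a seen login hour


def parse(ts):
    """Parse an ISO 8601 timestamp string into a naive datetime."""
    return datetime.fromisoformat(ts)


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Learn, per user, the login hours and countries seen during the training window."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        when = parse(ts)
        if when < cutoff:
            baseline[user]["hours"].add(when.hour)
            baseline[user]["countries"].add(country)
    return dict(baseline)


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_events(events, baseline, cutoff=BASELINE_CUTOFF, tolerance=HOUR_TOLERANCE):
    """Return (user, ts, reasons) for post-cutoff events that deviate from the user's baseline."""
    findings = []
    for user, ts, country in events:
        when = parse(ts)
        if when < cutoff:
            continue  # training data, not scored
        profile = baseline.get(user)
        if profile is None:
            # An account with no history cannot be compared; surface it for review.
            findings.append((user, ts, ["no_baseline"]))
            continue
        reasons = []
        if all(hour_distance(when.hour, h) > tolerance for h in profile["hours"]):
            reasons.append("unusual_time")
        if country not in profile["countries"]:
            reasons.append("new_country")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in score_events(EVENTS, build_baseline(EVENTS)):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Running it reports alice’s 03:14 login (unusual time), her login from RO (new country), bob’s 09:05 login (unusual time for him) and carol (no baseline); bob’s 22:30 login passes because late evening is his normal pattern. In practice the baseline would be rebuilt on a rolling window and the tolerance tuned per population, but the core idea is the same: the comparison is against the entity’s own behaviour, not a static signature.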

Key takeaways for CIOs

Maximise human-AI collaboration

Acknowledging the challenges CIOs may face ahead of the January compliance deadline, Chan urged the use of AI tools to help “monitor network traffic, user behaviour, and system logs to detect anomalies in real time.” He stressed the importance of human supervision in code reviews and strong defence mechanisms against phishing attacks. 

DBS’ Woo further reinforced this point, saying: “Even with AI in place, it’s essential to have human oversight to ensure decisions and analysis outcomes make sense. If something goes wrong, the responsibility ultimately lies with the bank, not the AI model.”

Chan also noted the challenges posed by legacy systems. “We know it may not be feasible to apply the security by design principle when the ordinance comes into effect”, but organisations should eventually overhaul these systems so that “when they replace the system or have [made] further developments, this principle has to be taken into account.”  

Raise awareness around the importance of cybersecurity 

The Ordinance should be a catalyst to raise managerial awareness: “Cybersecurity is no longer a good-to-have. It is a must-have,” said Chan, urging companies to “explain to senior management how important this piece of legislation is and the kind of resources and support you need in meeting the obligations.”

Beyond senior management, non-critical infrastructure stakeholders within companies must also understand the need for robust cybersecurity. 

“Now is a good time for everybody to meet the baseline and then align our efforts. It also gives a clear target for service providers what the prospects may be, how you can work to help CIOs providing services and solutions to make Hong Kong safer,” he concluded.

Maintain open communication with regulators

Effective dialogue with regulators is vital. Ma pointed out that “the most important part is the communication with the regulators. The key challenge lies in defining what qualifies as critical.”

The Security Bureau’s Chan echoed that organisations should “use whatever international or national standards that is applicable to your sector or your organisation, but it has to come up with comparable results in meeting the obligations.”
