How Hong Kong’s first cybersecurity law reshapes the protection of essential digital systems
Hong Kong has taken a major step toward strengthening its cybersecurity posture with the enactment of the Protection of Critical Infrastructures (Computer Systems) Ordinance (PCICSO). This landmark legislation, the city's first law dedicated to cybersecurity, creates a regulatory framework to safeguard the computer systems that power essential services. The Ordinance came into full operation on 1 January 2026.
In this blog, we break down what the Ordinance covers, why it matters, and what critical infrastructure (CI) operators must do to comply.
1. Why This Ordinance Matters
Hong Kong’s essential services (transport, healthcare, finance, telecommunications and more) rely heavily on interconnected digital systems. This dependence widens the attack surface available to adversaries: a successful intrusion into one of these systems could cause severe disruption to daily life, economic loss and public safety impacts.
The Ordinance aims to:
- Prevent disruptions to essential services caused by attacks on digital systems.
- Strengthen citywide resilience against cyber threats.
- Ensure CI operators implement consistent, robust cybersecurity measures.
By embedding these obligations in law, Hong Kong aligns itself with global cybersecurity trends and international standards.
2. Legislative Background
The Protection of Critical Infrastructures (Computer Systems) Ordinance was developed through:
- Public consultations (2024).
- Legislative deliberations in the Legislative Council, leading to passage on 19 March 2025.
- Commencement notice gazetted on 27 June 2025.
The law is part of a broader government response to rising cyber incidents, including 61 hacking-related data breaches reported in Hong Kong in 2024.
3. What Counts as “Critical Infrastructure”?
Under the Ordinance, critical infrastructure falls into two categories:
Category A: Infrastructures Delivering Essential Services in Eight Designated Sectors
These sectors include:
- Energy
- Information technology
- Banking and financial services
- Land transport
- Air transport
- Maritime transport
- Healthcare services
- Communications and broadcasting
The disruption of any of these sectors would significantly impact society.
Category B: Infrastructure Supporting Societal & Economic Activities
Examples include:
- Major sports and performance venues.
- Major technology parks.
Damage or data leakage in such systems may hinder Hong Kong’s critical societal and economic functions.
4. Who Are “CI Operators”?
A CI operator (CIO) is an organization designated by the regulating authority as operating a critical infrastructure. Designation takes into account factors such as:
- Dependence of core operations on computer systems.
- The sensitivity of controlled data.
- The level of operational and management control over the infrastructure.
- Information supplied for compliance.
Importantly, the government will not publicly disclose the list of designated CI operators. Publishing it would hand attackers a ready-made target list, so designation is communicated to each operator individually.
5. Regulatory Authorities
The Ordinance empowers:
1. The Commissioner of Critical Infrastructure (Computer-system Security).
Responsible for designating CI operators and critical computer systems, issuing directions, enforcing statutory obligations, and overseeing CI security citywide.
2. Designated Authorities.
Depending on the sector, an existing sector regulator (for example the regulator for banking or for communications and broadcasting) may be designated to oversee the CI operators and systems in that sector in place of the Commissioner.
These authorities may issue codes of practice, require information disclosure, or conduct security inspections.
6. Key Obligations for CI Operators
The PCICSO imposes three major categories of statutory obligations.
Category 1: Organizational Obligations
CI Operators must:
- Maintain an office in Hong Kong.
- Notify authorities of operator changes.
- Establish and maintain a computer system security management unit, headed by a dedicated supervisor.
Category 2: Preventive Obligations
CI Operators must:
- Notify the authority of material changes to their critical computer systems.
- Submit and implement a computer system security management plan.
- Conduct regular risk assessments.
- Arrange security audits of their critical systems.
The intent is that vulnerabilities are found and addressed proactively, through scheduled assessment and audit, rather than only after an incident.
Category 3: Incident Reporting & Response
To prepare for and respond to incidents, CIOs must:
- Participate in computer system security drills organized by the Commissioner.
- Submit and implement an emergency response plan.
- Report computer system security incidents to the Commissioner within the statutory time-frame, which is measured in hours from the operator becoming aware of the incident (a shorter deadline applies to serious incidents than to other incidents).
The drill and planning duties apply on an ongoing basis, not only after an incident has occurred. Together, the three duties are meant to support rapid containment, recovery, and transparency with the regulator.
7. Offenses and Penalties
The Ordinance imposes penalties (fines) on the organization, not on individual employees. Offenses may relate to:
- Failure to provide required information.
- Failure to fulfill designated duties.
- Non-compliance with official directions or codes of practice.
The objective is compliance and systemic protection, not punishment of individuals.
8. Implications for Businesses
The Ordinance represents a major compliance shift. Businesses operating within the designated sectors, and those likely to be designated, must ensure:
- Mature cybersecurity governance.
- Adequate staffing and expertise.
- Ongoing monitoring and audits.
- Clear incident response structures.
Even companies that have not been designated should assess whether they may fall under the CI categories in future as digital dependencies evolve, and suppliers to designated operators should expect security requirements to flow down to them through contracts and audits.
9. Conclusion
Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance marks a turning point in the city’s cybersecurity landscape. By establishing legally enforced standards for safeguarding essential digital systems, the legislation enhances societal resilience and ensures that critical services remain secure and uninterrupted.
Whether you are a CI operator, a technology provider, or part of a supporting supply chain, understanding and preparing for the Ordinance’s requirements is vital.
We provide managed cybersecurity services and compliance services designed specifically to help organizations meet Hong Kong’s critical infrastructure cybersecurity requirements — efficiently, securely, and defensibly.