On March 19, 2025, the Protection of Critical Infrastructures (Computer Systems) Bill was passed in LegCo, aiming to protect Hong Kong's critical infrastructures from cyberattacks.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
On March 19, 2025, the Protection of Critical Infrastructures (Computer Systems) Bill was passed in LegCo. The bill aims to ensure that critical infrastructures ("CIs") in Hong Kong have adequate measures in place to protect their computer systems, thereby maintaining the normal functioning of society and the economy.
This legislation is designed to address the increasing vulnerability of CIs to cyberattacks, which can have significant consequences for public safety and economic stability.
The bill establishes a regulatory framework for CIs in Hong Kong, specifically focusing on their computer systems. It identifies two categories of CIs: infrastructures for the continuous provision of essential services and infrastructures for maintaining critical societal and economic activities.
The bill mandates that operators of these infrastructures, known as Critical Infrastructure Operators ("CIOs"), establish management units to oversee computer-system security, conduct risk assessments, and implement incident response plans. Additionally, CIOs are required to report security incidents to the Commissioner, who will oversee the implementation of this regulatory framework.
To enhance compliance and enforcement, the bill outlines specific obligations and penalties for non-compliance. These include fines ranging from HK$500,000 to HK$5 million, with additional daily fines for persistent non-compliance.
The Commissioner, assisted by designated authorities ("DAs") for certain sectors, will have broad powers to investigate and respond to security incidents and ensure compliance with the legislation. The bill also provides for an independent appeal mechanism, allowing CIOs to contest designations or directives.
Finally, the bill empowers the Secretary for Security to specify and amend subsidiary legislation as needed for the bill’s implementation. This comprehensive approach aligns with international standards and best practices in safeguarding critical infrastructure computer systems.