
Hong Kong's New Cybersecurity Law: Implications and Solutions

05 Aug 2025

On 19 March 2025, the Hong Kong Legislative Council passed the Protection of Critical Infrastructure (Computer System) Ordinance, which is set to come into effect on 1 January 2026. This ordinance marks a significant step in Hong Kong’s alignment with the global trend of enhancing cybersecurity and operational resilience. As businesses brace for its implementation, it’s crucial to understand the potential challenges and how to navigate them.

I. Key Provisions of the Ordinance

1. Definition of Critical Infrastructure (CI)

CI encompasses systems, facilities, and assets vital for society and the economy, categorized into two groups. Category 1 includes essential service sectors such as energy, IT, banking, transport, and healthcare. Category 2 covers any other infrastructure whose damage, loss of functionality, or data leakage could significantly impact critical societal or economic activities. The ordinance excludes certain government-operated essential infrastructure, such as water supply and emergency relief.

2. Designation of Critical Infrastructure Operators (CIO) and Critical Computer Systems (CCS)

CIOs are entities operating specified critical infrastructure. Determining CIO status involves factors such as the infrastructure's dependence on computer systems, data sensitivity, and the organization's level of control. CCS are designated computer systems essential to an essential service or a CIO's core functions. The Commissioner or Designated Authorities will designate CIOs and CCSs, and this information will not be made public.

3. Obligations for CIOs

  • Organizational Obligations:
    CIOs must maintain a physical office in Hong Kong, report office address changes, establish a dedicated security management unit (in-house or outsourced), and participate in security drills every two years.

  • Preventative Obligations:
    Inform the Commissioner of material changes to CCS, formulate a security management plan, conduct annual security assessments and biennial independent audits, and ensure CCS compliance even where third parties are involved.

  • Incident Reporting and Response Obligations:
    Maintain an emergency response plan, notify the Commissioner of security incidents within 12 hours for serious cases and 48 hours for others, and cooperate fully with investigations.

II. Potential Issues and Crises for Enterprises

1. Resource Allocation Challenges

Establishing a dedicated computer system security management unit, whether in-house or outsourced, requires significant financial and human resources. Small-scale CIOs may struggle to allocate the necessary funds, particularly when required to conduct regular security assessments and audits.

Participating in security drills every two years may disrupt normal business operations, leading to potential productivity losses.

2. Compliance Complexity

Keeping track of all the requirements, from reporting changes in CCS to formulating and updating security management plans, can be complex. The need to map current cybersecurity practices against the ordinance and fill any gaps adds another layer of complexity.

For businesses that rely heavily on third-party service providers, ensuring compliance becomes even more challenging, as they may be held liable for the actions or omissions of these providers.

3. Penalties for Non-Compliance

The financial penalties for breaching the ordinance are substantial, ranging from HKD500,000 to HKD5,000,000, with additional daily fines for continuing breaches. This can have a severe impact on a company’s financial health, especially for smaller enterprises.

Why SUPERHUB

As a trusted Managed Security Service Provider (MSSP), SUPERHUB delivers deep cybersecurity expertise and proactive managed support. We recognize that compliance is more than meeting legal requirements—it’s about building resilience, safeguarding data, and ensuring business continuity. 


SUPERHUB is committed to guiding businesses through their cybersecurity journey by offering expert consultation, tailored awareness training, regular security reviews, and strategic support to strengthen their overall security posture. 


Contact our Cloud Account Managers today to ensure your business is secure, compliant, and ready for the future.