Hong Kong’s long-anticipated Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (Ordinance) came into effect on 1 January 2026, with the simultaneous establishment of the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner), marking a pivotal advancement in Hong Kong’s cybersecurity regime.
It is accompanied by the Commissioner’s Code of Practice (Code), which serves as an important benchmark for assessing compliance with the Ordinance.
While the Ordinance and the Code primarily target critical infrastructure operators (CIOs), their impact is far-reaching. CIOs have to enforce similar standards on their suppliers for supply chain management. Sectors and organisations that do not fall within the ambit of the Ordinance should still refer to the Code as guidance for best practice.
The Ordinance
The Ordinance targets critical infrastructure relating to services that are vital for Hong Kong’s everyday life, including energy, information technology, transport (air, land and maritime), finance, healthcare, and telecommunications and broadcasting services.
In addition, major sports and performance venues and research and development parks are also regarded as critical infrastructures under the Ordinance.
CIOs are subject to three categories of statutory obligations:
- Category 1 (Organisational)
- Category 2 (Preventive)
- Category 3 (Incident Reporting and Response)
Non-compliance with the statutory obligations or the Commissioner’s requests/directions constitutes a criminal offence. CIOs could be subject to a fine ranging from HK$300,000 to HK$5 million, with daily fines applicable for continuing offences.
The Code of Practice
CCSs and Organisational Requirements
The key purpose of the Ordinance is to regulate critical computer systems (CCSs) managed by CIOs. CIOs have to determine whether a computer system constitutes a CCS, taking into consideration the role and core function of the system, the extent of its relatedness with other computer systems, and the extent of its relatedness with other CIOs.
The Code also provides some examples - CCSs may include systems that:
- Store or process sensitive digital data used directly in the provision of banking or medical services.
- Directly protect the security or strengthen the resilience of other CCSs (e.g. security gateway or firewalls and backup facilities in high-availability systems).
Under the Code, operational technology systems, such as data acquisition systems, distributed control systems or programmable logic controllers, are computer systems and may therefore be regarded as CCSs. This is important because the Commissioner may consider a CIO’s computer systems holistically, IT and OT alike, in determining whether a system constitutes a CCS.
Further, the supervising employee of the Security Management Unit, responsible for maintaining the CCSs, should possess appropriate professional qualifications (e.g. CISP, CISA, CISM or CISSP) and relevant experience.
In the event there are material changes to a CCS, the CIO is required to notify the Commissioner, e.g. where the CIO embarks on platform migration, server virtualisation, major version upgrades, or application re-design.
Management Plan and ERP
CIOs need to implement a Management Plan that is approved by the CIO’s Board, and reviewed at least biennially or after major changes, to ensure its effectiveness and validity.
The Code sets out numerous areas that the Management Plan should address. Given the breadth and technical detail of these areas, seeking legal advice and input is strongly encouraged to assist in formulating the Management Plan, especially in relation to:
- Policies, standards and guidelines: CIOs are required to establish enforceable computer-system security policies, standards, and guidelines which align with business needs, statutory requirements and international standards.
- Supply Chain Management: CIOs should ensure all suppliers adhere to a defined set of security requirements, e.g. by contractual terms incorporating the standards required by the Code. Further, CIOs should enter into confidentiality and non-disclosure agreements with their suppliers to protect sensitive data.
- Cloud Computing Security: CIOs should treat external cloud services for CCSs as part of the supply chain and require service providers to comply with the relevant standards of the Code by contractual terms. CIOs should define the shared responsibilities for security of CCSs between CIOs and the cloud service suppliers.
- Training: CIOs are required to formulate regular security awareness training for personnel handling CCSs, covering policies, incident reporting, and role-specific responsibilities. The training programme should be reviewed and updated regularly to reflect changing regulations and compliance requirements.
CIOs will also need to implement an emergency response plan (ERP) that is endorsed by their board of directors and which addresses:
- Incident management: CIOs are required to set out the processes adopted to manage an incident, including detection, triage and classification, containment, eradication, recovery, communications, evidence preservation, and post‑incident review.
- Business continuity management and disaster recovery: CIOs are required to set out the arrangements adopted to maintain business continuity, such as use and regular testing of backups, use of alternative sites for data resumption, and staff training.
Assessments, Audits and Drills
CIOs are expected to carry out security risk assessments and security audits, and to participate in security drills, that satisfy the basic requirements set out in the Code:

| | Security Risk Assessment | Security Audit | Security Drill |
|---|---|---|---|
| Nature/purpose | Identify weaknesses; prioritise risks and mitigation. | Assess the Management Plan and overall security health. | Assess the ERP and readiness in responding to incidents. |
| Timing | Annually; report within 3 months. | Every 2 years; report within 3 months. | On the Commissioner’s written notice; no more than once every 2 years. |
| Requirements | Vulnerability scans and penetration tests, or alternative vulnerability identification activities. | Verification that existing protections perform properly, and an opinion on the security condition. | Assess the validity and effectiveness of the ERP, and the CIO’s knowledge in managing and responding to incidents. |
| Conducted by whom | Professionals with credentials such as CREST or Open Source Security Testing Methodology Manual (OSSTMM) certification. | External auditors with relevant experience and qualifications (e.g. CISA, CISM or CISSP), or a sufficiently independent internal audit team. | Organised by the Commissioner; may involve multiple CIOs in the same or different sectors. |
Incident Reporting and Response
If any of the CCSs are compromised in a cybersecurity incident, CIOs must notify this to the Commissioner within the requisite timeframes:
- For a serious incident, which is an incident that has disrupted, is disrupting or is likely to disrupt the core function of the CI, within 12 hours after becoming aware of the incident.
- For other incidents, within 48 hours after becoming aware of the incident.
In determining whether a cybersecurity incident is a serious incident, CIOs should consider the downtime, impact on service level, volume of impacted data, and likelihood of mass customer enquiries/complaints.
The CIO is deemed to be aware of the incident when it has a reasonable degree of certainty that an incident has occurred. Legal and technical support is therefore crucial for responding to an incident, preparing incident notifications, and handling communications with the Commissioner and any other regulators and stakeholders.
The Code clarifies that an event arising from pure technical failure, natural disaster, mass power outage, a threat detected and timely removed or quarantined, or personal data leakage arising from human mistake, does not constitute a notifiable incident.
Practical steps
Given the far-reaching effect of the Ordinance and the Code, all organisations should:
- If they are designated as CIOs, ensure compliance with the Ordinance and Code. Even if they are not a CIO, they should still refer to the Code to improve their cybersecurity posture and build resilience, particularly if they provide services to a CIO.
- Evaluate and advance their cybersecurity measures. A good starting point is ensuring the organisation has a robust Management Plan and ERP.
- Ensure there are sufficient resources to ensure ongoing compliance with the requirements of the Ordinance.
- Obtain assistance from cybersecurity consultants and experts, such as the Innovation and Technology Commission of Hong Kong, as well as the Hong Kong Internet Registration Corporation.
As Hong Kong strengthens its cybersecurity resilience, organisations should prioritise robust implementation of the new statutory obligations. If in doubt, always seek independent legal or expert advice to ensure full compliance.