Cybersecurity regulation in Hong Kong (2026)
Hong Kong has no economy-wide, NIS2-style cybersecurity statute; obligations are imposed on specific designated entities and sectors. Its first dedicated cybersecurity law, the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), came into force on 1 January 2026 but binds only operators formally designated by the Commissioner across eight essential-service sectors plus large 'key society' infrastructure. Financial institutions face separate regulator-driven cyber rules, while general personal-data breach notification under the PDPO remains voluntary (with a mandatory regime proposed but not yet enacted).
Key points
The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) was passed on 19 March 2025, gazetted 28 March 2025, and commenced on 1 January 2026 — Hong Kong's first standalone cybersecurity statute. It applies only to organisations once formally designated as Critical Infrastructure Operators (CIOs).
Designated operators face organisational duties (HK office, security management unit, notifying operator changes), preventive duties (security management plans, risk assessments, audits, OT measures), and incident-response duties (security drills, emergency response plans, incident notification).
CIOs must notify the Commissioner within 12 hours of becoming aware of an incident that has disrupted or is likely to disrupt the critical infrastructure's core function, and within 48 hours for other incidents adversely affecting the critical computer system's security.
The Office of the Commissioner of Critical Infrastructure (Computer-system Security) (OCCICS) issued a Code of Practice effective 1 January 2026; non-compliance with the Code is not itself an offence, but the Commissioner can issue binding written directions. Statutory breaches carry fines from HK$300,000 up to HK$5 million, plus daily penalties for continuing offences.
The HKMA's Cybersecurity Fortification Initiative and Cyber Resilience Assessment Framework (C-RAF) require authorised institutions to assess cyber resilience and run simulated-attack testing; SFC circulars require licensed/registered intermediaries to promptly report significant cyber incidents.
Under the Personal Data (Privacy) Ordinance (Cap. 486), breach notification to the Privacy Commissioner remains voluntary/recommended rather than legally mandatory. A mandatory data-breach notification requirement has been proposed as part of PDPO reform but is not yet enacted.
Timeline - major decisions and events (most recent first; each entry is followed by its source)
Hong Kong's first dedicated cybersecurity law comes into operation, creating statutory cyber obligations (organisational, preventive, and incident-reporting) for designated critical infrastructure operators across eight sectors. A new Commissioner's Office begins phased designation of operators from mid-2026. (Source: Hong Kong Government, info.gov.hk)
The Government gazetted the commencement notice appointing 1 January 2026 as the operative date and stood up the Office of the Commissioner of Critical Infrastructure (Computer-system Security) to administer the new regime. (Source: OCCICS, occics.gov.hk)
The Legislative Council enacted Hong Kong's first cybersecurity legislation, with fines up to HK$5 million for operators that fail to secure or update critical computer systems. This marked a shift from sector guidance to binding cross-sector cyber law. (Source: South China Morning Post)
The Government gazetted the draft Bill on 6 December 2024 and introduced it for First Reading on 11 December, covering energy, IT, banking/finance, healthcare, telecoms, and air/land/maritime transport. (Source: Hong Kong Government, info.gov.hk)
The Security Bureau, OGCIO and Police opened a one-month consultation on a proposed legal framework to regulate critical infrastructure operators and critical computer systems, the precursor to the 2025 Ordinance. (Source: Mayer Brown)
The Privacy Commissioner updated its guidance recommending notification of the PCPD and affected individuals as soon as practicable after a breach posing a real risk of harm; notification remains voluntary, pending a proposed mandatory regime. (Source: PCPD)
The Hong Kong Monetary Authority upgraded its CFI framework for banks (C-RAF assessment, professional development, intelligence sharing), effective 1 January 2021, refining the cyber resilience baseline for the banking sector. (Source: HKMA)
Following a breach exposing personal data of approximately 9.4 million passengers, the Privacy Commissioner found contraventions of PDPO data-security and retention principles and ordered remedial measures, a landmark Hong Kong data-security enforcement action. (Source: PCPD)
After 27 reported cyber incidents and over HK$110M in unauthorised trades, the SFC (with the HKMA) mandated 20 baseline controls, including two-factor authentication for online brokerage logins, a key securities-sector cyber rule. (Source: SFC / HKMA, info.gov.hk)
The HKMA unveiled the CFI at the Cyber Security Summit 2016, introducing the C-RAF risk assessment framework, professional development programme, and intelligence-sharing platform, the foundation of banking-sector cyber supervision. (Source: HKMA)
One of Asia's earliest comprehensive data protection laws took effect, establishing data-security obligations (Data Protection Principle 4) and the PCPD, the backbone of Hong Kong's data and cyber-incident enforcement before dedicated cyber law. (Source: PCPD)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.