Cybersecurity · Hong Kong
Hong Kong has no economy-wide, NIS2-style cybersecurity statute; obligations are imposed on specific designated entities and sectors. Its first dedicated cybersecurity law, the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), came into force on 1 January 2026 but binds only operators formally designated by the Commissioner across eight essential-service sectors plus large 'key society' infrastructure. Financial institutions face separate regulator-driven cyber rules, while general personal-data breach notification under the PDPO remains voluntary (with a mandatory regime proposed but not yet enacted).
The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) was passed on 19 March 2025, gazetted on 28 March 2025, and commenced on 1 January 2026, making it Hong Kong's first standalone cybersecurity statute. It applies only to organisations once they have been formally designated as Critical Infrastructure Operators (CIOs).
Designated operators face organisational duties (HK office, security management unit, notifying operator changes), preventive duties (security management plans, risk assessments, audits, OT measures), and incident-response duties (security drills, emergency response plans, incident notification).
CIOs must notify the Commissioner within 12 hours of becoming aware of an incident that has disrupted or is likely to disrupt the critical infrastructure's core function, and within 48 hours for other incidents adversely affecting the critical computer system's security.
OCCICS issued a Code of Practice effective 1 January 2026; non-compliance is not itself an offence, but the Commissioner can issue binding written directions. Statutory breaches carry fines from HK$300,000 up to HK$5 million, plus daily penalties for continuing offences.
The HKMA's Cybersecurity Fortification Initiative and Cyber Resilience Assessment Framework (C-RAF) require authorised institutions to assess cyber resilience and run simulated-attack testing; SFC circulars require licensed/registered intermediaries to promptly report significant cyber incidents.
Under the Personal Data (Privacy) Ordinance (Cap. 486), breach notification to the Privacy Commissioner remains voluntary/recommended rather than legally mandatory. A mandatory data-breach notification requirement has been proposed as part of PDPO reform but is not yet enacted.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.