Cybersecurity widens scope

Jamie Liu

The Legislative Council yesterday endorsed a bill to boost the cybersecurity of critical infrastructure in Hong Kong such as banks, railway networks, electricity providers and technology parks

The government expects the new legislation to take effect on January 1, 2026.

The Protection of Critical Infrastructures (Computer Systems) Bill passed on third reading with the support of over half of the lawmakers.

The new law identifies two types of critical infrastructure - the first delivers "essential services" across eight sectors including energy, information technology, banking and finance, land and air transport, maritime, healthcare and communications; another type covers facilities maintaining important societal and economic activities, including major sports and performance venues, as well as technology zones.

These operators are required to set up a computer-system security management unit, formulate cybersecurity plans, conduct regular risk assessments at least once a year, take part in drills and report any security incident to the government.

For serious breaches that "disrupt core function of the critical infrastructure," the operators must notify the government within 12 hours after they become aware of the incident. In other cases, they should report within 48 hours.

The penalties will only include fines, with maximum levels ranging from HK$500,000 to HK$5 million, and extra daily fines for persistent non-compliance for certain offenses.

Speaking at Legco, Secretary for Security Chris Tang Ping-keung said the legislation will maintain the normal functioning of society and the everyday lives of Hongkongers in the face of cyberattacks, and enhance the city's overall cybersecurity.

A commissioner's office will be established to monitor operators of critical infrastructure and follow up on non-compliance, Tang said. The government will begin to designate the operators and its computer system starting mid-June.

Lawmaker Elizabeth Quat Pei-fan welcomed the passage of the bill. She said critical infrastructure has emerged as a new battleground in national security due to escalating geopolitical risks, underscoring the pressing need for such legislation.

However, legal sector lawmaker Ambrose Lam San-keung said there is room to improve the bill, such as expanding its scope to cover vehicle smart systems and empowering authorities to take over compromised systems.

Lawmaker Carmen Kan Wai-mun, chair of the bill committee for the legislation, pointed out that the new law does not apply to the government, therefore she called on authorities to safeguard their cybersecurity through administrative measures.

jamie.liu@singtaonewscorp.com