Hong Kong Cybersecurity Law - Get Ready For 2026

In March 2025, Hong Kong enacted the Protection of Critical Infrastructures (Computer Systems) Bill, marking its first comprehensive cybersecurity legislation. Set to take effect in 2026, the law aims to enhance the resilience of essential services against cyber threats by imposing stringent obligations on designated critical infrastructure operators (CIOs).

The law will cover computer systems for various sectors, including energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.

It will also empower the government to seek a court warrant to connect to computer systems or install programs onto critical infrastructure systems if operators are unwilling or unable to respond to cybersecurity incidents.

Key Provisions of the Law

Scope and Coverage

The legislation targets two primary categories of infrastructure:

  1. Essential Services: This includes sectors such as energy, information technology, banking and financial services, land and air transport, maritime, healthcare services, and communications and broadcasting.
  2. Societal and Economic Activities: Facilities like major sports venues, performance centers, and research and development parks fall under this category.

Obligations for CIOs

Designated CIOs are required to:

  • Conduct Annual Risk Assessments: Evaluate and document potential cybersecurity risks to their critical systems.

  • Undergo Biennial Independent Audits: Engage third-party auditors to assess the effectiveness of their cybersecurity measures every two years.

  • Report Serious Incidents Promptly: Notify authorities of significant cybersecurity incidents within two hours of detection.

Enforcement and Penalties

Non-compliance can result in substantial fines, ranging from HK$500,000 to HK$5 million (approximately US$64,000 to US$640,000), with additional daily penalties for ongoing violations.


Oversight and Regulatory Framework

Commissioner's Office

A new Commissioner’s Office under the Security Bureau will be established to:

  • Designate CIOs and Critical Computer Systems (CCSs): Identify and notify organizations falling under the law's purview.

  • Issue Codes of Practice: Provide guidelines and standards for cybersecurity measures.

  • Monitor Compliance: Oversee adherence to the law and investigate non-compliance.

Sector-Specific Regulators

Authorities such as the Hong Kong Monetary Authority and the Communications Authority will regulate CIOs within their respective sectors, ensuring sector-specific compliance and coordination.


Role of External Cybersecurity Firms like Digitpol

The introduction of the Protection of Critical Infrastructures (Computer Systems) Bill opens significant opportunities and responsibilities for external cybersecurity service providers, such as Digitpol, to support both compliance and resilience for affected organizations.

Key Areas Where Firms Like Digitpol Can Add Value:

  1. Risk Assessment & Threat Modeling

    • CIOs are mandated to conduct annual cybersecurity risk assessments. Firms like Digitpol can offer in-depth threat intelligence, penetration testing, and vulnerability analysis, tailored to the specific risks of critical infrastructure systems.

    • Expertise in sector-specific threats (e.g., energy, transport, healthcare) allows external firms to simulate realistic attack scenarios and provide mitigation strategies.

  2. Independent Audit Services

    • The law requires biennial independent cybersecurity audits. Digitpol, as an accredited and independent cybersecurity auditor, can provide full compliance assessments, gap analysis, and certified audit reporting aligned with local and international standards (e.g., ISO/IEC 27001, NIST).

  3. Incident Response & Digital Forensics

    • With the obligation to report major cyber incidents within two hours, rapid incident response capabilities are crucial. Digitpol can:

      • Offer 24/7 Security Operations Center (SOC) services,

      • Deploy forensic investigators immediately after an incident, and

      • Liaise with regulatory authorities for reporting and legal compliance.

  4. Development of Cybersecurity Policies & Frameworks

    • Organizations may lack internal resources to build comprehensive cybersecurity policies. Digitpol can help draft:

      • Custom cybersecurity frameworks,

      • Incident response plans, and

      • Disaster recovery protocols compliant with the Commissioner's Office guidelines.

  5. Training & Awareness

    • Regular staff training is vital under the law’s risk management provisions. Digitpol can conduct:

      • Workshops for C-level executives and technical teams,

      • Phishing simulation campaigns, and

      • Compliance-oriented e-learning modules.

  6. Technology Integration & Compliance Automation

    • Implementation of SIEM tools, threat detection systems, and compliance dashboards helps maintain ongoing compliance. Digitpol can assist with:

      • Custom tool integration,

      • Real-time compliance tracking, and

      • Alerting mechanisms for breach detection.


Conclusion

Hong Kong's Protection of Critical Infrastructures (Computer Systems) Bill represents a significant step toward enhancing cybersecurity for essential services. Organizations operating within the specified sectors should proactively assess their cybersecurity frameworks to ensure compliance with the forthcoming regulations.

Read the Bill online: https://www.legco.gov.hk/yr2024/english/bills/b202412061.pdf

Are you ready for Hong Kong’s Cybersecurity law?

Contact Digitpol For Cybersecurity Testing & Training.