On 1 January 2026, Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the “Ordinance“) came into force, ushering in a new statutory regime for cyber resilience and operational continuity across essential sectors. This landmark legislation represents the city’s first comprehensive cybersecurity law tailored to safeguard critical digital infrastructure — a response to escalating threats and global regulatory developments in cyber risk management. 

Designated critical infrastructure (“CI”) operators have organizational, preventive and incident reporting and response obligations under the Ordinance. Penalties consist of fines ranging from HKD 300,000 up to HKD 5 million plus a daily penalty for a continuing offence. For a recap of the highlights of the Ordinance, please read our previous client alerts: Hong Kong: The first draft of the new critical infrastructures cybersecurity law is here and Hong Kong: The city’s first cybersecurity law is expected to take effect on 1 January 2026.

The new regulator – the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner“) – has also issued a Code of Practice (“CoP“) that translates the Ordinance’s high-level obligations into practicable guidance for designated CI operators. At a sector-specific level, the Communications Authority, the designated authority for the telecommunications and broadcasting services sector, has already adopted the CoP in respect of CI operators in its sector. It is also expected that the sector-specific CoP for banking and financial services will be provided in due course.

Why does it matter?

The Ordinance introduces statutory obligations for CI operators designated as such by the Commissioner. Unlike past guidance or voluntary standards, the Ordinance is backed by enforcement powers and potential penalties for non-compliance. Organisations in key sectors including energy, banking and financial services, information technology, transport (air, land and maritime), healthcare, telecommunications and broadcast services, and any other infrastructures the damage of the functionality of which may substantially affect the maintenance of critical societal or economic activities in Hong Kong, should prepare for regulatory scrutiny.

Relevantly, organizations that collaborate with CI operators are also likely to be held to the same standard of cybersecurity, because CI operators are expected to contractually flow down security obligations to them as appropriate.

The Code of Practice: Turning Principles into Practice

The Ordinance imposes three categories of obligations on CI operators, namely: Category 1 obligations (organisational measures), Category 2 obligations (preventive measures) and Category 3 obligations (incident reporting and response).

The CoP, in turn, operationalizes the Ordinance’s requirements and offers practical steps for compliance. Key elements of the CoP include:

  • Scope of “critical computer system”: The CoP sets out expectations on measures to be taken on operational technology (“OT”) systems (e.g., supervisory control and data acquisition systems) underlying IT infrastructures. This aligns with the actual practice — both OT and information technology systems could be critical to the functioning of CI operators.
  • Computer-system security management unit: In determining whether an employee of a CI operator possesses “adequate knowledge”, the CoP suggests that the Commissioner could consider both the individual’s professional experience in managing systems with risk exposure commensurate with the relevant critical computer system and professional qualifications such as CISP, CISA, CISM and CISSP.
  • Security drills: The CoP clarifies that cybersecurity drills set by the Commissioner — the participation in which is a statutory requirement for CI operators — will be structured so as not to disrupt normal business operations. It also stresses the importance of involving senior management in emergency-response exercises.  
  • Threshold for notification requirements: The CoP provides greater detail and examples as to what “operator changes” or “computer systems changes” would trigger the requirements to notify the regulator. Template forms have also been provided to enable CI operators to make such notifications.
  • Incident reporting and response: The CoP provides some examples of what constitutes a notifiable incident such as overrun of maximum tolerable downtime and leakage of a material volume of customer data.  
  • Sample Contract Clauses: Sample clauses are set out in an Annex to the CoP for reference as a baseline contractual framework for engaging external service providers who support CI operators.

Governance Imperatives for Boards and Senior Leaders

With the Ordinance and CoP now operational:

  • Designation Assessment: Organisations should consider whether they are likely to be designated as CI operators and begin early engagement with authorities where appropriate.  
  • System Mapping and Risk Prioritisation: Enterprises must identify and categorise their critical computer systems, understand dependencies, and undertake objective risk evaluations.  
  • Policy and Contract Review: Boards should ensure that internal cybersecurity policies, incident response plans, and third-party contracts are aligned with both the Ordinance and the CoP.  
  • Executive Accountability: Leadership must be able to demonstrate governance oversight — from board risk committees to technology and operational management — to regulators and stakeholders alike.

The Ordinance and the CoP mark a defining moment in Hong Kong’s regulatory evolution on cybersecurity and operational resilience. For organizations subject to or likely to be caught by this regime, the time to act is now.

Author

Dominic is Special Counsel in Baker McKenzie's Intellectual Property and Technology Practice Group in Hong Kong.