On 1 January 2026, Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the “Ordinance”) came into force, ushering in a new statutory regime for cyber resilience and operational continuity across essential sectors. This landmark legislation is the city’s first comprehensive cybersecurity law tailored to safeguarding critical digital infrastructure, and a response to escalating threats and to global regulatory developments in cyber risk management.
The new regulator, the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (the “Commissioner”), has also issued a Code of Practice (“CoP”) that translates the Ordinance’s high-level obligations into practicable guidance for designated Critical Infrastructure (“CI”) operators. At a sector-specific level, the Communications Authority, the designated authority for the telecommunications and broadcasting services sector, has already adopted the CoP in respect of CI operators in its sector. A sector-specific CoP for the banking and financial services sector is also expected in due course.
Why does it matter?
The Ordinance introduces statutory obligations for organisations that the Commissioner designates as CI operators. Unlike past guidance or voluntary standards, the Ordinance is backed by enforcement powers and potential penalties for non-compliance. Organisations in key sectors should prepare for regulatory scrutiny. These sectors include energy, banking and financial services, information technology, transport (air, land and maritime), healthcare, telecommunications and broadcasting services, and any other infrastructure whose damage or loss of functionality may substantially affect the maintenance of critical societal or economic activities in Hong Kong.
Relevantly, organisations that work with CI operators are also likely to be held to the same standard of cybersecurity, because CI operators are expected to flow down security obligations to them contractually as appropriate.
The Code of Practice: Turning Principles into Practice
The Ordinance imposes three categories of obligations on CI operators: Category 1 obligations (organisational measures), Category 2 obligations (preventive measures) and Category 3 obligations (incident reporting and response).
The CoP, in turn, operationalises the Ordinance’s requirements and offers practical steps for compliance. Key elements of the CoP include:
- Scope of “critical computer system”: The CoP sets out expectations on the measures to be taken for operational technology (“OT”) systems (e.g., supervisory control and data acquisition systems) in addition to information technology infrastructure. This aligns with actual practice, since both OT and information technology systems can be critical to the functioning of a CI operator.
- Computer-system security management unit: In determining whether an employee of a CI operator possesses “adequate knowledge”, the CoP suggests that the Commissioner could consider both the individual’s professional experience in managing systems with a risk exposure commensurate with the relevant critical computer system and professional qualifications such as CISP, CISA, CISM and CISSP.
- Security drills: The CoP clarifies that the cybersecurity drills set by the Commissioner, participation in which is a statutory requirement for CI operators, will be structured so as not to disrupt normal business operations. It also stresses the importance of involving senior management in emergency-response exercises.
- Threshold for notification requirements: The CoP provides greater detail and examples of which “operator changes” or “computer system changes” trigger the requirement to notify the regulator. Template forms have also been provided to enable CI operators to make such notifications.
- Incident reporting and response: The CoP gives examples of what constitutes a notifiable incident, such as exceeding the maximum tolerable downtime or the leakage of a material volume of customer data.
Governance Imperatives for Boards and Senior Leaders
With the Ordinance and CoP now operational:
- Designation Assessment: Organisations should consider whether they are likely to be designated as CI operators and begin early engagement with authorities where appropriate.
- System Mapping and Risk Prioritisation: Enterprises must identify and categorise their critical computer systems, understand dependencies, and undertake objective risk evaluations.
- Policy and Contract Review: Boards should ensure that internal cybersecurity policies, incident response plans, and third-party contracts are aligned with both the Ordinance and the CoP.
- Executive Accountability: Leadership must be able to demonstrate governance oversight, from board risk committees through to technology and operational management, to regulators and stakeholders alike.
The Ordinance and the CoP mark a defining moment in Hong Kong’s regulatory evolution on cybersecurity and operational resilience. For organisations subject to, or likely to be caught by, this regime, the time to act is now.