Hong Kong: Critical infrastructure cybersecurity law – Government's latest updates

In brief

**Important Update**

Since this article was published, the Security Bureau of the Hong Kong Government has announced that the Protection of Critical Infrastructure (Computer System) Bill will be gazetted on Friday, 6 December 2024, and will be introduced into the Legislative Council for First Reading and Second Reading on 11 December 2024. We will provide an update on further developments.



Following our client alert on 29 July 2024 regarding the upcoming Protection of Critical Infrastructure (Computer System) Bill ("Bill"), the Hong Kong Government has reported on its findings from the public consultation exercise. 

To recap, the Bill would impose organisational, preventive and incident reporting and response obligations on critical infrastructure operators (CIOs), being operators of infrastructures for delivering essential services in Hong Kong or other infrastructures for maintaining important societal and economic activities, and establish a new Commissioner's Office to administer the legislative regime.

The Security Bureau (SB) issued a consultation report on 8 October 2024 ("Consultation Report"), clarifying the legislative proposals and highlighting possible key changes to the proposed regime in view of the comments and suggestions received. In the 2024 Policy Address delivered on 16 October 2024, the Chief Executive reiterated that CIOs must undertake obligations to protect their computer systems to combat cybersecurity challenges. The Office of the Privacy Commissioner for Personal Data (PCPD) also supports these initiatives. 

The Government aims to finalise the Bill for Legislative Council (LegCo) scrutiny within 2024 and establish the new Commissioner's Office within a year of the Bill's passage, as well as designating CIOs in phases based on risk and readiness.

In more detail

1. Public consultation

The public consultation for the Bill was launched on 2 July 2024 and ended on 1 August 2024. Written submissions were mainly made by organisations that may be designated as CIOs, LegCo members, sectoral professional bodies and institutions, associations and chambers of commerce, and cybersecurity service providers. 

The SB reported broad support in principle for the Government's legislation to protect Hong Kong's critical infrastructures (CIs), along with constructive suggestions to enhance the Bill. 

2. What changes may be expected?

In the Consultation Report, the SB clarified the legislative proposals and stated that it would consider certain key changes to them, including:

  • Clarifying the criteria for designating a critical computer system (CCS).
  • Clarifying the statement that the Bill will not have extraterritorial effect, such that the Commissioner's Office will only request information that is accessible to CIOs with offices set up in Hong Kong.
  • Removing the requirement for CIOs to report changes in ownership of their CIs.
  • Relaxing the time frame for reporting serious security incidents from 2 to 12 hours, and for that of other incidents from 24 to 48 hours.
  • Calculating the time frames for statutory obligations such as risk assessment and independent audits from the time of designation, reportedly allowing ample preparation time for potential CIOs.

The SB and the Commissioner's Office will maintain close communication with potential operators, designating CIOs and CCSs in phases based on risk and readiness, while developing the Code of Practice (COP) for CIOs. 

3. The Government's responses to major concerns raised

A. Scope of application

  • Definition of CIs: Addressing concerns that all individual operators providing some sort of IT service may be deemed as falling within the "information technology" (IT) sector as a category of CIs, the Government in a press release dated 20 August 2024 clarified that only individual organisations, instead of the entire IT sector, will be designated as CIOs, taking into account the implications on essential services in a cybersecurity incident, the level of dependence on IT, the importance of the data controlled, and the operator's degree of control over the CIs. 
  • Definition of CCSs: The definition will be further revised to provide clarity, with the Government considering deleting the term "interconnected" from the factors of consideration in designating a CCS on the basis of comments from some stakeholders that such coverage would be too broad.
  • Designation of CIOs and CCSs: They will be designated on the basis of the definitions set out in the legislation, but the Commissioner's Office will, after communicating with the CIOs and taking other relevant factors into account, determine whether a designation is suitable. 
  • Extraterritoriality: The Bill will have no extraterritorial effect. The Commissioner's Office will only request information that is accessible by operators with offices set up in Hong Kong.

B. Obligations of CIOs

  • Notification of change in ownership of CIs: Following comments that it would be difficult for organisations (in particular listed companies) to report frequently to the Commissioner's Office about changes in ownership of their CIs, the Government is seriously considering removing this requirement.
  • Incident reporting: The SB acknowledges the challenges that CIOs are facing in incident reporting and is contemplating relaxing the reporting timeframe for serious computer system security incidents from 2 hours to 12 hours, and that for other incidents from 24 hours to 48 hours. On the other hand, the SB proposes that the Commissioner's Office be empowered to proactively investigate the cause of the incident with the operator directly, when a CCS necessary for the operator's provision of essential services has been or is likely to be disrupted, or when its services are interrupted, to determine whether they have been caused by an attack.

C. The Commissioner's Office

  • Overlapping reporting and compliance obligations: The Government considers that there is no overlap or duplication of organisations' incident reporting efforts, as the report to the PCPD concerns the protection of personal data, whereas the Commissioner's Office focuses more on identifying the reasons for data leakage and plugging loopholes.
  • Investigation powers: Only when a CIO is unwilling or unable to respond to a serious incident on its own would the Commissioner's Office consider more draconian measures, such as connecting equipment to or installing programs in CCSs, which may only be exercised upon a Magistrate's warrant and after considering necessity, appropriateness, proportionality and public interest.

4. What to expect next?

We are expecting to see a first draft of the Bill by the end of this year, while the SB is said to be continuing to work with stakeholders to develop a Code of Practice (COP) applicable to the designated sectors, with practical requirements and specific guidelines aligned with prevailing international standards. The Government's goal is to establish the Commissioner's Office within one year of the Bill's passage and to bring the Bill into force within six months after the establishment of the Commissioner's Office. This implies that potential CIOs will likely have a buffer period of around 18 months from the passage of the Bill to bring their organisational and operational systems up to the standards expected by the Bill and the COP.

CIOs will be designated in phases based on risk and readiness, and more information on the precise timeline of designation is expected after the draft Bill is presented to the LegCo. 

The SB announced on 4 December 2024 that the Bill will be gazetted on 6 December 2024. It will be possible to submit comments on the Bill once it is introduced into the LegCo, and we are able to assist with formulating comments. Once the COP is published, we will be in a position to advise individual operators on their specific compliance requirements.

* * * * *

Jacqueline Wong, Knowledge Lawyer, has contributed to this legal update.


Copyright © 2024 Baker & McKenzie. All rights reserved.