Hong Kong: The first draft of the new critical infrastructures cybersecurity law is here

In brief

The Hong Kong Government has published on 6 December 2024 a draft of the Protection of Critical Infrastructures (Computer Systems) Bill ("Bill"), marking a significant step towards enhancing cybersecurity standards in relation to essential services and critical societal or economic activities in Hong Kong. This Bill aims to protect the security of the critical computer systems (CCSs) of critical infrastructures (CIs), to regulate operators of CIs (i.e., critical infrastructure operators (CIOs)) and to provide for the investigation into, and response to, computer-system security threats and incidents. This article considers the key provisions of the Bill, compares the differences between the original legislative proposal and the Bill, and discusses areas of uncertainty with some key takeaways as things stand now. 


With significant obligations and penalties (from HKD 300,000 up to HKD 5 million, plus a daily penalty for a continuing offence), potential CIOs and service providers should watch this space closely for further developments and undertake suitable preparatory work, such as assessing the likelihood of designation, the readiness of their existing cybersecurity framework and organizational structure for compliance, and contractual provisions for risk allocation and mitigation.

Key takeaways

The draft provides much-needed clarity on various aspects of the legislative framework, particularly regarding the process of designation of CIOs and CCSs, as well as compliance standards. Organizations are recommended to conduct self-assessments to determine the likelihood of being designated by the Regulating Authorities. We are able to assist with assessments of the likelihood of an individual infrastructure or operator being regarded as a CI or a CIO, respectively.

For organizations with a higher likelihood of being designated, it is advisable to review their existing cybersecurity framework in order to ensure compliance with the three categories of obligations, and to start formulating the required CCS management plans and/or emergency response plans in accordance with the requirements outlined in Schedule 3 of the Bill. This is especially important for multinationals facing competing obligations under different legal regimes (e.g., the EU's NIS2 Directive) and for organizations subject to additional sector-specific regulations. We are able to assist with drafting such plans and revising them once the codes of practice (COPs) are available.

Potential CIOs and customers that rely on CIs should review existing supplier contracts in light of the Bill to ensure sufficient protection, especially for provisions relating to compensation, audit rights, service levels and termination. Third-party service providers (e.g., cloud providers) may expect that their CIO customers will attempt to flow down certain obligations under the Bill, given the liability of CIOs in relation to CIs.

Particularly for companies with interconnected computer systems located outside of Hong Kong, it is important to consider whether computer system accessibility limitations need to be imposed, as many of the Bill's obligations depend on accessibility rather than on geographical location or control.

* * * * *

Jacqueline Wong, Knowledge Lawyer, has contributed to this legal update.
