Proposed legislative framework to enhance protection of the computer systems of critical infrastructure
FAQs
Question 1: What is the purpose of the proposed legislation? What are the benefits?
The purpose of the proposed legislation is to strengthen the security of the computer systems of critical infrastructure and minimise the chance of essential services being disrupted or compromised due to cyberattacks, thereby enhancing the overall computer system security in Hong Kong.
The proposed legislation is conducive to promoting the establishment of good preventive management systems by operators of CI and securing the operation of their computer systems, enabling the smooth operation of essential services and consolidating Hong Kong’s favourable business environment and status as an international financial centre.
Question 2: What is regulated by the proposed legislation? Does it affect me?
The proposed legislation seeks to regulate operators of critical infrastructure that are necessary for (i) the continuous delivery of essential services or (ii) maintaining important societal and economic activities in Hong Kong.
Operators to be regulated will mostly be large organisations. Small and medium enterprises and the general public will not be affected.
Question 3: Will the Government obtain my personal information through operators of critical infrastructure?
The proposed legislation will only require operators of critical infrastructure to bear the responsibility for securing their critical computer systems; it does not target personal data or commercial secrets held in those systems.
Question 4: What is critical infrastructure?
There are two categories of critical infrastructure under the proposed legislation:
(i) Infrastructures for delivering essential services in Hong Kong, covering the following eight sectors: (a) Energy; (b) Information Technology; (c) Banking and Financial Services; (d) Air Transport; (e) Land Transport; (f) Maritime Transport; (g) Healthcare Services; and (h) Telecommunications and Broadcasting Services; or
(ii) Other infrastructures for maintaining important societal and economic activities (such as major sports and performance venues, research and development parks, etc.).
The proposed legislation does not cover the Government. The Government has already put in place a set of detailed internal Government Information Technology Security Policy and Guidelines ("Policy and Guidelines"), which are reviewed and updated regularly with reference to the latest international standards and industry best practices. As the level of requirements in the Policy and Guidelines is comparable to the statutory requirements under the proposed legislation, we propose to continue to regulate Government departments under the existing administrative approach.
Question 5: What are the obligations of operators of critical infrastructure under the proposed legislation?
Designated operators of critical infrastructure ("CIO") will need to fulfil three types of obligations as set out below:
I. Organisational
- maintain an address and office in Hong Kong
- report changes in the ownership and operatorship of critical infrastructure
- set up a computer system security management unit with professional knowledge (may be outsourced) supervised by a dedicated supervisor of the CIO
II. Preventive
- inform the Commissioner’s Office of material changes to their critical computer systems (e.g. design, configuration, security, operation)
- formulate and implement a computer system security management plan
- conduct a computer system security risk assessment (at least once every year)
- conduct a computer system security audit (at least once every two years)
- adopt measures to ensure that their third party services providers are in compliance with the relevant statutory obligations
III. Incident Reporting and Response
- participate in a computer system security drill (at least once every two years)
- formulate an emergency response plan
- notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of critical computer systems
Question 6: What kind of incidents do operators of critical infrastructure need to report? What is the time frame?
Under the proposed legislation, operators of critical infrastructure will need to report computer system security incidents (i.e. activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security) to the Commissioner's Office, so that the Commissioner may instruct a timely response as needed. The relevant reporting categories and time frames are as follows:
Serious computer system security incidents (referring to incidents that have had, or are about to have, a major impact on the continuity of essential services and the normal operation of CIs, or that lead to a large-scale leakage of personal information and other data): the report shall be made within 12 hours after becoming aware of the incident;
Other computer system security incidents: the report shall be made within 48 hours after becoming aware of the incident.
Question 7: What are the consequences if an operator of critical infrastructure violates the law?
The legislative intent is to lead operators of critical infrastructure to enhance the protection of the security of their computer systems, not to punish them. Organisations will be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million.
However, if the relevant violations also involve a breach of existing criminal legislation, such as making false statements, using false instruments or other fraud-related offences, the officers involved may be held personally criminally responsible, as is already the case today.
Question 8: Why are certain statutory regulators to be designated to be responsible for specific sectors?
Some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators. We propose to designate certain sector regulators as designated authorities to monitor the discharge of organisational and preventive obligations by operators in these essential service sectors.
This approach allows the designated authorities to establish sets of standards and requirements on organisational and preventive obligations, under their existing regulatory regimes, that best suit the sectors' needs. Operators of critical infrastructure in these sectors will not need to fulfil additional requirements of the Commissioner's Office in relation to these two types of obligations.
At this stage, we propose to designate (1) the Monetary Authority as the authority responsible for regulating some service providers in the banking and financial services sector, and (2) the Communications Authority as the authority responsible for regulating some service providers in the telecommunications and broadcasting sector.
Question 9: Has reference been made to relevant legislation in other jurisdictions?
In recent years, laws and regulations protecting the security of computer systems of critical infrastructures have become increasingly common in other jurisdictions.
We have made reference to the legislative direction of other jurisdictions (including the Chinese Mainland, the Macao Special Administrative Region, Australia, the European Union, Singapore, the United Kingdom and the United States) in formulating a regulatory regime that is suitable for Hong Kong.
Question 10: Is there a consultation?
Since 2023, we have consulted over 110 stakeholders, including organisations that may be designated as CIOs, cybersecurity service providers and audit companies, sector regulators, etc., on the preliminary proposed framework of the legislation.
The stakeholders unanimously agreed that it is the responsibility of all sectors of the community to safeguard the security of computer systems and supported the legislation in principle.