Key takeaways
New law sets mandatory cyber protections
A strict framework now governs operators of critical systems.
Rapid reporting and robust security required
Serious incidents must be reported within 12 hours of discovery, and risk assessments must be carried out regularly.
More sectors will soon be brought in scope
Transport, energy, IT and healthcare operators must prepare early.
Hong Kong’s new critical infrastructure protection law, the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), came into force on 1 January 2026. It follows nearly a year of consultation led by Hong Kong’s Security Bureau with experts from the cybersecurity sector and with the organisations (initially in the finance and communications sectors) that are required to comply with the new law.
The law puts in place mandatory protection for ‘critical infrastructures’ in Hong Kong. The Ordinance defines a ‘critical infrastructure’ as ‘any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a specified sector’, or any ‘other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong’.
The law creates a new regulator, the Commissioner of Critical Infrastructure, and allows for the appointment of ‘designated authorities’ with powers to supervise and enforce the law within their own sectors. The first two designated authorities are the Hong Kong Monetary Authority and the Communications Authority. The Commissioner and the designated authorities can designate an organisation as a ‘Critical Infrastructure Operator’, after which it must comply with all aspects of the new law.
The law requires Critical Infrastructure Operators to put in place adequate security for their critical computer systems, notify the regulator of material changes to those systems, conduct regular risk assessments and audits, and take part in drills. Security incidents must be reported promptly once the operator becomes aware of them: within 12 hours for serious incidents and within 48 hours for other incidents. Failure to comply can result in fines of up to HK$5 million, with further daily fines for as long as the non-compliance continues.
Beyond the banking and communications sectors, which have been covered since the law came into force, the Ordinance will in due course be applied to critical infrastructure operators in the maritime, land transport, air transport, energy, IT and healthcare sectors. Compliance requires that critical computer systems and their operators have adequate security controls, monitoring, personnel and procedures in place to prevent and mitigate harm to systems and loss of data. This may require significant investment by operators, as well as the hiring of skilled cybersecurity professionals.
Our team has been advising on compliance with the Protection of Critical Infrastructures (Computer Systems) Ordinance since its inception and works with cybersecurity specialists. If you would like to learn more, please get in contact.
