LegCo Panel Considers Legislative Framework to Enhance Computer Systems of Critical Infrastructure

Background

On 2 July 2024, the Hong Kong Legislative Council’s Panel on Security discussed a paper put forward by the Security Bureau on a proposed legislative framework tentatively titled the “Protection of Critical Infrastructure (Computer System) Bill” (Proposed Legislation) [1].

Before putting forward the Proposed Legislation, the Security Bureau had, since 2023, consulted over 110 stakeholders, including organisations that may be designated as critical infrastructure operators, cybersecurity service providers, audit firms and sector regulators.

This initiative is part of a broader effort to ensure the resilience and security of critical infrastructure in the face of evolving threats, particularly in the digital domain. The Proposed Legislation is intended to strengthen the security of the networks and computer systems of critical infrastructure so as to minimise the impact of cyberattacks and disruptions to essential public services.

Although the Proposed Legislation is still at the consultation stage, the Government plans to introduce the bill into LegCo by the end of 2024 and aims to bring it into force within about 18 months thereafter (i.e. around mid-2026). Organisations that may be caught by the Proposed Legislation would therefore be prudent to start preparing now.

Key takeaways:

  • Who does the Proposed Legislation apply to? The Proposed Legislation seeks to regulate Critical Infrastructure Operators (CIOs). CIOs are organisations that host critical infrastructure necessary for the continuous delivery of essential services or for important societal and economic activity. This covers organisations in sectors such as energy, information technology, transport, communications and broadcasting, banking and financial services, and healthcare. Regulated CIOs are expected to be mostly large organisations; small and medium enterprises and the general public are generally not intended to be regulated under the Proposed Legislation.
  • How will I know if my organisation qualifies as a CIO? Organisations are expected to be expressly designated as CIOs by the Commissioner’s Office (see further below). A CIO designation is not expected to be made public, but it will be disclosed to the organisation concerned.
  • If my organisation is a CIO, will the Proposed Legislation apply to all of my organisation’s information technology infrastructure? No. The Proposed Legislation is expected to apply only to designated Critical Computer Systems, being those systems on which the normal functioning of the critical infrastructure depends, and not to the CIO’s other systems. It is intended that the Commissioner’s Office will consult the CIO on the systems essential to its operations and seek the organisation’s assistance in considering whether any designation should be made.
  • What will CIOs be required to do? The Proposed Legislation establishes statutory obligations for CIOs, categorised as organisational, preventative, and incident reporting and response obligations. The organisational obligations include establishing a computer system security management unit (in-house or outsourced) supervised by a dedicated supervisor of the CIO. Preventative obligations include informing the Commissioner’s Office of material changes to a Critical Computer System (including changes to design, configuration and operation), conducting a computer system security risk assessment annually and an independent computer system security audit at least every two years, and formulating a computer system security management plan. Incident reporting and response obligations include formulating an emergency response plan for cybersecurity incidents and actively reporting security incidents to the Commissioner’s Office within a designated timeframe.
  • Which is the primary government authority to enforce the Proposed Legislation? A Commissioner’s Office is proposed to be set up under the Security Bureau, headed by a commissioner appointed by the Chief Executive. The duties of the Commissioner’s Office include monitoring threats, designating CIOs and Critical Computer Systems, establishing a Code of Practice, and investigating non-compliance. The Commissioner’s Office will also be given statutory investigatory powers, including powers to question, request information, enter premises and check relevant computer systems.
  • What happens if my organisation’s sector is already governed by a computer systems security regulatory regime? As the banking and financial services sector and the communications and broadcasting sector are already comprehensively regulated by statutory sector regulators under mature regulatory regimes, it is proposed that:
    • for the banking and financial services sector, the Monetary Authority be the designated authority responsible for CIOs in that sector; and
    • for the communications and broadcasting sector, the Communications Authority be the designated authority.

However, if a computer system security incident occurs in the banking and financial services or communications and broadcasting sector, the affected CIO must report it to both the Commissioner’s Office and the designated responsible authority.

  • Does the Proposed Legislation establish offences? Yes. Offences are imposed on an organisational (rather than personal) basis and include non-compliance with the statutory obligations, with written directions, or with requests from the Commissioner’s Office. Although offences are imposed on an organisational basis, where a violation also involves a breach of existing criminal legislation (such as making false statements, using false instruments or fraud-related offences), officers of the CIO may be held personally liable under that legislation.
  • What can my organisation do to get ready? We encourage organisations that think they may be captured by the Proposed Legislation to review their current cybersecurity practices. In particular, we suggest that organisations identify which of their systems would likely be treated as Critical Computer Systems, ascertain how often internal risk assessments and independent audits are carried out on those systems, confirm whether their security is already supervised by a dedicated security management unit, check that existing emergency response plans and escalation paths could meet the proposed 2-hour and 24-hour incident reporting windows, and review whether contracts with third-party service providers supporting those systems allow the organisation to meet its obligations.

Notable components of the Proposed Legislation

CIOs are the focal point

The Proposed Legislation makes clear that designated CIOs, rather than individuals or the general public, are the subject of regulation. It is expected that the Commissioner’s Office will designate an organisation as a CIO after analysing whether it hosts critical infrastructure and the degree of control it has over the critical infrastructure concerned.

Critical infrastructure potentially has a broad meaning

Critical infrastructure is defined in the Proposed Legislation to include two categories:

  • Category 1: Infrastructure for delivering essential services in Hong Kong; and
  • Category 2: Other infrastructure for maintaining important societal and economic activities.

Category 1 is proposed to include the following eight sectors:

  • Energy;
  • Information technology;
  • Banking and financial services;
  • Land transport;
  • Air transport;
  • Maritime;
  • Healthcare Services; and
  • Communications and Broadcasting.

Category 2 is proposed to cover infrastructure whose damage, loss of functionality or data leakage may have serious implications for important societal or economic activities in Hong Kong. This may include, for example, research and development parks or major sports venues.

The Proposed Legislation intends to apply to Critical Computer Systems within a CIO

Where an organisation has been designated a CIO, the Proposed Legislation will regulate only its designated Critical Computer Systems, being systems that:

  • are relevant to the provision of essential services or to the core functions of the critical infrastructure; or
  • if interrupted or damaged, would seriously impact the normal functioning of the critical infrastructure.

It is expected that the Commissioner’s Office will consult the CIO on the systems essential to its operations and seek its assistance in determining whether a designation should be made.

An appeal board is also proposed, allowing operators who disagree with a designation (as a CIO or of a Critical Computer System) or with a direction issued by the Commissioner to appeal. The appeal board is expected to be staffed by information security professionals and legal professionals.

The Proposed Legislation seeks to establish a range of organisational, preventative and incident-reporting obligations

The Proposed Legislation proposes that obligations be imposed on CIOs in three categories: organisational, preventative, and incident reporting and response.

Organisational obligations include:

  • Ensuring that the Commissioner’s Office can maintain communication with the CIO;
  • Keeping the Commissioner’s Office up to date with details of ownership and operation of the critical infrastructure; and
  • Setting up a computer system security management unit with professional knowledge (whether in-house or outsourced), supervised by a dedicated supervisor of the CIO.

Preventative obligations include:

  • Informing the Commissioner’s Office of material changes to a Critical Computer System, including changes to its design, configuration, security and operation;
  • Formulating and implementing a computer system security management plan and submitting it to the Commissioner’s Office;
  • Conducting a computer system security risk assessment at least once a year and submitting the report to the Commissioner’s Office;
  • Conducting an independent computer system security audit at least once every two years and submitting the report to the Commissioner’s Office; and
  • Adopting measures to ensure that Critical Computer Systems continue to comply with the statutory obligations even where third-party service providers are engaged.

Incident reporting and response obligations include:

  • Participating in a computer system security drill organised by the Commissioner’s Office at least once every two years;
  • Formulating an emergency response plan for cybersecurity incidents and submitting it to the Commissioner’s Office; and
  • Actively reporting Critical Computer System security incidents to the Commissioner’s Office: within 2 hours of becoming aware of an incident that has had, or is about to have, a major impact on the normal operation of the critical infrastructure or that leads to large-scale leakage of data; and within 24 hours of becoming aware of any other security incident.

To supplement the statutory obligations, the Proposed Legislation recommends that the Commissioner’s Office issue a Code of Practice to assist CIOs in meeting their statutory obligations. The Commissioner’s Office should also communicate with CIOs in different sectors and include sector-specific guidance in the Code of Practice where necessary. Failure to comply with the Code of Practice is not expected to be an offence in itself; however, compliance with it may be used as evidence that a statutory obligation has not been breached.

The Proposed Legislation also seeks to empower the Commissioner’s Office with statutory investigation powers, including powers to question, request information, enter premises and access relevant computer systems.

The Proposed Legislation establishes organisational offences; individuals may also be liable where violations engage existing criminal legislation

Offences under the Proposed Legislation include a CIO’s non-compliance with:

  • Statutory obligations;
  • Written directions issued by the Commissioner’s Office;
  • Requests of the Commissioner’s Office under the statutory power of investigation; and
  • Requests of the Commissioner’s Office to provide relevant information relating to critical infrastructure.

It is proposed that penalties will only include fines, with maximum fines ranging from HK$500,000 to HK$5 million.

Additionally, where a violation of the Proposed Legislation also involves a breach of existing criminal legislation (such as making false statements, using false instruments or other fraud-related offences), officers of the CIO may be held personally liable under that legislation.

Looking ahead

The Proposed Legislation will bring Hong Kong into line with other jurisdictions that already regulate the cybersecurity of critical infrastructure, such as Mainland China, Australia, the European Union, Singapore and the United Kingdom. For a recap of the PRC Cybersecurity Law, please see our previous article (available in Chinese only): https://www.kwm.com/cn/zh/insights/latest-thinking/review-and-outlook-network-security-and-data-compliance-in-2023.html

KWM has a dedicated team of lawyers advising local and international clients on cybersecurity law projects, and is available to assist potential CIOs with governance arrangements in preparation for the forthcoming changes.
