On 6 December 2024, the Hong Kong government published a draft of the Protection of Critical Infrastructures (Computer Systems) Bill, marking a significant step towards enhancing cybersecurity standards in relation to essential services and critical societal or economic activities in Hong Kong.
The bill aims to protect the security of the critical computer systems (CCS) of critical infrastructures (CIs), to regulate operators of CIs (CIOs) and to provide for the investigation into, and response to, computer system security threats and incidents.
Hong Kong’s chief executive will appoint a new commissioner of computer system security, who, along with designated authorities for specific sectors, will serve as the regulating authorities. The regulating authorities may give compliance directions to CIOs, directing them to do or refrain from doing any act in order to comply with CIO obligations, in addition to publishing codes of practice.
CIO obligations
Under the bill, CIOs’ obligations can be summarised as follows.
Organisational obligations include:
- maintain an office in Hong Kong and notify the regulating authorities of any change of the correspondence address;
- notify the regulating authorities of a change of the organisation that operates the CI; and
- set up and maintain a CCS security management unit, either internally or through a service provider, and notify the regulating authorities of the appointment and change of the supervising employee.
Preventative obligations include:
- notify the regulating authorities of material changes to certain computer systems as set out in section 22;
- submit to the regulating authorities and implement a CCS security management plan within three months of the CIO being designated;
- conduct and submit a report on an annual CCS security risk assessment; and
- conduct and submit a report on a biennial CCS security audit by an independent auditor.
Incident reporting and response obligations include:
- participate in a CCS security drill conducted by the commissioner on written notice by the commissioner; and
- submit to the commissioner and implement a CCS security incident emergency response plan within three months of the CIO being designated.
CIOs should notify the commissioner of any CCS security incident and submit a further written record and/or report of the incident in the specified form and manner within the specified time limits under schedule 6 of the bill, which is 12 hours after becoming aware in the case of incidents disrupting or likely to disrupt the core function of the CI, and 48 hours in any other case.
Key mechanisms
The bill establishes an appeal mechanism against several types of decisions (e.g. designation of CIOs or CCS, and giving compliance directions). The decision of the appeal board is said to be final. The bill does not otherwise have an express provision stating that a decision of the appeal board or the regulating authorities cannot be challenged by a judicial review.
The commissioner may exempt a CIO from any of the above-mentioned obligations, after considering whether the CIO has done, or is doing, an act that can achieve the same purpose as the compliance with the subject obligation, and whether the CIO is subject to any alternative obligation that corresponds substantially to the subject obligation.
In any legal proceedings for an offence of non-compliance with the regulating authorities’ compliance directions or the above-mentioned obligations, the defendant can rely on a due diligence defence if the commission of the offence was due to a cause beyond its control, and it took all reasonable precautions and exercised all due diligence to avoid committing the offence. The onus is on the defendant to adduce evidence to support such a defence. The defence of reasonable excuse is available in relation to certain offences.
What to expect
The bill was introduced into the Legislative Council on 11 December 2024, with the second reading debate being adjourned. A bills committee has been formed, and its first meeting was held on 7 January 2025. Potential CIOs and service providers should watch this space for further developments. Given the bill’s significant public interest, it is standard practice for the bills committee to invite views from the public during a window of two to three weeks.
With significant obligations and penalties, ranging from HKD300,000 (USD38,500) up to HKD5 million plus daily penalties for a continuing offence, potential CIOs and service providers should follow developments closely and undertake suitable preparatory work, such as assessing the likelihood of designation, the readiness of their existing cybersecurity framework and organisational structure for compliance, and contractual provisions for risk allocation and mitigation.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Howard Wu (Shanghai) at howard.wu@bakermckenzie.com