
Hong Kong has enacted a new law aimed at strengthening cybersecurity measures for critical infrastructure systems. The legislation imposes fines of up to HK$5 million for inadequate protection against cyberattacks. This regulatory framework establishes legal obligations for operators of facilities deemed essential to the public interest, encompassing both public and private entities operating within priority sectors.
According to a statement by Secretary for Security Chris Tang, the regulation will apply to systems within the energy sector, information technology, banking and finance, and all modes of transportation—land, air, and maritime. The law also extends to telecommunications, broadcasting, and IT infrastructure within the healthcare sector.
Special emphasis is placed on facilities serving key social and economic functions, including sports arenas, concert venues, and science parks. Entities within these categories are now required to conduct regular risk assessments and ensure timely incident response.
The law grants authorities the power to install software or access systems associated with critical infrastructure, should an operator be incapable of mitigating the threat independently. While these actions require a court order, they have nonetheless raised concerns among international technology companies and human rights organizations.
The Asia Internet Coalition and the American Chamber of Commerce in Hong Kong have cautioned that such broad authority may deter investment and hinder the growth of the technology sector. The UK-based rights group Article 19 described the legislation as “excessive,” particularly in allowing requests for any form of information on suspicion of wrongdoing.
Despite the criticism, Hong Kong authorities and the Legislative Council contend that comparable regulations are already in effect in the United States, the United Kingdom, and European Union member states. Tang reassured the public that personal data and trade secrets fall outside the scope of the law, as do government departments.
Ironically, it is precisely those departments and affiliated institutions—including the Fire Services Department, the Electoral Affairs Office, and Cyberport—that have recently suffered data breaches. Nonetheless, the new measures are designed to target large-scale organizations rather than individual agencies or citizens.
The law also applies to both in-house and external IT teams responsible for maintaining critical infrastructure. While the legislation lacks extraterritorial reach, it may extend to overseas servers if they are linked to Hong Kong-based operators.
Operators must submit an annual risk assessment report and are obligated to notify authorities of any cybersecurity incident within 12 hours of detection. For security reasons, the list of regulated entities will remain confidential. According to Permanent Secretary for Security Patrick Li, more than one hundred organizations will fall under the purview of the new regulations.
The bill was introduced in the summer of last year following a surge in cyberattacks that targeted universities, non-profit organizations, and hospitals. Data from the Office of the Privacy Commissioner for Personal Data reveals that approximately 70% of companies in Hong Kong encountered cyber threats over the past year, underscoring the urgency behind the legislative action.