Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 33
Asia-Pacific Data Privacy and Cybersecurity Guide 2025
The Protection of Critical Infrastructure
(Computer System) Ordinance
In late June 2024, the Security Bureau of
the Hong Kong SAR Government proposed
the first specific cybersecurity legislation in
Hong Kong, entitled the Protection of Critical
Infrastructure (Computer System) Bill (the
Bill), to strengthen the security of the computer
systems of critical infrastructure and minimize
the chance of essential services being disrupted
or compromised due to cyberattacks.
After a proposal for the Bill was released for
public consultation in July 2024, the draft
Bill was introduced to the LegCo for the
legislative process in late 2024. After rounds
of deliberation and further amendments, the
Bill was enacted on March 19, 2025, and the
Protection of Critical Infrastructures (Computer
Systems) Ordinance was gazetted on March 28,
2025 (the PCICSO).
The PCICSO marks the first standalone
cybersecurity law in Hong Kong, an important
step to narrow the gap between Hong Kong’s
cybersecurity regulatory requirements
and international standards. A regulatory
framework is established to empower
authorities to:
· Identify critical infrastructures (“CI”), which
deliver essential services in eight core sectors
(i.e. energy; information technology; banking
and financial services; air transport; land
transport; maritime transport; healthcare
services; and telecommunications and
broadcasting services), and those that
maintains important societal and economic
activities; and
· Designate operators of such CI (“CI
Operators”), and their computer system as
critical computer systems (“CCSs”).
The PCICSO imposes statutory obligations on
CIOs to establish and maintain cybersecurity
measures and internal policies in relation to
33
