Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 35
their CCSs. Non-compliance could result
in fines ranging from HK$500,000 to
HK$5 million.
Key obligations of the CI Operators include:
· Organisational: maintaining an office in
Hong Kong, reporting operator change
promptly, and maintaining a computer
system security management unit;
· Preventative: notifying the authorities of
significant changes to CCS, submitting
security management plans, performing
regular risk assessments and audits; and
· Incident reporting and response: participating
in security drills, submitting emergency response
plans, and notifying authorities of security
incidents in relation to CCSs, etc.
We expect the authorities to publish codes of
practice or guidance notes in the future, to spell
out the technical requirements and clarify how
the PCICSO is to be implemented in practice,
in the run-up to and even after the PCICSO’s
effective date of January 1, 2026.