The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

Critical Infrastructure (CI)

• Essential infrastructure in a specified sector in Hong Kong (telecoms and broadcasting, energy, IT, banking and financial services, air, land and maritime transport, healthcare services) or
• Infrastructure which if compromised will substantially affect critical societal or economic activities in Hong Kong.

Critical Computer Systems (CCS)

Designated computer systems (whether under the control of the operator or not) that are accessible in or from Hong Kong and are essential to the core function of a CI by CIO.

This means only those systems expressly designated by the Commissioner of Critical Infrastructure (Computer-system Security) will be regulated by the Bill.

Critical Infrastructure Operators (CIO)

Designated operators which operate a Specified CI.

A CI is a Specified CI if:

1. it is prescribed as a Specified CI under the designated authority within the specified sector; or
2. it is otherwise determined to be a Specified CI for the Commissioner in accordance with the Bill.

HONG KONG

PRC

REMARKS

Definition of CI

• Essential infrastructure in a specified sector in Hong Kong (telecoms and broadcasting, energy, IT, banking and financial services, air, land and maritime transport, healthcare services); or
• Infrastructure which if compromised will substantially affect critical societal or economic activities in Hong Kong.

• Key network facilities and info systems in important industries (e.g. public telecoms, energy, transport etc.) which if compromised will seriously endanger national security or economy, people’s livelihood or public welfare.

Key similarities: Both definitions are very similar in scope, stressing specific sectors as well as the negative impact if such CI is compromised (e.g. suffering damage, loss of functionality or data leakage).

Subject of regulation

CI, CIO and CCS

CI and CIO

Key similarity: Both laws place primary obligations on CIOs

Notable differences: The PRC position does not have a separate category for CCS and no express references to systems accessible in or from the jurisdiction.

Responsible Regulatory Authorities

Key authority: Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner).

Other currently designated authorities are the HKMA and CA.

While the primary power to designate CIOs and CCS rests with the Commissioner, the designated authorities will be involved in monitoring the discharging of organisational and preventive obligations (see Category 1 and 2 below).

Key authority: Cyberspace Administration of China (CAC).

Other authorities include public security departments and relevant departments of each important industry.

Key similarity: Both laws establish a regulatory mechanism whereby a central key regulator is supported by other regulatory bodies.

Comment: In line with majority respondents’ views, HKMA and CA are designated to regulate CIOs for Categories 1 and 2 obligations in their respective sectors, given their familiarity and capabilities. The Commissioner will regulate all sectors for Category 3 obligations.

Organisational Obligations (Category 1 Obligations)

• Maintain office in Hong Kong
• Notify operator changes
• Maintain computer-system security management unit (including employee with “adequate knowledge”)

• Notify operator’s merger, demerger, dissolution
• Maintain independent and specialised security management institutions and designate responsible persons

Key similarities: Both laws require establishment of dedicated internal units and personnel to oversee network security, as well as notification requirements regarding certain types of operator changes.

Preventive Obligations (Category 2 Obligations)

In relation to computer system:

• Notify material changes
• Implement security management plan
• Conduct security risk assessments at least once a year (this includes vulnerability assessment and penetrating testing)
• Conduct security audits at least once every 2 years

• Notify material changes
• Formulate internal security management systems
• Conduct cybersecurity detection and risk assessment at least once a year

Key similarities: Both laws require internal cybersecurity plans or policies in place, and periodical cybersecurity protective practices (the results of which must be submitted to the regulators).

Notable difference: In contrast to the Bill, the PRC position does not specifically prescribe an audit requirement.

Incident Reporting and Response Obligations (Category 3 Obligations)

• Partake in security drill
• Submit and implement emergency response plan
• Notify security incidents, as soon as possible:
  • within 12 hours (from awareness) if core function is or likely to be disrupted;
  • within 48 hours (from awareness) in any other case.

• Carry out drills periodically
• Formulate emergency response plans for cybersecurity incidents
• Promptly report network security incidents or major threats

Key similarities: Both laws contain similar incident reporting and response obligations.

Notable difference: The Bill is more prescriptive for the timing of incident reporting.

Comment: To strike a balance between regulatory aims and respondents’ concerns, the Bill relaxes the timing for reporting serious incidents (from 2 hours to 12 hours) and other incidents (from 24 hours to 48 hours).

Penalties for Non-Compliance

In general:

*Failure to notify operator changes is subject to HKD 3 M – 5 M.

Depending on the offence in question, the penalties typically range between RMB 100,000 – 1,000,000.

Comment: The maximum fines set out in the Bill largely align with the initial proposal by the Government in July 2024, despite respondents’ concerns that the fines are excessive.