Key Highlights of the Protection of Critical Infrastructures (Computer Systems) Bill
Insight Articles | 19 February 2025 | Asia Pacific | Tech & AI evolution
This article delves into some major highlights of the recently gazetted Protection of Critical Infrastructures (Computer Systems) Bill (the “Bill”), [1] which was introduced into the Legislative Council for First Reading and Second Reading on 11 December 2024.
The Bill aims to impose statutory requirements to strengthen the security of the computer systems of critical infrastructures (“CIs”) in Hong Kong, regulate the critical infrastructure operators (“CIOs”) and provide for the investigation into, and response to, computer-system security threats and incidents.
1. Who will be the Regulatory Authorities?
The Security Bureau will set up a New Commissioner’s Office headed by a Commissioner [2] appointed by the Chief Executive, supported by the Designated Authorities, including:
(i) the Monetary Authority, for regulating the banking and financial services sector; and
(ii) the Communications Authority, for regulating the communications and broadcasting sector.
2. What does the Bill intend to regulate?
Only those expressly designated as CIs, CIOs and critical computer systems (“CCSs”) will be regulated and subject to statutory obligations.
What are CIs? Under the Bill, it is proposed that CIs should cover:
(i) infrastructure that is essential to the continuous provision in Hong Kong of an essential service in the following 8 sectors: energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, or
(ii) any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong.
When ascertaining whether an infrastructure is a CI, the regulatory authority will consider factors such as the services provided by that infrastructure, and what practical implications there could be if the infrastructure were damaged, lost functionality or suffered any data leakage.
Who are the CIOs? CIOs are organisations designated under section 12. When designating or revoking a CIO, the regulatory authority may consider factors such as how dependent the core function of the CI concerned is on the computer systems, the sensitivity of the digital data controlled by the organisation in respect of the infrastructure, and the extent of control the organisation has over the operation and management of the infrastructure. Generally speaking, CIOs will mostly be large organisations, while small and medium enterprises and the general public will not be affected.
What are CCSs? CCSs are computer systems that are accessible by a CIO in and from Hong Kong and are essential to the core functions of a CI, such that, if the systems were interrupted or damaged, the normal functioning of the CI would be seriously impacted. When designating or revoking a CCS, the regulatory authority may consider matters such as the role of the system in respect of the core function of the CI concerned, how that core function would be impacted if the system were disrupted or destroyed, and the extent to which the system is related to any other computer systems of the CIO concerned.
3. Which obligations are to be imposed on the CIOs?
The Bill groups the obligations imposed on CIOs into four categories:
(i) Organisational Obligations;
(ii) Prevention of Threats and Incidents;
(iii) Incident Reporting and Response Obligations; and
(iv) Reporting Obligations.
4. What are the penalties for non-compliance?
In principle, penalties will be imposed on an organisational basis and will be monetary fines. For instance, CIOs may be liable to a maximum fine of HK$5 million for failure to participate in computer-system security drills or to notify computer-system security incidents. That said, if the relevant violation involves infringement of existing criminal legislation, such as making false statements or committing other fraud-related offences, the officers involved could be held criminally liable.
5. What are the investigative powers of the Commissioner?
Under the Bill, the Commissioner may direct an authorised officer to make inquiries to identify the cause of an event, or to carry out an investigation into a security threat. The authorised officer can also require the CIO to produce documents and, if specified conditions are met, apply to a magistrate for a warrant to enter the CIO’s premises to search for, inspect, make copies of and seize evidence.
6. Will personal data be governed by the Bill?
The Security Bureau has explicitly stated that the Bill is not targeted at personal data or commercial confidential information. In practice, however, cyber-attacks against CIs and CCSs may well result in personal data being leaked, especially as CIOs are usually large organisations holding vast amounts of personal data. It has been further clarified that CIOs are required to report to both the Commissioner’s Office and the Privacy Commissioner for Personal Data when a computer-system attack incident results in a personal data leak.
Next steps
Given the extensive obligations imposed on CIOs, potential CIOs should consider whether they fall within the scope of the Bill and, if so, review their existing cybersecurity measures and consider the type of implementation or framework that they would need to put in place to ensure compliance with the Bill when it comes into effect.
[1] https://www.elegislation.gov.hk/hk/2024/12/06/supp3/5!en
[2] The Commissioner of Critical Infrastructure (Computer-system Security)