Currently, Hong Kong does not have specific legal requirements on the cyber security of critical infrastructures.
The plan to introduce new legislation to strengthen the cybersecurity of critical information infrastructure in Hong Kong (the “Plan”) was first announced in the 2021 Policy Address.
In April 2022, the Innovation and Technology Bureau and the Office of the Government Chief Information Officer submitted a paper on information security which, among other things, provides updates on the Plan to the Panel on Information Technology and Broadcasting of the Legislative Council.
On 25 May 2022, in a written reply to the Legislative Council regarding questions on cybersecurity standards in Hong Kong (the “Written Reply”), the Secretary for Innovation and Technology confirmed that preparatory work to clearly define cybersecurity obligations of critical information infrastructure operators (CII operators) in Hong Kong is underway.
With a view to strengthening the cybersecurity of critical information infrastructures in Hong Kong, the Policy Addresses in the three consecutive years 2021, 2022 and 2023 all promoted the establishment of a management system by CII operators coupled with the Government’s proposal for the enactment of cybersecurity legislation.
The key takeaways from the Written Reply are as follows:
According to the Report of the Panel on Security for submission to the Legislative Council (dated 7 December 2022), public consultation was originally set to kick off in early 2023. However, as of September 2023, according to the list of outstanding items for discussion by the Panel on Security, the need for public consultation on the legislative proposals on cybersecurity will only be revisited at the end of 2023 or in early 2024.
Details of the proposed legislation have yet to be revealed but the following would have a bearing on the effect and direction of the proposed legislation:
Interested parties, such as finance, telecommunications and technology companies dealing with critical information infrastructure, should observe the upcoming public consultation and details of the proposed legislative changes and assess the likely impact on their operations.
The Government is currently making preparations, including working on the draft legislative framework and soliciting views from industries, with a view to clearly defining the obligations of CII operators in respect of cybersecurity through legislation. The need for a public consultation exercise on the newly proposed cybersecurity legislation is now expected to be discussed in late 2023 to early 2024. Given the developments in cyber security legislation globally and in particular in China in recent years, it is expected that similar legislation will be introduced in Hong Kong in the near future.
*Information is accurate up to 27 November 2023