Cybersecurity

Hong Kong: New cybersecurity legislation proposed

Latest developments

Currently, Hong Kong does not have specific legal requirements on the cyber security of critical infrastructures.

The plan to introduce new legislation to strengthen the cybersecurity of critical information infrastructure in Hong Kong (the “Plan”) was first announced in the 2021 Policy Address.

In April 2022, the Innovation and Technology Bureau and the Office of the Government Chief Information Officer submitted a paper on information security which, among other things, provides updates on the Plan to the Panel on Information Technology and Broadcasting of the Legislative Council.

On 25 May 2022, in a written reply to the Legislative Council regarding questions on cybersecurity standards in Hong Kong (the “Written Reply”), the Secretary for Innovation and Technology confirmed that preparatory work to clearly define cybersecurity obligations of critical information infrastructure operators (CII operators) in Hong Kong is underway.

Summary

With a view to strengthening the cybersecurity of critical information infrastructures in Hong Kong, the Policy Addresses of three consecutive years (2021, 2022 and 2023) all promoted the establishment of a management system by CII operators, coupled with the Government’s proposal to enact cybersecurity legislation.

The key takeaways from the Written Reply are as follows:

  • Legislation specific to cybersecurity of critical information infrastructures is needed to supplement the guidelines and requirements imposed by individual regulatory bodies in formulating a unified approach to cybersecurity in Hong Kong; and
  • The legislative proposals will reference cybersecurity standards adopted by other jurisdictions around the world.

According to the Report of the Panel on Security for submission to the Legislative Council (dated 7 December 2022), public consultation was originally set to kick off in early 2023. However, as of September 2023, according to the list of outstanding items for discussion by the Panel on Security, the need for public consultation on the legislative proposals on cybersecurity will only be revisited at the end of 2023 or in early 2024.

Details of the proposed legislation have yet to be revealed but the following would have a bearing on the effect and direction of the proposed legislation:

  • The proposed scope of the regulation and terms such as “CII operators” and “network operators”;
  • Whether there would be any restrictions on the transfer of data collected or generated by CII operators out of Hong Kong; and
  • The proposed authority for oversight and enforcement of the proposed legislation.

How could it be relevant for you?

Interested parties, such as finance, telecommunications and technology companies dealing with critical information infrastructure, should observe the upcoming public consultation and details of the proposed legislative changes and assess the likely impact on their operations.

Next steps

The Government is currently making preparations, including working on the draft legislative framework and soliciting views from industries, with a view to clearly defining the obligations of CII operators in respect of cybersecurity through legislation. The need for a public consultation exercise on the newly proposed cybersecurity legislation is now expected to be discussed in late 2023 to early 2024. Given the developments in cyber security legislation globally and in particular in China in recent years, it is expected that similar legislation will be introduced in Hong Kong in the near future.

*Information is accurate up to 27 November 2023
