Hong Kong has recently gazetted the Protection of Critical Infrastructures (Computer Systems) Bill (“PCI Bill”). It has also been presented to the Legislative Council for the first and second reading.
At present, there are no statutory provisions in Hong Kong aimed at safeguarding the computer systems of critical infrastructure operators. The proposed PCI Bill intends to close this regulatory gap by imposing certain duties on operators and establishing a Commissioner’s Office to oversee compliance. This move is expected to align Hong Kong with international cybersecurity standards already in force in jurisdictions such as the EU and Australia.
Critical infrastructure refers to any infrastructure essential for the ongoing provision of a critical service in a specified sector in Hong Kong, or any other infrastructure whose damage, loss of functionality, or data breach could disrupt or significantly impact the continuity of important societal or economic operations in Hong Kong. For instance, the banking, healthcare, telecommunications, and transport sectors fall within the above definition.
Under the PCI Bill, statutory obligations fall into three categories: organisational obligations, preventive obligations, and incident reporting and response obligations. Critical infrastructure operators are required to form specialist units tasked with overseeing the implementation of security measures to bolster their defences against cyber threats.
In the event of a security incident, operators must notify the Commissioner’s Office while concurrently following their previously devised emergency response protocols. The Commissioner’s Office would in turn provide prompt assistance and take proactive measures to lessen the impact of a cyberattack, thereby ensuring the continuity of critical infrastructure operations.