
Hong Kong Enacts Cybersecurity Law to Protect Critical Infrastructure
Addressing Growing Cyber Threats to Essential Services

Hong Kong has passed a new law aimed at enhancing the protection of "critical infrastructure" against cyber attacks. The legislation, which targets entities across a variety of sectors, mandates strict security protocols to safeguard essential services, such as banking, air transport, healthcare, and more.
Purpose and Scope of the Law
The law was introduced in response to growing concerns about the vulnerability of critical systems to cyber threats, which could have severe consequences for societal and economic activities. It focuses on operators of critical infrastructure—large organizations in sectors such as energy, telecommunications, broadcasting, banking, and transportation.
The government clarified that the law does not extend to small- and medium-sized enterprises, nor does it affect personal data or commercial secrets. The aim is to ensure that the essential sectors that support the economy and public services are properly protected against potential disruptions.
Key Provisions and Penalties
Under the new legislation, organizations identified as "critical infrastructure operators" are required to conduct security audits, prepare contingency plans, and report cyber attacks affecting critical computer systems. Failure to comply with these obligations could result in substantial fines, up to HK$5 million (approximately $640,000).
The law is set to take effect at the beginning of next year, and a new government office will be responsible for designating the operators that fall under the law’s provisions.
Coverage of the Law
The law applies to a wide range of sectors deemed vital for the functioning of society, including:
- Energy
- Banking and Financial Services
- Healthcare
- Telecommunications and Broadcasting
- Information Technology
- Land, Maritime, and Air Transport
Authorities aim to ensure that infrastructure crucial to the functioning of Hong Kong’s economy and society is secure from cyber threats.
Concerns and Global Context
There has been some concern about the inclusion of the "information technology" sector, with some industry representatives calling the term too broad and unclear. However, the government gave assurances that the bill follows global standards set by countries such as the United States, the UK, Australia, and the European Union.
Additionally, the identities of the critical infrastructure operators will not be disclosed to avoid making them targets for cyber attackers. The law also extends to infrastructure located outside Hong Kong, such as overseas servers connected to Hong Kong-based operators.
Moving Forward
The new law marks a significant step in strengthening cybersecurity measures within Hong Kong's most essential sectors. While there were reservations from certain groups about the scope and impact of the law, the legislation has received broad support following consultations with various stakeholders. As Hong Kong continues to adapt to the evolving digital landscape, the law aims to ensure that its critical infrastructure remains resilient in the face of growing cyber risks.