Hong Kong’s legislature has approved the city’s first bill targeted at cybersecurity for computer systems needed for critical infrastructure, with operators facing fines of up to HK$5 million (US$643,000) for failing to keep them up to date.
The Legislative Council on Wednesday passed the Protection of Critical Infrastructure (Computer System) Bill amid a spate of cyberattacks against essential service providers.
Secretary for Security Chris Tang Ping-keung said authorities would start setting up a commissioner’s office and shortlisting affected operators by June, with a target for the legislation to come into effect on January 1, 2026.
The bill covers infrastructure in eight areas deemed crucial to the normal functioning of society – the energy, information technology, banking, communications, maritime and healthcare services, and land and air transport sectors.
Other infrastructure operators maintaining critical social and economic activities, such as those managing major sports and performance venues, as well as research and development parks, were also included.
“The purpose of the bill is to establish legal requirements for organisations designated as critical infrastructure operators, to ensure they take appropriate measures to protect their computer systems and reduce the impact of their operations on society and residents’ daily lives in the event of a cyberattack,” Tang said.
