Hong Kong Passes Cybersecurity Law to Strengthen Critical Infrastructure Protection
Hong Kong has passed a new cybersecurity law requiring operators of critical infrastructure to enhance computer security and report cybersecurity incidents, with non-compliance carrying penalties of up to HK$5 million ($640,000).
The law, which will take effect in 2026, aims to protect essential computer systems that support critical infrastructure. Security Chief Chris Tang emphasized that the law is not intended to target personal data or trade secrets, but rather to prevent disruptions or cyberattacks that could threaten public safety, the economy, and national security.
Scope of the Law and Compliance Requirements
The legislation applies to eight key industries, including banking, financial services, information technology, energy, transport, healthcare, and communications. Additionally, it covers major sports venues, performance centers, and research and development parks.
Under the new rules, affected operators must:
- Conduct annual security risk assessments.
- Undergo an independent security audit every two years.
- Report serious cybersecurity incidents within two hours.
Failure to comply could result in fines ranging from HK$500,000 to HK$5 million ($64,000 to $640,000), with additional daily fines for continued violations.
Authorities will notify relevant operators privately without publicly identifying them, to prevent them from becoming potential cyberattack targets.
Impact on Businesses and Foreign Investment
Some experts warn that the new regulations may increase compliance costs, particularly for data center operators. George Chen, Co-Chair of Digital Practice at consulting firm The Asia Group, suggested that stricter cybersecurity laws could potentially deter foreign investors, as Hong Kong has recently introduced multiple new regulations, including national security laws in 2020 and 2024.
Chen noted that investors value regulatory stability, and Hong Kong must balance its economic recovery efforts with maintaining an attractive business environment.
Unlike mainland China, which implemented a comprehensive cybersecurity law in 2016, Hong Kong has not had dedicated cybersecurity legislation until now. The introduction of this law marks a significant step toward aligning Hong Kong’s cybersecurity policies with global standards and protecting the city’s critical infrastructure from digital threats.
