News from the ITA network

20 March 2025

Hong Kong

HONG KONG PASSES ITS FIRST CYBERSECURITY BILL COVERING CRITICAL INFRASTRUCTURE

Hong Kong’s legislature has approved the city’s first bill targeted at cybersecurity for computer systems needed for critical infrastructure, with operators facing fines of up to HK$5 million (US$643,000) for failing to keep their systems up to date. The Legislative Council on Wednesday passed the Protection of Critical Infrastructures (Computer Systems) Bill amid a spate of cyberattacks against essential service providers.

Secretary for Security Chris Tang Ping-keung said authorities would start setting up a commissioner’s office and shortlisting affected operators by June, with a target for the legislation to come into effect on January 1, 2026.

The bill covers infrastructure in eight areas deemed crucial to the normal functioning of society – the energy, information technology, banking, communications, maritime and healthcare services, and land and air transport sectors. Other infrastructure operators maintaining critical social and economic activities, such as those managing major sports and performance venues, as well as research and development parks, were also included.

“The purpose of the bill is to establish legal requirements for organisations designated as critical infrastructure operators, to ensure they take appropriate measures to protect their computer systems and reduce the impact of their operations on society and residents’ daily lives in the event of a cyberattack,” Tang said.

Operators will also bear responsibility for implementation of the bill’s requirements, even if they employ contractors to run the infrastructure. “Even if they outsource the work, they cannot outsource the responsibility,” Tang added.

Lawmaker Duncan Chiu, who represents the technology and innovation sector, asked whether the list of operators should be revealed and what the timeline was for businesses to comply with the new law.
“Many businesses related to the eight sectors are still guessing whether they are included under the new bill,” he said. “I hope the authorities can have clear guidelines on the definition of critical infrastructure operators, and who is included, so those potentially targeted by the bill have time to prepare.”

However, Tang said the list of companies that fell under the bill would not be made public in a bid to shield them from becoming potential terrorist targets. Tang said the bill did not have any extraterritorial powers and it only targeted large organisations and would not affect most small and medium-sized enterprises or the public.

“The purpose of the added responsibility is to protect the security of critical computer systems, and does not target personal data or commercial secrets,” he said.

The bill aims to protect the security of the critical computer systems of critical infrastructure, regulate their operators and legislate for investigations into the security of those systems.

Operators of essential infrastructure in the eight sectors face a HK$5 million fine if they fail to keep the security of their critical computer systems up to date. They must maintain an office in Hong Kong, conduct risk assessments at least once a year and report their findings to the commissioner’s office that will be created under the Security Bureau. They must also notify the office in the event of an exposure issue within 12 hours.

Hong Kong has suffered a disturbing increase in cyberattacks, including a theft of data from government-funded tech hub Cyberport in 2023. Last year, Union Hospital in Tai Wai revealed that it had fallen prey to a ransomware attack. Hackers reportedly used ransomware called “LockBit” to target it and demand a US$10 million ransom, which the hospital refused to pay.

https://www.scmp.com/news/hong-kong/law-and-crime/article/3303050/hong-kong-passes-its-first-cybersecurity-bill-covering-critical-infrastructure
https://hongkongfp.com/2025/03/20/hong-kong-security-chief-declines-to-disclose-information-as-lawmaker-asks-about-usaid-funding-in-city/
(ICE HONG KONG)


News source: South China Morning Post