Prepare your organization for Hong Kong's Protection of Critical Infrastructures (Computer Systems) Bill. Effective January 1, 2026, designated operators must comply with stringent security requirements or face penalties up to HK$5 million.
Hong Kong's Protection of Critical Infrastructures (Computer Systems) Bill was passed on March 19, 2025, establishing comprehensive security requirements for designated operators.
A new Commissioner's Office under the Security Bureau will oversee compliance, supported by Designated Authorities for specific sectors.
The Bill applies to designated Critical Infrastructures (CIs), Critical Infrastructure Operators (CIOs), and Critical Computer Systems (CCSs).
Non-compliance can result in fines from HK$300,000 to HK$5 million, with additional daily fines for continuing offenses.
The Bill covers eight essential service sectors, plus other infrastructure whose damage could substantially affect critical societal or economic activities.
Power generation, transmission, and distribution facilities
Data centers, cloud services, and IT infrastructure
Banks, payment systems, and financial institutions
Airports, air traffic control, and aviation services
Railways, tunnels, and public transportation systems
Ports, shipping, and maritime logistics
Hospitals, clinics, and medical facilities
Telecom networks, ISPs, and broadcast services
Major sports and performance venues, technology parks, and other infrastructure whose damage or data leakage could substantially affect critical societal or economic activities.
Critical Infrastructure Operators must fulfill three categories of obligations under the Bill.
Comprehensive services to help your organization achieve and maintain compliance with the Protection of Critical Infrastructures Bill.
Comprehensive gap analysis to evaluate your current security posture against CI Bill requirements and identify areas requiring improvement.
Development of comprehensive security management plans aligned with CI Bill requirements and industry best practices.
Mandatory annual security risk assessments to identify, evaluate, and prioritize security threats to your critical computer systems.
Independent security audits conducted every two years to verify compliance and assess the effectiveness of security controls.
Development and implementation of emergency response plans to meet the Bill's incident reporting and response requirements.
Assistance in establishing and staffing your Computer System Security Management Unit with qualified professionals.
A structured approach to achieving CI Bill compliance before the July 2026 deadline.
Comprehensive gap analysis to understand your current compliance status and identify critical areas requiring attention.
Identify and document all Critical Computer Systems within your organization and their dependencies.
Develop comprehensive security policies, procedures, and governance frameworks aligned with CI Bill requirements.
Implement required security controls, establish the Security Management Unit, and deploy monitoring capabilities.
Conduct security assessments, tabletop exercises, and validate incident response procedures.
Maintain compliance through annual risk assessments, biennial audits, and continuous monitoring.
Now is the time to assess your readiness and begin implementation. Our experts are ready to guide you through every step of the compliance process.