Hong Kong’s 'Protection of Critical Infrastructures (Computer Systems) Bill' introduces strict cybersecurity mandates for organisations in critical sectors. The law aims to strengthen cyber hygiene by enforcing a comprehensive set of security controls, including regular risk assessments, real-time system monitoring, penetration testing, and timely incident reporting.
Organisations must not only implement robust cybersecurity measures but also demonstrate their effectiveness in mitigating cyber threats. Non-compliance may result in severe penalties, making it essential for businesses to take proactive steps toward meeting these new obligations. Compliance is no longer optional; it’s a legal imperative and the stakes couldn’t be higher.
The challenge also lies in the law’s ambiguity: it does not clearly define which organisations fall under the classification of 'critical infrastructure'. While it broadly targets sectors such as finance, telecommunications, healthcare, energy, and transportation, the lack of qualifying criteria may leave some businesses in limbo, uncertain about the need for compliance.
The risk? Unintentional non-compliance could trigger penalties, audits, or worse, expose vulnerabilities during a cyber crisis. With enforcement looming as early as 2026, businesses need to be proactive and ensure they are not caught off guard given this uncertainty.
A wake-up call for CIOs & CISOs of critical infrastructure operators
The Bill targets large organisations, especially those responsible for delivering essential services or maintaining vital societal and economic functions. Think CIOs of financial institutions, power grids, transport networks, and telecom providers, across sectors where a single cyber breach could paralyse business operations or disrupt daily life.
With enforcement set to begin on January 1, 2026, organisations must act now to ensure they are ready and meet the requirements within the time frame. We advise focusing on the following topics:
The Protection of Critical Infrastructures (Computer Systems) Bill is a game-changer, and the window to prepare is closing fast.
At Zühlke, we understand the complexity of this new regulatory landscape. As a global technology partner, we’ve helped organisations across industries, including BitMEX and Justitia.Swiss, the Swiss justice system, to fortify their cybersecurity frameworks and navigate compliance challenges.
“The introduction of this new legislation couldn't be more timely. With cyberattacks surging by approximately 39% year-on-year, according to HKCERT, the threat landscape is growing more dangerous by the day. This serves as a wake-up call, urging organisations to strengthen their cybersecurity defences, before they become the next target.”