Hong Kong's new cybersecurity bill: what does it mean?

With insights from

Dr. Kunal Sehgal
Former Principal Cybersecurity Consultant

Hong Kong’s 'Protection of Critical Infrastructures (Computer Systems) Bill' introduces strict cybersecurity mandates for organisations in critical sectors. The law aims to strengthen cyber hygiene by enforcing a comprehensive set of security controls, including regular risk assessments, real-time system monitoring, penetration testing, and timely incident reporting.

Organisations must not only implement robust cybersecurity measures but also demonstrate their effectiveness in mitigating cyber threats. Non-compliance may result in severe penalties, making it essential for businesses to take proactive steps towards meeting these new obligations. Compliance is no longer optional; it’s a legal imperative and the stakes couldn’t be higher.

The challenge also lies in the law’s ambiguity: it does not clearly define which organisations fall under the classification of 'critical infrastructure'. While it broadly targets sectors such as finance, telecommunications, healthcare, energy, and transportation, the lack of qualifying criteria may leave some businesses in limbo, uncertain about the need for compliance.

The risk? Unintentional non-compliance could trigger penalties, audits, or worse, expose vulnerabilities during a cyber crisis. With enforcement looming as early as 2026, businesses need to be proactive and ensure they are not caught off guard given this uncertainty.

A wake-up call for CIOs & CISOs of critical infrastructure operators

The Bill targets large organisations, especially those responsible for delivering essential services or maintaining vital societal and economic functions. Think of CIOs at financial institutions, power grids, transport networks, and telecom providers - sectors where a single cyber breach could paralyse operations or disrupt daily life.

With enforcement set to begin on January 1, 2026, organisations must act now to ensure they are ready and meet the requirements within the time frame. We advise focusing on the following topics:

Submit and implement a computer-system security management plan

You'll need to create a security management plan for your critical computer systems, following the requirements in Schedule 3.

Conduct computer-system security risk assessments

Assess the security risks of your critical computer systems. Complete the first assessment within 12 months of your designation date, then repeat at least annually. Each assessment must cover all matters in Schedule 4.

Arrange to carry out computer-system security audits

Arrange for an independent auditor to review your critical computer systems. Complete the first audit within 24 months of your designation date, then repeat at least every 24 months. Each audit must cover the specified period and all matters in Schedule 5.

Submit and implement an emergency response plan

Create an emergency response plan for security incidents affecting your critical computer systems. Prepare it following clause 27(3), covering all matters in Part 2 of Schedule 3.

The Protection of Critical Infrastructures (Computer Systems) Bill is a game-changer, and the window to prepare is closing fast.

At Zühlke, we understand the complexity of this new regulatory landscape. As a global technology partner, we’ve helped organisations across industries like BitMEX and Justitia.Swiss, the Swiss justice system, to fortify their cybersecurity frameworks and navigate compliance challenges.

“The introduction of this new legislation couldn't be more timely. With cyberattacks surging by approximately 39% year-on-year, according to HKCERT, the threat landscape is growing more dangerous by the day. This serves as a wake-up call, urging organisations to strengthen their cybersecurity defences, before they become the next target.”
Raphael Reischuk
Partner and Group Head Cybersecurity