Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Hong Kong
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

Legal Update: The Protection of Critical Infrastructure (Computer Systems) Bill will come into effect on 1 January 2026

26 Mar 2025 Hong Kong SAR, China 3 min read

The Protection of Critical Infrastructure (Computer Systems) Bill was passed by Legislative Council on 19 March 2025.  As Hong Kong’s first standalone legislation on enhancing the overall cybersecurity, it sets out a comprehensive regulatory framework and lays down the statutory requirements for the protection of computer systems within critical infrastructures, signifying an important step for aligning Hong Kong's cybersecurity practices with international standards, improving its global standing and attractiveness for international business and investment.

Key Takeaways from the Bill:

  1. Establishment of Regulatory Authorities: the Commissioner of Critical Infrastructure (Computer-system Security) will be appointed and specific entities responsible for managing and regulating critical infrastructures will be established.
  2. Regulating Critical Infrastructure Operators (“CI Operators”) and Critical Computer Systems: CI Operators and Critical Computer Systems will be ascertained, designated and notified by the regulatory authorities.  Eight sectors, namely, energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, fall within the definition of critical infrastructure.
  3. Key obligations of CI Operators: maintaining an office in Hong Kong, establishing dedicated security management units, submitting and implementing security management plans and performing regular risks assessment and audits.

Implications for Businesses:

  1. For large organizations that operate critical infrastructures, once designated as a CI Operator, more resources will need to be allocated for the purpose of complying with the new regulatory standards and maintaining compliance.
  2. For smaller businesses, if they are part of the supply chain of CI Operators, they will likely be required by CI Operators to meet the same regulatory standards.  Terms of the relevant service contracts may need to be renegotiated or amended.
More insights
Banking & Finance Energy & Climate Change Infrastructure & Projects

Explore more

Event Hong Kong SAR, China

IP Insights webinar series 2026

28 Apr 2026
Expert Guide International

CMS Expert Guide for taking security in Hong Kong

15 min read
Publication Hong Kong SAR, China

CMS toolkit series

02 Jul 2025 1 min read
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.