In brief

On 6 December 2024, the Hong Kong Government published a draft of the Protection of Critical Infrastructures (Computer Systems) Bill (“Bill”), marking a significant step towards enhancing cybersecurity standards in relation to essential services and critical societal or economic activities in Hong Kong. The Bill aims to protect the security of the critical computer systems (CCSs) of critical infrastructures (CIs), to regulate operators of CIs (i.e., critical infrastructure operators (CIOs)) and to provide for the investigation into, and response to, computer-system security threats and incidents. This article considers the key provisions of the Bill, compares the differences between the original legislative proposal and the Bill, and discusses areas of uncertainty with some key takeaways as things stand now.


With significant obligations and penalties (from HKD 300,000 up to HKD 5 million, plus a daily penalty for a continuing offence), potential CIOs and service providers should watch this space closely for further developments and undertake suitable preparatory work, such as assessing the likelihood of designation, the readiness of their existing cybersecurity framework and organizational structure for compliance, and contractual provisions for risk allocation and mitigation.

Key takeaways

The draft provides much-needed clarity on various aspects of the legislative framework, particularly regarding the process of designation of CIOs and CCSs, as well as compliance standards. Organizations are recommended to conduct self-assessments to determine the likelihood of being designated by the Regulating Authorities. We are able to assist with assessments of the likelihood of an individual infrastructure or operator being regarded as a CI or a CIO, respectively.

For organizations with a higher likelihood of being designated, it is advisable to consider their existing cybersecurity framework in order to ensure compliance with the three categories of obligations, and to start formulating the required CCS management plans and/or emergency response plans in accordance with the requirements outlined in Schedule 3 of the Bill. This is especially important for multi-nationals facing competing obligations under different legal regimes (e.g., the EU’s NIS2 Directive) and organizations subject to additional sector-specific regulations. We are able to assist with drafting such plans and revising them once the COPs are available.

Potential CIOs and customers that rely on CIs should review existing supplier contracts in light of the Bill to ensure sufficient protection, especially for provisions relating to compensation, audit rights, service levels and termination. Third-party service providers (e.g., cloud providers) may expect that their CIO customers will attempt to flow down certain obligations under the Bill, given the liability of CIOs in relation to CIs.

Particularly for companies with interconnected computer systems located outside of Hong Kong, it is important to consider whether computer system accessibility limitations need to be imposed, as many of the Bill’s obligations depend on accessibility rather than geographical location or control.

* * * * *

Jacqueline Wong, Knowledge Lawyer, has contributed to this legal update.

Author

Dr. Isabella Liu is the head of the Firm's Asia Pacific Intellectual Property and Technology Group. She advises clients on matters relating to the creation, exploitation and protection of IP rights. She is also responsible for the local IP Group's China and Hong Kong patent prosecution matters. Previously, Dr. Isabella Liu was the head of the Firm's Asia Pacific Healthcare and Life Sciences Industry Group for three years, leading a team of legal experts in this field across multiple practices in the region. Dr. Liu is ranked as a leading lawyer in her field by top legal directories such as Chambers Asia Pacific for the Life Sciences category and IAM Patent. She has been complimented by clients that she possesses "a superb ability to understand the most complex technologies" and was noted for "advis[ing] in a way that is very commercial and strategic." Dr. Liu is also engaged as a regular guest lecturer by the University of Hong Kong's Department of Pharmacology and Pharmacy to share her expertise on intellectual property in the pharmaceutical industry with HKU students.

Author

Dominic Edmondson is a special counsel in Baker McKenzie's Hong Kong office and a member of the Firm's Intellectual Property Practice Group. His practice focuses on information technology advisory work, IT sourcing & transactions, cybersecurity, e-commerce, telecommunications, global data privacy and data protection, digital media as well as contentious and non-contentious intellectual property matters. Dominic has a keen interest in AI, big data and distributed ledger technology and their impact on business in the Greater China region. He studied Mandarin and put it to good use advising clients on intellectual property strategy and enforcement in Mainland China, where he worked for four years (in Beijing) before moving to Hong Kong.