Frequently Asked Questions
The purpose of the proposed legislation is to regulate and strengthen the security of the computer systems of critical infrastructure. This will ultimately minimize the risk of essential services being disrupted or compromised due to cyber-attacks - enhancing the overall computer system security in Hong Kong.
- Fostering good preventive management systems by operators of critical infrastructure.
- Reducing the risk of supply chain issues and disruptions to critical services.
- Enabling the smooth operation of essential services.
- Consolidating Hong Kong’s favorable business environment and status as an international financial center.
- Promoting a positive image of Hong Kong in the global community for adherence to critical cybersecurity protocols.
The proposed legislation seeks to regulate operators of critical infrastructure that is necessary for the continuous delivery of essential services or for maintaining important societal and economic activities in Hong Kong. Only operators of critical infrastructure (CIOs) will be regulated - in practice, mostly large organizations. Small and medium enterprises and the general public will not be affected.
No, the proposed legislation will only require operators of critical infrastructure to bear the responsibility for securing their Critical Computer Systems - without targeting or accessing the personal data or commercial secrets therein.
Critical infrastructure can be categorized into two groups under the proposed legislation:
- Infrastructure for delivering essential services in Hong Kong, covering the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.
- Other infrastructures for maintaining important societal and economic activities, such as major sports and performance venues, research and development parks, and more.
Critical infrastructure under the proposed law will not cover the Government, which has already put in place a detailed set of internal Government Information Technology Security Policy and Guidelines.
Designated operators of critical infrastructure ("CIOs") will need to fulfill three types of obligations:
- Organizational
- Preventive
- Incident Reporting and Response
Under the proposed legislation, operators of critical infrastructure will need to report computer system security incidents to the Commissioner's Office so that the Commissioner can direct a timely response where needed.
- Reports on serious security incidents need to be made within 2 hours after becoming aware of the incident.
- Other computer system security incidents need to be reported within 24 hours after becoming aware of the incident.
The proposed offenses include:
- CIOs' non-compliance with statutory obligations.
- CIOs' non-compliance with written directions issued by the Commissioner's Office.
- Non-compliance with requests of the Commissioner's Office under the statutory power of investigation.
- Non-compliance with requests of the Commissioner's Office to provide relevant information relating to a CI.
While the legislative intent is to have operators of critical infrastructure enhance the security of their computer systems rather than to punish them, organizations will still be fined for violations - with maximum fines ranging from HK$500,000 to HK$5 million. However, if a violation also involves a breach of existing criminal legislation, such as making false statements, using false instruments, or other fraud-related offenses, the officers involved may, as is already the case today, be held personally criminally liable.
Yes, an appeal board will be established to allow CIOs to appeal against a CIO or CCS designation or a written direction issued by the Commissioner's Office.
Some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators. The proposed legislation would designate certain sector regulators as designated authorities to monitor the discharge of organizational and preventive obligations by these essential service sectors.
This approach allows the designated authorities to establish sets of standards and requirements, on organizational and preventive obligations, under their existing regulatory regimes that best suit the sectors’ needs. Operators of critical infrastructure in these sectors will not need to fulfill additional requirements of the Commissioner’s Office concerning these two types of obligations.
At this stage, the agency proposes to designate (1) the Monetary Authority as the authority responsible for regulating some service providers in the banking and financial services sector, and (2) the Communications Authority as the authority responsible for regulating some service providers in the communications and broadcasting sector.
Yes. In formulating a regulatory regime suitable for Hong Kong, the proposed legislation draws on the legislative approaches of other jurisdictions, including Mainland China, the Macao Special Administrative Region, Australia, the European Union, Singapore, the United Kingdom, and the United States.