In response to escalating cyber threats, Hong Kong enacted the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), which received Legislative Council approval on March 19, 2025, and was gazetted on March 28. It becomes effective on January 1, 2026, with designated operators (CIOs) and their critical computer systems (CCSs) becoming subject to its requirements.
The goal: protect essential services, including energy, finance, transport, healthcare, IT, and telecom & broadcasting, from major cyber disruptions that could destabilize society or the economy.
1. Who Must Comply, and When Designation Happens
Not every company is automatically covered. Only those formally designated by the Office of the Commissioner of Critical Infrastructure (CCI), to be set up under the Security Bureau by mid-2026, will become CIOs responsible for CCSs.
Phased Designation Process
- Mid‑2026 onward: the CCI begins designation in phases
- Operators will be grouped into priority categories (e.g., energy, finance, transport, healthcare, IT, telecom & broadcasting, plus R&D and major venues)
- Formal obligations (such as plans, audits, risk assessments) kick in within months of designation, even before the law’s January 2026 effective date
2. Obligations of CIOs and CCSs: What Must Be Done, and When
Once designated, organizations must meet obligations in three core areas:
A. Organizational Setup
- Local presence: Maintain an office or in-region address for liaison
- Security leadership: Appoint a senior team or CIO security manager
- Change notifications: Inform the CCI of ownership or operatorship changes within 30 days
B. Preventive Cybersecurity Measures
- Computer-system Security Management Plan (CMP): Submit within 3 months of designation. Must cover systems, personnel, risk identification, access controls, threat detection, and training
- Emergency Response Plan (ERP): Also due within 3 months; to include response team responsibilities, incident thresholds, reporting procedures (internal and to the CCI), recovery plans, public communication, and post-mortem steps
- Annual Risk Assessments: Yearly cybersecurity risk analyses and biennial independent audits, with reports submitted within 3 months
C. Incident Reporting and Drills
- Serious incident reporting: Events causing service disruption must be reported within 2 hours of detection or up to 12 hours, depending on severity
- Less severe incidents: Must be notified per regulatory guidance (typically within 24 hours)
- Incident drills: Participating in periodic simulations as organized by the CCI
4. Sector-Specific Timelines: When to Act
Since designation is phased, obligations follow soon after. Here’s a sector-by-sector breakdown based on global cybersecurity patterns (HK closely mirrors Australia, UK & EU timelines):
Sector | Estimated Designation Date | Key Deliverable Deadlines (within 3 months of designation) |
--- | --- | --- |
Energy (electricity, gas) | Q2–Q3 2026 | CMP and ERP by Q4 2026; risk & audit reporting by Q1 2027 |
Banking & Finance | Q3–Q4 2026 | Plans due Q1 2027; follow-up by mid-2027 |
IT & Telecom/Broadcasting | Q3–Q4 2026 | Security plans by Q1 2027 |
Transport (air, land, sea) | Q4 2026–Q1 2027 | Plans due Q2 2027; audits by Q3 2027 |
Healthcare | Q4 2026–Q1 2027 | Similar timelines to transport |
Other (R&D parks, venues) | By 2027 | Follow similar phased deadlines |
Exact schedules depend on each sector’s designated month. Once designated, you have 3 months to submit your core plans.
5. Penalties & Enforcement: What’s at Risk
Monetary Fines
- One-off fines: Up to HK$5 million (~US$640,000) per offence
- Ongoing non-compliance: Daily fines of HK$50,000 to HK$100,000 if violations continue after the due dates
Other Consequences
- Enforcement orders: The CCI can mandate corrective measures.
- Public exposure: Authorities may disclose non-compliance, risking reputational damage.
- Operational impact: CIOs may be subject to additional audits or monitoring.
Individual liability is limited unless there is false information or criminal intent; only then could executives face personal penalties.
6. Why This Matters
Operational Resilience
Structured risk assessments and emergency planning help you avoid outages and ensure service continuity.
Stakeholder Confidence
Complying demonstrates integrity to customers, vendors, regulators, and investors. Hong Kong’s enforcement approach is credible and globally watched.
Regulatory Preparedness
Aligning with HK’s time-bound obligations puts organizations ahead of similar cybersecurity regimes worldwide, especially with rising scrutiny around AI, data, and automation.
Supply Chain Security
Vendors, suppliers, or contractors of CIOs will face rising requirements. Early internal compliance avoids bottlenecks in procurement and operations.
7. How to Prepare
Here’s a comprehensive compliance process you can follow before your sector’s designation window opens:
Step 1: Pre-Designation Audit
- Catalog systems and business functions
- Conduct internal penetration testing and identify vulnerabilities
- Assess whether any systems will likely be deemed “CCSs”
Step 2: Engage with Regulators
- Monitor CCI-related updates published via the HK Government gazettes and the Security Bureau communications.
- Initiate industry-wide contingency planning groups
Step 3: Assemble Your Cybersecurity Team
- Appoint security leads
- Define roles, responsibilities, escalation protocols, and reporting structures.
Step 4: Draft & Submit Core Plans
- Align CMP & ERP templates tightly with the Ordinance’s schedules
- Base them on global best practices (e.g., NIST, ISO 27001)
- Hold tabletop exercises simulating serious cyber incidents
Step 5: Schedule Risk & Audit Cycles
- Set annual internal risk assessment dates
- Engage with auditors to set audits every 2 years
- Automate evidence collection to streamline reporting
Step 6: Train, Drill & Demonstrate
- Mandatory staff training on incident detection and reporting
- Regular simulated-breach drills that rehearse the statutory reporting deadlines
Step 7: Build Compliance Governance
- Hold quarterly steering committee meetings
- Maintain an issues log and track impact and remediation timelines
- Automate near-real-time incident logging with alerts
Step 8: Supplier & Vendor Compliance
- Map out vendor dependencies supporting CCSs
- Embed minimum security requirements (e.g., incident notification within 24 h) in contracts
- Run third-party security assessments annually
8. What Comes Next
Guidance & Code of Practice (CoP)
The CCI will release a CoP outlining minimum standards for the CMP, ERP, and audits; it will be a must-read once published.
Ongoing Monitoring
Expect periodic updates to compliance requirements, particularly around cross-border data, encryption standards, IIoT, AI governance, and cloud infrastructure.
Cross-Jurisdictional Alignment
Hong Kong is aligning with global regulations (NIS2, Australia’s Critical Infrastructure Act, UK’s DPA) to support international investors and trade.
10. Next Steps: Navigating Your Sector’s Path
Identify your anticipated designation period:
- Energy: prep by Q2–Q3 2026, aim to submit CMP/ERP by Q4 2026
- Finance: target Q3–Q4 2026 designation, plan submission by Q1 2027
- Transport/Healthcare/IT/Telecom: ready for Q4 2026–Q1 2027, with submissions by Q2 2027
Start now by downloading our free, detailed compliance roadmap below that includes:
- Sector-by-sector timeline charts
- Template CMP/ERP outlines aligned with Schedule 3
- Audit checklists and vendor briefings
- Best-practice benchmarks (e.g., NIST CSF alignment)
Staying Ahead of 2026
- Legislation is real: Passed in March 2025, effective Jan 1, 2026 (Legislative Council of Hong Kong, China Briefing).
- Designation begins mid‑2026, with compliance triggers within months (Eversheds Sutherland).
- Penalties include up to HK$5M per offence + HK$50K–100K/day for ongoing breaches (Reuters).
- Compliance improves resilience, readiness, investor confidence, and supply chain security.
Act early, even if designation comes months down the line, to avoid missed deadlines, costly fines, audits, and reputation risks.
Book a free compliance consultation with our smart AI-powered consultancy team at ComplyNexus or explore our automated tools uniquely tailored for critical infrastructure operators.