Hong Kong has passed a cybersecurity law aimed at strengthening the city’s critical infrastructure against cyber threats. The new legislation, titled the Protection of Critical Infrastructures (Computer Systems) Bill, was approved by the Legislative Council on Wednesday. The Hong Kong cybersecurity law introduces stringent cybersecurity requirements for organizations managing key infrastructure sectors, imposing fines of up to HK$5 million for non-compliance.
Security Minister Chris Tang emphasized that the law’s primary objective is to establish legal requirements for organizations designated as critical infrastructure operators. The regulation covers multiple sectors, including:
- Energy
- Information technology
- Banking and financial services
- Land, air, and maritime transport
- Communications and broadcasting
- Healthcare services
Additionally, infrastructure supporting critical societal or economic activities, such as sports stadiums, performance venues, and technology parks, will also be subject to cybersecurity regulations. This broad scope reflects the government’s commitment to securing Hong Kong’s digital landscape.
Controversy Over Government Powers
The Hong Kong cybersecurity law grants the government authority to seek court warrants to access computer systems or install monitoring software on critical infrastructure networks if operators fail to respond adequately to cybersecurity incidents. This provision has sparked concerns from international tech firms and advocacy groups.
Last year, organizations such as the Asia Internet Coalition and the American Chamber of Commerce in Hong Kong warned that such measures could have a “chilling effect” on tech investments in the region. Article 19, a London-based free expression advocacy group, also raised concerns, stating that the law provides the government with “excessive” investigative powers, including the ability to demand any “relevant information” when investigating cybersecurity breaches.
However, city authorities have dismissed these criticisms, pointing out that similar cybersecurity regulations exist in other jurisdictions, including the United States, the United Kingdom, and the European Union.
Hong Kong Cybersecurity Law: No Impact on Personal Data
To address concerns regarding privacy, Tang assured lawmakers that the law strictly applies to computer systems at large organizations and does not target personal data or commercial secrets. Additionally, government departments are explicitly excluded from the law’s scope.
Interestingly, despite this exclusion, several government bodies, including the Fire Services Department, the Registration & Electoral Office, the Electrical and Mechanical Services Department, Cyberport, the Consumer Council, and the Companies Registry, have recently reported data leaks.
Operators of critical infrastructure—whether managing systems in-house or through outsourcing—must comply with the new regulations. Although the law does not have extraterritorial reach, it can extend to overseas servers if they are linked to a Hong Kong-based operator.
Compliance and Penalties
The cybersecurity law imposes strict compliance measures, including:
- Mandatory cybersecurity risk assessments at least once a year
- Incident reporting within 12 hours of a cybersecurity breach
- Hefty fines of up to HK$5 million for failing to implement adequate security safeguards
Despite concerns raised by lawmakers and businesses, the government has decided not to publicly disclose the list of critical infrastructure operators, citing security reasons. Officials argue that making such information public could make these organizations more vulnerable to cyberattacks.
Permanent Secretary for Security Patrick Li stated in an interview that over 100 critical infrastructure operators would be regulated under the law but reiterated that the list would remain confidential.
Rising Cybersecurity Concerns in Hong Kong
The passage of this law comes at a time when cybersecurity incidents in Hong Kong have been on the rise. Over the past year, multiple cyberattacks have targeted universities, NGOs, and hospitals. Additionally, a 2023 report by the city’s privacy watchdog revealed that 70% of Hong Kong companies had experienced some form of cyberattack.
As the city’s reliance on technology grows, so does the demand for strong cybersecurity solutions.
The cybersecurity market in Hong Kong is expected to reach US$852.65 million in 2025, with security services dominating the sector, accounting for an estimated US$484.04 million in revenue. Furthermore, the market is projected to grow at an annual rate of 7.64% from 2025 to 2029, reaching US$1.14 billion by the end of this period.
Implications for Businesses and the Tech Industry
Hong Kong’s status as a global financial hub and its increasing dependence on digital infrastructure make cybersecurity a top priority for both businesses and regulators. The implementation of this law is expected to enhance the resilience of critical infrastructure while ensuring that operators take proactive measures to prevent cyber threats.
However, concerns persist about how the new cybersecurity requirements will impact international companies operating in Hong Kong. The added compliance burden could influence business decisions, especially for tech firms evaluating long-term investments in the region.
As businesses adapt to these changes, one key question remains: Will this new law successfully balance cybersecurity enforcement with maintaining Hong Kong’s appeal as a leading technology and financial hub?
