By Jessie Pang
HONG KONG (Reuters) – Hong Kong passed a cybersecurity law on Wednesday to regulate operators of critical infrastructure, forcing them to strengthen computer systems and report cybersecurity incidents or risk penalties of up to HK$5 million ($640,000).
The law, set to take effect in 2026, aims to safeguard the security of computer systems vital to the functioning of critical infrastructure, said Chris Tang, the security chief of the Asian financial hub.
“It’s definitely not to target personal information or commercial secrets,” he added.
The law was necessary because disruption or sabotage of the computer systems at the heart of critical infrastructure posed a risk to society and the economy in the former British colony, the Security Bureau told the legislative council.
Such incidents could have “a rippling effect affecting the entire society, seriously jeopardising the economy, people’s livelihood, public safety and even national security,” it added.
The bill covers infrastructure in eight industries from banking and financial services to information technology, energy transport, healthcare and communications.
Authorities would notify the concerned operators, but would not identify them individually to keep them from becoming targets, Tang had said earlier.
The bill, which also covers major sports and performance venues and research and development parks, mandates annual security risk assessments and an independent security audit every two years.
It sets a deadline of two hours to report serious security incidents.
Non-compliance could lead to fines ranging from HK$500,000 to HK$5 million ($64,000 to $640,000), along with additional daily fines for persistent non-compliance in some cases.
Since the new bill may swell compliance costs for the data centre business, the government needs to consider if it could deter foreign investors, said George Chen, Co-Chair of Digital Practice at consulting firm the Asia Group based in Washington.
“Some investors may feel Hong Kong is now entering a busy cycle of legislation,” Chen said, referring to tougher national security laws the China-ruled city adopted in 2020 and 2024.
Investors’ desire for a more stable regulatory environment is a factor the Hong Kong government must weigh in its effort to retain, or attract, foreign investment, he added.
“Economic recovery remains a top priority for Hong Kong.”
China passed a sweeping cybersecurity law in 2016, but Hong Kong did not have one until now.
(Reporting by Jessie Pang; Editing by Clarence Fernandez)
