HK CI Bill

THEOS Cyber helps critical infrastructure operators meet Hong Kong’s new cybersecurity requirements through Managed Threat Detection and Response (MTDR) for continuous monitoring, Digital Forensics and Incident Response (DF/IR) for rapid incident response, and offensive security testing to identify vulnerabilities before threat actors do. Are your capabilities ready? 

Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (CI Bill) is now in effect. If you operate in one of eight designated sectors, here’s what compliance requires.

What the ordinance is

The Protection of Critical Infrastructures (Computer Systems) Ordinance establishes mandatory cybersecurity requirements for organisations operating critical infrastructure in Hong Kong. It requires designated operators to implement security management programs, conduct regular assessments and audits, and report security incidents to the Commissioner of Critical Infrastructure within strict timelines. The ordinance aims to minimise the risk of cyberattacks disrupting essential services that society depends on. 

Who this applies to

The ordinance covers large organisations in:

      • Energy
      • Information technology
      • Banking and financial services
      • Air transport
      • Land transport
      • Maritime transport
      • Healthcare services
      • Telecommunications and broadcasting

Other infrastructures for maintaining important societal and economic activities:

      • Major sports venues
      • Major performance venues
      • Research and development parks
Understanding the designation process

Only organisations designated as CI operators, and computer systems designated as critical computer systems under the ordinance, are subject to regulation.

How infrastructures are designated as CIs

The authority considers:

      • The kind of service provided
      • Whether disruption, loss of functionality, or data leakage would significantly impact critical societal or economic activities
      • Other relevant factors

How organisations are designated as CI operators

The authority evaluates:

      • Your dependence on computer systems for core functions
      • The sensitivity of digital data you control
      • Your extent of control over the infrastructure’s operation and management

How systems are designated as critical computer systems

The authority assesses:

      • Whether the system is accessible in or from Hong Kong
      • The system’s role in your core functions
      • Impact to core functions if the system is disrupted or destroyed
      • How the system relates to your other systems and to other operators’ systems

For example, in the energy sector, a power plant would be the critical infrastructure, an electricity company the CI operator, and systems like fuel transportation or temperature monitoring would be critical computer systems. Administrative systems like attendance records would not be designated as critical.
Three categories of compliance obligations

The ordinance imposes the following obligations on CI operators:

Category 1: Organisation of CI operators

      • Maintain an office in Hong Kong
      • Notify the authority of operator changes
      • Set up and maintain a computer system security management unit with a qualified head

These organisational requirements provide the foundation for compliance. They ensure you have the structure and personnel in place to manage your security obligations.

Category 2: Prevention of threats and incidents

      • Notify the authority of significant changes to certain systems
      • Submit and implement security management plans (details in Schedule 3 of the ordinance)
      • Conduct security risk assessments (details in Schedule 4 of the ordinance)
      • Arrange security audits (details in Schedule 5 of the ordinance)

These preventive measures ensure you’re actively identifying and addressing security gaps before incidents occur.

Category 3: Incident reporting and response

      • Participate in security drills
      • Submit and implement emergency response plans
      • Notify the Commissioner of incidents within the specified timeframe:
            ◦ For serious computer-system security incidents (defined as incidents that have disrupted, are disrupting, or will be likely to disrupt the core function of the critical infrastructure concerned): within 12 hours after becoming aware of the incident
            ◦ For other computer-system security incidents: within 48 hours after becoming aware of the incident
      • Submit a written report of the incident within 14 days after becoming aware of it

The incident response requirements are where the ordinance becomes particularly demanding, with tight reporting timelines that require mature detection and response capabilities.
The compliance timeline

Your security management plan and emergency response plan are both due within 3 months of designation. Your first risk assessment is due within 12 months, then annually after that. Security audits are required every 24 months.

Most organisational obligations kick in within 1 month. The timeline is tight from the start.
What non-compliance costs

Fines range from HKD 500,000 for administrative failures to HKD 5,000,000 for serious breaches. Many violations carry additional daily fines while they continue.

Unauthorised disclosure of confidential information can result in imprisonment for up to 2 years.
Meeting the assessment requirements

Annual risk assessments and biennial security audits need to be thorough and evidence-based. You’re documenting these for regulatory compliance, but they also need to identify real security gaps.

Vulnerability assessments and penetration testing provide concrete findings you can use for your risk assessment reports. Red team exercises simulate real-world attacks against your critical systems.

The goal is finding weaknesses before threat actors do while satisfying regulatory requirements.
Building incident response capabilities

You need an emergency response plan within 3 months of designation. But having a plan and having the capability to execute it are different things.

The 12-hour reporting requirement for serious incidents is particularly challenging. Your detection needs to be fast. Your incident classification needs to be accurate. Your escalation process needs to be clear.

When incidents occur, you need forensic capabilities to understand what happened, preserve evidence, and recover operations, all while meeting tight reporting deadlines.
Where this fits in the regional picture

Hong Kong joins Singapore, Australia, and the EU in regulating critical infrastructure security. Each jurisdiction has its own requirements, but the common thread is mandatory incident reporting and regular security assessments.

For organisations operating across APAC, building security programs that can meet varying regulatory requirements is increasingly important.

How THEOS Cyber supports compliance

We help critical infrastructure operators in two areas:

Security assessments: Our offensive security team conducts vulnerability assessments, penetration testing, and red team exercises. These provide the evidence-based findings you need for annual risk assessments and biennial audits while identifying real security gaps in your critical systems.

Incident response: Our DF/IR team helps organisations develop and test emergency response plans. We provide rapid response capabilities when incidents occur, with experience responding under regulatory pressure and tight reporting deadlines.

Getting ready

If you’re likely to be designated, start by assessing your current capabilities:

Can your security program support annual risk assessments and biennial audits? Are your incident detection and response capabilities mature enough to meet the reporting deadlines? Do you have the documentation and processes to demonstrate compliance?

The ordinance sets baseline requirements. How you meet them depends on your organisation’s risk profile and existing capabilities.

If you’re evaluating your readiness for Hong Kong’s CI ordinance, THEOS Cyber can help you strengthen your defences and build the capabilities compliance requires.

About THEOS Cyber

THEOS Cyber is a cybersecurity services firm headquartered in the Asia-Pacific region, specialising in helping organisations protect digital assets and manage cyber risk. We provide elite digital forensics and incident response (DF/IR), managed threat detection and response (MTDR), and offensive security services including red teaming and penetration testing. Our teams work closely with regulated industries—financial services, fintech, healthcare, critical infrastructure—to deliver rapid, expert support across the full cyber incident lifecycle. THEOS Cyber strengthens resilience through technical depth, operational readiness, and legal-aware guidance.