Hong Kong Passes Landmark Cybersecurity Law for Critical Infrastructure
The new law, set to take effect on January 1, 2026, mandates strict security measures and penalties to protect essential systems.
- The legislation requires annual risk assessments, independent audits every two years, and rapid reporting of serious cybersecurity incidents within two hours.
- It applies to eight critical industries, including banking, IT, energy, healthcare, and transport, as well as sectors like sports venues and research parks.
- Non-compliance could result in fines ranging from HK$500,000 to HK$5 million, with additional penalties for ongoing violations.
- Authorities plan to establish a commissioner’s office and identify affected operators by June 2025 in preparation for the law’s implementation.
- The law responds to recent cyberattacks on essential services and raises concerns about potential impacts on foreign investment due to increased compliance costs.