Hong Kong Passes Landmark Cybersecurity Law for Critical Infrastructure

The new law mandates strict security measures and penalties to protect essential systems, set to take effect on January 1, 2026.

The legislation requires annual risk assessments, independent audits every two years, and rapid reporting of serious cybersecurity incidents within two hours.
It applies to eight critical industries, including banking, IT, energy, healthcare, and transport, as well as sectors like sports venues and research parks.
Non-compliance could result in fines ranging from HK$500,000 to HK$5 million, with additional penalties for ongoing violations.
Authorities plan to establish a commissioner’s office and identify affected operators by June 2025 in preparation for the law’s implementation.
The law responds to recent cyberattacks on essential services and raises concerns about potential impacts on foreign investment due to increased compliance costs.