
"On 1 January 2026, the Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued a Code of Practice (the "CoP") under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the "Ordinance"), which came into force on the same day (see our previous legal update on Hong Kong passing its first cybersecurity legislation regulating critical infrastructures). The CoP clarifies key requirements under the Hong Kong new critical infrastructure cybersecurity regime and sets a baseline for compliance across sectors."
"The CoP translates the high-level obligations under the Ordinance into specific, actionable requirements for critical infrastructure operators ("CIOs"). It clarifies scope and governance expectations, and specifies compliance processes, marking a clear shift from principles to implementation. Although the CoP is not subsidiary legislation, it will be a central reference point for supervisory expectations and for any enforcement directions addressing non-compliance under the Ordinance."
On 1 January 2026 the Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued a Code of Practice under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), which came into force the same day. The Code of Practice clarifies key requirements under the new critical infrastructure cybersecurity regime and sets a baseline for compliance across sectors. The Hong Kong Government appointed Mr. Francis Chan Wing-on as Commissioner of Critical Infrastructure (Computer-system Security) for a three-year term. The CoP converts high-level obligations into specific, actionable requirements, clarifies scope and governance expectations, and specifies compliance processes. The CoP is not subsidiary legislation, but the Commissioner may issue written directions referencing the CoP and failure to comply with such directions is an offence. In practice the CoP functions as a compliance handbook against which critical infrastructure operators can benchmark cybersecurity governance and controls.
Read at DataBreaches.Net