Hong Kong issues Code of Practice under the Protection of Critical Infrastructures (Computer Systems) Ordinance | Insights | Mayer Brown
On 1 January 2026, the Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued a Code of Practice (the "CoP") under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the "Ordinance"), which came into force on the same day (see our previous legal update on Hong Kong passing its first cybersecurity legislation regulating critical infrastructures). The CoP clarifies key requirements under Hong Kong's new critical infrastructure cybersecurity regime and sets a baseline for compliance across sectors. On the same date, the Hong Kong Government appointed Mr Francis Chan Wing-on, former Chief Superintendent of the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, as Commissioner of Critical Infrastructure (Computer-system Security) for a three-year term.

The CoP translates the high-level obligations under the Ordinance into specific, actionable requirements for critical infrastructure operators ("CIOs"). It clarifies scope and governance expectations and specifies compliance processes, marking a clear shift from principles to implementation. Although the CoP is not subsidiary legislation, it will be a central reference point for supervisory expectations and for any enforcement directions addressing non-compliance under the Ordinance.

The CoP is not subsidiary legislation, and non-compliance with it does not itself constitute an offence. However, the Commissioner may issue written directions with reference to the CoP's requirements, and failure to comply with such directions is an offence. In practice, the CoP functions as a compliance handbook against which CIOs can benchmark their cybersecurity governance and controls.

The CoP also indicates that designated authorities (currently the Hong Kong Monetary Authority ("HKMA") and the Communications Authority ("CA")) may adopt the CoP for category 1 and category 2 obligations and may issue sectoral codes in respect of those obligations where necessary.

Under the Ordinance, a computer system that is accessible by the CIO in or from Hong Kong and is essential to the core function of a critical infrastructure operated by the CIO may be designated as a Critical Computer System ("CCS"). At first glance, this might appear to confer extraterritorial reach on the Ordinance. The Security Bureau has clarified that this is not the case, although the Commissioner may request information accessible by a CIO in or from Hong Kong, whether located in or outside Hong Kong.

The CoP sets out indicators for CCS designation, including: materiality to a critical infrastructure's core function; severe impact if disrupted; processing of sensitive digital data used directly in essential services; and strong dependencies with other CIOs (for example, centralised processing or data exchange systems across a sector or multiple sectors) or with other CCSs of the same CIO (for example, firewalls and backup facilities).

The CoP expressly brings industrial control systems within scope as computer systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLC), recognising that operational technology can be mission-critical. It also indicates that underlying IT infrastructure, such as network components, operating platforms, middleware, Internet-of-Things (IoT) devices and uninterruptible power supply systems, may be treated as components of a computer system.

To support a predictable designation process, the CoP lists the kinds of information regulators may request to determine a CCS designation, including (without limitation): the system's functions and dependencies (upstream and downstream); architecture and network diagrams; the nature and volume of sensitive digital data processed; manufacturers and models; external service subscriptions; resilient setups; and design and operations descriptions.

The CoP provides practical guidance to help CIOs fulfil the three categories of obligations under the Ordinance: organisational (category 1), preventive (category 2) and incident reporting and response (category 3).

Under the Ordinance, a designated CIO must maintain an office in Hong Kong and must notify the relevant Regulating Authority in writing of any change of operator of a critical infrastructure within one month of the change.

The CoP clarifies that "maintain an office in Hong Kong" means carrying on actual business activities in Hong Kong (such as managing daily operations and making business decisions), not merely having a correspondence address. In relation to the obligation to set up and maintain a computer-system security management unit, the CoP clarifies that the unit and its supervising employee need not be based in Hong Kong. It also provides a non-exhaustive list of qualifications evidencing adequate professional knowledge in relation to computer-system security (for example, Certified Information Security Professional (CISP) and Certified Information Systems Auditor (CISA)) and links competence to professional experience commensurate with the risk profile of the CCSs. These are practical touchpoints not covered in the Ordinance.

The Ordinance requires CIOs to notify material changes to certain computer systems and to submit and implement a computer-system security management plan, among other requirements. The CoP supplies operational detail and clarifies how CIOs should comply.
The CoP clarifies incident response obligations, including security drills, emergency response plans and notification obligations.

The CoP also clarifies the moment of "awareness", tying it to a reasonable degree of certainty that an incident has occurred, a frequent operational question in breach response. Once that threshold is met, time starts to run for notification. Incidents must be notified within the prescribed timelines using the specified form and submitted via the designated secure channel. Alternatively, an initial notification may be made by telephone to the designated number, provided the specified form is submitted through the designated secure channel within 48 hours of that call. The CoP notes that other sector-specific incident notification requirements may apply in parallel.

The CoP clarifies governance expectations, technical baselines and operational processes under the new cybersecurity regime and resolves key uncertainties, particularly around CCS designation, material change triggers, and incident reporting thresholds and timelines. Although non-statutory in form, the CoP helps CIOs translate legal duties into implementable controls and measures, and anchors supervisory expectations that will be central to compliance audits and enforcement. The Commissioner may review and revise the CoP from time to time to reflect technological developments and industry best practice. Designated authorities may also issue sectoral codes for organisational (category 1) and preventive (category 2) obligations to reflect sectoral risk profiles and expectations.

Organisations that have been, or are likely to be, designated as CIOs should now treat the CoP as the operative compliance benchmark. They should implement structured programmes to align governance and controls with both the CoP and the Ordinance, and closely monitor ongoing developments, including updates to the CoP, sectoral codes and regulatory practices, to ensure timely adjustments to their compliance posture.

The authors would like to thank Roslie Liu, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this legal update.

© 2026 Mayer Brown. All Rights Reserved.

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC ("PKW") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

Mayer Brown and the Mayer Brown logo are the trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.