In July, the Hong Kong Security Bureau proposed cyber security regulations for systemically important services (or critical infrastructure operators, CIOs).
Our experts examine how the regulations will impact compliance requirements for key sectors in Hong Kong and the main considerations for multinational businesses operating in the market.
- Business concerns have focused on ambiguities in the proposed cyber security legislation, mainly around the designation of CIOs and the potential impact of future compliance obligations on technology and information handling.
- The legislation is much less stringent than similar regulations in mainland China, which partly reflects both Beijing’s and Hong Kong’s prioritisation of Hong Kong as an international business hub.
- Given the potential for further mainland-Hong Kong regulatory alignment in future, businesses should consider lessons learnt from the evolution of mainland Chinese cyber security regulations as they review their compliance with the new rules.
- Businesses should also factor in implications from future geopolitical scenarios when evaluating their cyber security strategies in Hong Kong, particularly the increasing pressure on the technology and information supply chain.
Main concerns for businesses
The legislative framework for the “Protection of Critical Infrastructure (Computer System) Bill” represents the Hong Kong Special Administrative Region (SAR) government’s increased efforts in strengthening its cyber security. The law, proposed by the Hong Kong Security Bureau in early July, will exempt small and medium-sized enterprises from its reach and focus instead on large-scale organisations in two categories: eight “essential services” sectors, and other infrastructure crucial for “maintaining important societal and economic activities”.
Proposed critical infrastructure categories
| Category 1: Infrastructure for delivering essential services in Hong Kong | Category 2: Other infrastructure for maintaining important societal and economic activities |
|---|---|
| Energy; Information technology; Banking and financial services; Land transport; Air transport; Maritime; Healthcare services; Communications and broadcasting | Major sports and performance venues, research and development parks, etc. |
The legislation has been long-awaited. In his October 2023 policy address, Hong Kong SAR Chief Executive John Lee had already pledged a drafted bill on cyber security protection for legislative review within 2024. There has also been a general expectation that the government would introduce new regulations in response to the increase in high-profile cyber attacks and data leaks in recent years.
More broadly, the legislation in Hong Kong is in line with the larger global trend of development in digital regulations governing technology and information handling. Adoption of CIO regulations has been taking place in various markets, including mainland China, the EU, the UK and Singapore.
It remains unclear which specific firms would be designated as CIOs under the legislation. It is likely that standards for CIO designation are still in the early stages of development, requiring coordination of different sectoral authorities. In many jurisdictions, CIOs are never publicly identified for security reasons.
For companies, a CIO designation means they will face much closer regulatory oversight of their cyber security practices and obligations. They will be required to have a regulated and localised team for cyber security, will experience tighter governance over the use of third parties, and must comply with mandatory registration and collaboration with regulators on cyber security controls and incident response. These layers of oversight would significantly expand compliance requirements, require additional staff, and potentially drive more targeted efforts in practice to meet local Hong Kong requirements.
With the conclusion of the legislation’s public consultation on 1 August, regulators in the coming months are likely to factor in some feedback from businesses before submitting the full legislation draft to the Legislative Council. However, fundamental revisions to the key principles of CIOs’ “operational, preventive, and response” obligations, as well as the overall increased governmental oversight in cyber security, are unlikely.
A different blueprint for regulations
The legislation comes at a time of increased alignment with Beijing on national security policy agendas. The priority sectors for cyber security protection and principles of CIOs’ obligations are generally aligned with the framework introduced in mainland China’s Cyber Security Law (CSL, issued in 2016) and the “Regulations on the Security Protection of Critical Information Infrastructure (CII)” (issued in 2021). Macao, China’s other SAR, also introduced its own cyber security law in 2019, with a similar focus on CIOs.
Hong Kong’s technology and information handling regulations will continue to converge with the mainland’s in the coming years. However, policymakers in Hong Kong are striving to assuage concerns among multinational businesses about any tightened regulations. The Hong Kong Security Bureau has stated that the current legislation has gone through extensive industry consultation since 2023.
Meanwhile, there are still major differences between Hong Kong’s proposed legislation and the regulatory framework seen in mainland China, with the mainland framework being much more extensive. For example, the Hong Kong bill does not introduce extra requirements on outbound data transfers for CIOs, which have been a core component of compliance obligations for mainland China-based CIOs. Personal and business information has also been excluded from the current legislation’s scope in Hong Kong, which differs from the two mainland regulations mentioned above.
Efforts to maintain such key differences in CIO-related regulations reflect that Hong Kong’s regulatory environment, including on cyber security, remains distinct from mainland China’s. Preserving its role as the offshore financial and commercial hub for the Chinese economy remains a major priority for both Hong Kong and Beijing.
Lessons from the mainland
Increasing scrutiny of information technology and its related supply chains means that Hong Kong-based companies should prepare for additional compliance requirements in the coming years. Businesses should review their longer-term digital strategy to anticipate further digital sovereignty regulation in Hong Kong.
As in the mainland, CIO regulation is only one aspect of a larger effort to manage societal cyber security risks. Updates to existing regulations and the introduction of new regulations should be expected. As the regulatory environment matures, firms should approach compliance as a long-term driver of digital strategy rather than a short-term remediation exercise.
Tightened requirements on personal information protection will also become more likely as Hong Kong’s regulatory convergence towards the mainland’s cyber security regulations continues. One main area with potential changes is the requirements around exports of personal data in the Personal Data (Privacy) Ordinance (PDPO), Hong Kong’s main regulation regarding personal information protection, passed in 1995. While the PDPO’s Section 33 – which sets restrictions for cross-border transfer of personal data – is currently not in force, there is a higher chance in the coming years for the SAR government to release a timeline for its implementation.
A global challenge
Hong Kong’s new CIO regulation is another milestone in a larger effort by authorities to manage cyber security risks in their societies. The uncertainty over how it will be applied and its potential impact on technology services in Hong Kong is challenging the digital strategies of global firms.
US regulations further complicate the picture. Emerging US regulations are restricting technology access from Hong Kong and already affecting the availability of technology services in the market. The large, US-based artificial intelligence (AI) providers have blocked mainland China, Hong Kong and Macao from accessing their services. China-based firms’ use of US-based AI services via global cloud service providers is also coming under increased scrutiny. Information technology, previously an apolitical, back-office function, is now becoming a national security issue.
The strategic competition between the US and China has extended into technology and information. Global firms with operations in Hong Kong and mainland China are caught between different regulatory regimes and increasing cyber security requirements. Firms must now account for this geopolitical rivalry in developing their digital strategies for Hong Kong and the mainland.