What is the Protection of Critical Infrastructures (Computer Systems) Ordinance in Hong Kong?
The Hong Kong Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill (the “CI Bill”) on March 19, 2025, and it became effective on January 1, 2026. It is the first dedicated cybersecurity law in Hong Kong to protect the security of the critical computer systems (CCS) of critical infrastructures (CIs), to regulate CIs’ operators (i.e., critical infrastructure operators (CIO)), and to provide for the investigation into, and response to, computer-system security threats and incidents.
The first version of the Code of Practice (CoP), released on January 1, 2026, by the Office of the Commissioner of Critical Infrastructure (Computer-system Security), provides practical guidance on how a CIO complies with category obligations.
- To ensure the computer system security of critical infrastructure that are necessary for the normal functioning of the Hong Kong society.
- To strengthen the security of the computer systems of critical infrastructure and minimize the chance of essential services being disrupted or compromised due to cyberattacks.
The regulation covers two major categories of critical infrastructure (CI):
Infrastructures for delivering essential services in Hong Kong covering eight sectors:
- Energy
- Information Technology
- Banking and Financial Services
- Land Transport
- Air Transport
- Maritime
- Healthcare Services
- Communications and Broadcasting
Other infrastructures for maintaining important societal and economic activities:
Examples:
- Major sports
- Performance venues
- Research and development parks
Critical Computer Systems (CCS)
CCSs refer to computer systems that are relevant to the provision of essential service of the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the critical infrastructure.
Critical Infrastructure Operators (CIO)
Designated operators which operate a Specified CI.
CIO will need to fulfill three types of obligations below:
Organizational
- Maintain an address and office in Hong Kong
- Report changes in the ownership and operatorship of CI
- Set up a computer system security management unit with professional knowledge supervised by a dedicated supervisor of the CIO
Preventive
- Inform the Commissioner’s Office of material changes to their CCS
- Formulate and implement a computer system security management plan
- Conduct a computer system security risk assessment and audit (at least once every year and two years respectively)
- Adopt measures to ensure that their 3rd-party services providers are in compliance with the relevant statutory obligations
Incident Reporting and Response
- Participate in a computer system security drill (at least once every two years)
- Formulate an emergency response plan
- Notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCS
The Code of Practice (Code) of the Protection of Critical Infrastructures (Computer Systems) Ordinance is issued in respect of CIO obligations to set out recommended standards and provide practical guidance to CIOs to fulfil the obligations.
The Chief Executive of Hong Kong appointed a new Commissioner of Critical Infrastructure (Computer-system Security), who, along with the designated authorities in Schedule 2 of the CI Bill for specific sectors (currently the Monetary Authority and the Communications Authority), (“Designated Authorities”), will serve as the regulating authorities.
Concerning the relevant legislation of the UK and EU, the penalties under the Bill will only include fines, with maximum level ranging from HK$500,000 to HK$5 million, and additional daily fines for persistent non-compliance for certain continuing offences, the maximum of which range from HK$50,000 to HK$100,000.
The obligations and requirements under the Bill which will result in offences and penalties for non-compliance will be imposed on CIOs at the organizational level only, and are not designed to target at their staff at individual level.
Compliance Brief
Complying with The Protection of Critical Infrastructures Ordinance in Hong Kong
Explore solutions for The Protection of Critical Infrastructures (Computer Systems) Ordinance (PCICSO) by simplifying compliance and automating security reducing the burden on security and compliance teams.
How Thales Helps with the Protection of Critical Infrastructures (Computer Systems) Ordinance Compliance
The Protection of Critical Infrastructures (Computer Systems) Ordinance strengthens the cybersecurity of critical infrastructure and minimize disruption of essential services in Hong Kong; Thales’ solutions can help CIOs address the requirements in the Code of the Ordinance by simplifying compliance and automating security reducing the burden on security and compliance teams.
Protection of Critical Infrastructures Bill Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the requirements in CI Ordinance – The Code of Practice (The Code)
How Thales helps:
- Protect application data and eliminate the need for Developers (Devs) to manage security and update data protection.
- Deploy data protection solutions into environments through orchestration.
- Perform updates and keep up with compliance requirements by Data Security Admins without taking Devs off of other projects.
- Adopt “Shift left” – Security measurement in the early stage of development.
How Thales helps:
- Discover and classify potential risks for all public, private, and shadow APIs.
- Identify structured and unstructured sensitive data at risk on-premises and in the cloud.
- Enable privileged user access control for sensitive data and restrict access from unauthorized access with the least privileged design.
- Identify the current state of compliance, documenting gaps, and providing a path to full compliance.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Analyze access activity and deliver risk intelligence for IT teams to proactively monitor and investigate potential access risks.
- Enforce data access rights and detect policy violations through real-time monitoring.
- Apply contextual security measures based on risk scoring.
- Prevent password fatigue with Smart Single Sign-On with conditional access.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Prevent hardcoded credentials or token keys in source code or CI/CD environments.
- Enable MFA with the broadest range of hardware and software methods.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Provide flexible authentication options for automated workflows to mitigate the reliance on passwords.
- Extend single-sign-on authentication to cloud applications, enabling centralized, secure access with a protected identity.
- Apply privileged access control to sensitive data.
Solutions:
Identity & Access Management
Data Security
How Thales helps:
- Streamline key management on-premises and in the cloud environments with key lifecycle management.
- Manage and protect all secrets and sensitive credentials.
- Protect cryptographic keys in a FIPS 140-3 Level 3 environment.
- Store encrypted data and its encryption key stored in different places for separation of duties principal.
- Employ strong and standard-based encryption protocols, such as the Advanced Encryption Standard (AES) for data encryption and elliptic curve cryptography (ECC) for key exchange.
- Adopt Post-Quantum Agility to deal with the threats from quantum computing.
How Thales helps:
- Leverage smart cards for implementing physical access to sensitive facilities of critical infrastructure.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Protect the root-of-trust of a cryptographic system within a highly secure environment.
- Detect tamper events, including unauthorized access to HSMs and key management infrastructure, through real-time audit logging and alerting.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Enable secure remote access for resources on-premises or in the cloud with a seamless user experience.
- Build and deploy adaptive authentication policies.
- Enable MFA with the broadest range of hardware and software methods.
Solutions:
Identity & Access Management
How Thales helps:
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Secure data-in-transit with future-proof encryption technologies to avoid “Harvest now, decrypt later”.
How Thales helps:
- Protect apps from runtime exploitation, while integrating with tools in the CI/CD pipeline.
- Stop application attacks with fewer false positives with web application firewall.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Conduct ongoing risk assessments to identify design flaws and vulnerabilities associated with the OWASP API Security Top 10.
- Encrypt sensitive data once it is created and make sure cleartext data will not be processed or stored by unauthorized applications and personnel.
- Protect and automate access to secrets across DevOps tools.
- Easily access data security solutions through online marketplaces.
- Monitor data traffic to spot data leakage risk.
How Thales helps:
- Provide audit trails of API calls, authentication attempts, and authorization decisions, ensuring accountability and facilitating compliance audits.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
- Prevent unauthorized access and alteration to its internals, including the audit logs.
- Gain visibility by monitoring and auditing all database activity.
- Provide a clear audit trail for demonstrating cryptographic control from centralized key management systems, logging all key lifecycle events such as key creation, rotation, and access.
- Offer encryption logs, data access attempts, and encryption/decryption events, providing auditable proof of data protection without application modifications.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Reduce third-party risk by maintaining on-premises control over encryption keys protecting data hosted in the cloud.
- Ensure complete separation of roles between cloud provider admins and your organization, restrict access to sensitive data.
- Monitor and alert anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
- Enable MFA for third-party users to thwart phishing attacks.
- Apply sufficient secure measurement with the sensitivity of data.
- Protect network tunnel between cloud and on-premises environment to ensure data is encrypted.
How Thales helps:
- Monitor I/O and block suspicious activity before ransomware can take hold.
- Prevent malicious software and users from accessing sensitive data.
- Use signature, behavioral and reputational analysis to block all malware injection attacks.
- Detect and prevent cyber threats with web application firewall.
- Safeguard critical network assets from DDoS attacks and Bad Bots.
Solutions:
Application Security
Data Security
How Thales helps:
- Detect data exfiltration in real-time through behavioral analytics and anomaly detection to identify abnormal data access patterns.
- Monitor data activity to track unauthorized downloads, copies, or transfers of sensitive customer information.
- Encrypt sensitive data at rest and in transit to minimize the impact of data leakage, ensuring leaked information remains unusable.
- Classify and discover sensitive customer data across the environment to ensure proper protection and visibility.
- Generate audit trails for all data access events to support forensic investigation and regulatory incident reporting.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.