Cyber security protection bill set
The Government announced today that it will publish the Protection of Critical Infrastructures (Computer Systems) Bill in the Gazette on Friday.
Critical infrastructures are infrastructures that are necessary for the maintenance of normal functioning of society and the normal life of people. The bill seeks to impose statutory requirements on designated operators of critical infrastructures to ensure that they take appropriate measures to protect their computer systems and minimise the chance of essential services being disrupted or compromised due to cyberattacks, thereby maintaining the normal functioning of Hong Kong society and the normal life of people.
The Security Bureau said there are three categories of statutory obligations under the bill, including organisational obligations, preventive obligations, as well as incident reporting and response obligations. Operators of critical infrastructures are required to set up dedicated management units to oversee their computer-system security, and take preventive measures to enhance their resilience against cyberattacks.
When a computer-system security incident occurs, the operator shall report it to a corresponding commissioner’s office, and at the same time take its own response measures to restore the systems in accordance with the emergency response plan it submitted. The commissioner’s office may provide timely assistance and take remedial measures to contain the problem and minimise the chance of affecting other critical infrastructures, so as to maintain the normal operations in Hong Kong society and the normal life of citizens.
The bureau stressed that the proposed requirements serve to safeguard computer systems that are critical to the core functions of the critical infrastructure, and in no way target personal data and trade secrets.
It also emphasised that operators of critical infrastructures to be regulated will be those necessary for the continuous provision of essential services or maintaining critical societal and economic activities in Hong Kong, most of which are large organisations. Small and medium enterprises and the general public will not be regulated.
The bureau noted that in drafting the bill, reference has been made to relevant legislation in other jurisdictions in order to establish a regulatory model suitable for Hong Kong.
In addition to holding more than 30 consultation sessions, the bureau also consulted the Legislative Council Panel on Security and launched a one-month consultation exercise.
On the whole, the stakeholders and society have responded positively to the legislation, it remarked.
The Protection of Critical Infrastructures (Computer Systems) Bill will be introduced into the Legislative Council for the first and second readings on December 11.