The Supply Chain Ripple: Navigating Hong Kong’s New Critical Infrastructure Cybersecurity Law

By Jade Tang

When we talk about data breaches, the prevailing metaphor is often one of plumbing: there is a leak, you find the hole, patch the software, notify the customers, and mop the floor. It is unpleasant, costly, but ultimately contained. However, critical infrastructure does not behave like plumbing. A disruption in the systems that underpin a city’s financial hub, energy grid, or transport network can cascade into systemic failure.

On 1 January 2026, Hong Kong fundamentally altered the architecture of corporate risk by bringing the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (“PCICSO”) into force. This landmark legislation replaced a fragmented, largely voluntary framework with legally enforceable obligations around governance, technical safeguards, and incident response for the computer systems that power essential services. Now, three months into its implementation, the reality of PCICSO is taking shape, and its impact is rippling far beyond the boardrooms of the designated giants it ostensibly targets.

This article analyses the drivers behind this legislative shift, examines the developments of the first quarter of 2026, and highlights the compliance pitfalls and litigation risks that organisations, both designated operators and their suppliers, must navigate.

The drivers: a perfect storm of cyber threats

To understand why Hong Kong enacted PCICSO, one must look at the escalating cyber threat landscape that preceded it. The legislation was not born in a vacuum; it was a necessary response to a stark reality.

In 2024, the Hong Kong Police Force recorded 33,903 technology crime cases, which included 112 destructive cyberattacks. More alarmingly, an assessment of over 90,000 internet-facing assets belonging to Hong Kong’s critical infrastructures revealed that 5% had varying degrees of system vulnerabilities. By 2025, the situation had intensified. The Office of the Privacy Commissioner for Personal Data (PCPD) reported a record 246 data breach notifications, a 21% increase from the previous year, with a third of these incidents involving hacking.

The sophistication of these attacks was also evolving. The rise of AI-enabled threats, ransomware, and supply chain vulnerabilities meant that traditional, siloed approaches to cybersecurity were no longer sufficient. The government recognised that the disruption of essential services — such as banking, healthcare, and telecommunications — due to a cyberattack could severely jeopardise public safety, economic stability, and societal functioning.

Furthermore, Hong Kong was playing catch-up with global regulatory trends. Jurisdictions like the European Union (with the NIS2 Directive), Singapore (with its Cybersecurity Act), and Mainland China had already established robust statutory frameworks for critical infrastructure protection. To maintain its status as a secure and resilient global financial and digital hub, Hong Kong needed a dedicated cybersecurity law with teeth.

The first three months: from principles to practice

PCICSO designates Critical Infrastructure Operators (CIOs) across eight essential sectors: energy; information technology; banking and financial services; land transport; air transport; maritime transport; healthcare; and telecommunications and broadcasting. The law imposes three categories of statutory obligations on these CIOs: organisational (maintaining a local office and a computer-system security management unit), preventive (implementing security management plans and conducting risk assessments and audits), and incident reporting and response (participating in drills and reporting serious computer-system security incidents within 12 hours of becoming aware of them).

Simultaneously with the Ordinance coming into effect on 1 January 2026, the newly established Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued the Code of Practice (CoP). While the CoP is not subsidiary legislation, it serves as the operative compliance benchmark, translating the Ordinance’s high-level requirements into actionable, operational terms.

The first three months of 2026 have been characterised by a flurry of compliance activity. The government has begun shortlisting and designating CIOs, although the list remains confidential to avoid making these entities targets for threat actors. Designated authorities, such as the Communications Authority for the telecommunications sector, have formally adopted the CoP, and sectoral codes for industries like energy are being rolled out.

For designated CIOs, this period has involved intense internal restructuring. The requirement to anchor cybersecurity governance in Hong Kong, rather than relying on a geographically ambiguous global security operations centre, has forced multinationals to establish dedicated local security management units led by qualified personnel.

However, the most significant development has been the “supply chain ripple.” PCICSO explicitly requires CIOs to ensure their suppliers and cloud service providers adhere to specified security requirements. Consequently, CIOs have spent the first quarter of 2026 aggressively renegotiating contracts, flowing down their statutory obligations to every vendor whose systems touch their critical operations.

Potential pitfalls: the illusion of the safe SME

The most dangerous misconception regarding PCICSO is that it only affects the designated giants. If you run a small or medium-sized enterprise (SME), a SaaS provider, or a third-party analytics firm, you might assume you are exempt. You are not.

When a major bank is mandated to report a serious incident within 12 hours, it cannot meet that deadline if its cloud provider takes 24 hours to notify them of a breach. Therefore, the bank will contractually demand immediate notification, audit rights, and stringent security controls from its suppliers.

This creates a significant compliance pitfall for vendors. Many SMEs lack the sophisticated security infrastructure, dedicated personnel, and rapid response capabilities required to meet these new contractual demands. Failing to comply with these flowed-down obligations can result in immediate termination of lucrative contracts and severe reputational damage.

For the CIOs themselves, the pitfalls are equally treacherous. The 12-hour reporting window for serious incidents is notoriously unforgiving, and the clock starts when the operator becomes aware of the incident, not when it has finished investigating. In the chaos of a live cyberattack, determining the scope of the compromise, classifying the incident against the statutory threshold, and drafting a regulatory notification within half a day requires a level of preparedness that many organisations still lack. Treating “twelve hours” as a target to be hoped for, rather than a muscle to be trained through rigorous drills, is a recipe for regulatory failure.

Furthermore, the CoP clarifies that operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) systems, are computer systems for the purposes of the law. Many organisations historically managed IT and OT in silos, with OT often lagging in security updates because controllers run vendor-certified software that cannot be patched on an IT cadence without risking the physical process. Bridging this gap, whether by patching or by compensating controls such as network segmentation and monitoring of the OT perimeter, represents a substantial technical and financial challenge.

Litigation risks: the cost of non-compliance

PCICSO is backed by significant enforcement powers and severe penalties. Non-compliance with statutory obligations or the Commissioner’s directions constitutes a criminal offence, attracting fines ranging from HKD 300,000 to HKD 5 million, with daily penalties of up to HKD 100,000 for continuing breaches.

While the law is designed to penalise the organisation rather than imposing automatic individual liability on senior management, executives are not entirely shielded. If an offence is committed with the consent or connivance of, or is attributable to the neglect of, a director or senior officer, that individual may also face prosecution. Furthermore, providing false statements or obstructing the Commissioner’s investigations carries distinct criminal liabilities.

The litigation risks extend beyond regulatory fines. As CIOs flow down obligations to their supply chain, the likelihood of commercial disputes increases. If a vendor’s security failure causes a CIO to breach its PCICSO obligations, the CIO will seek to recover the regulatory fines and associated losses through breach of contract claims. Vendors must carefully review indemnification clauses, liability caps, and notification timelines in their service agreements to manage this exposure.

Additionally, while PCICSO does not create a direct private right of action for data subjects, a regulatory finding of non-compliance under PCICSO could serve as powerful evidence of negligence in civil claims brought by customers whose data was compromised or whose services were disrupted.

A new era of cyber resilience

The Protection of Critical Infrastructures (Computer Systems) Ordinance represents a paradigm shift in Hong Kong’s approach to cybersecurity. Moving away from voluntary guidelines, the city has embraced a rigorous, legally enforceable framework designed to protect its essential services from an increasingly hostile digital environment.

Three months into its implementation, the law is already reshaping corporate governance and supply chain dynamics. For general counsel, chief risk officers, and business leaders, the message is clear: cybersecurity is no longer merely an IT issue; it is a fundamental legal and operational mandate.

Organisations must move beyond a check-the-box compliance mentality. They must map their critical systems, stress-test their incident response plans, and rigorously assess their supply chain vulnerabilities. In this new era of cyber resilience, the cost of unpreparedness is simply too high.

Our team at Hugill & Ip has extensive experience in dealing with regulatory and compliance matters – so kindly get in touch with us to find out how we can help.

This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice.

Jade Tang

Jade advises companies about corporate and commercial issues (JVs, M&As, private equity funds), including the compliance and governance aspects of business. She also deals with employment and immigration matters related to companies doing business in Greater China and the Asia Pacific region.
