Hong Kong Introduces Code of Practice for Critical Infrastructure Cybersecurity

Key Takeaways:

  • The Office of the Commissioner of Critical Infrastructure (Computer-system Security) has issued a Code of Practice (CoP) to clarify key requirements under Hong Kong’s new critical infrastructure cybersecurity regime.
  • The CoP provides practical guidance for critical infrastructure operators (CIOs) to fulfill their obligations under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653).
  • The CoP sets out indicators for Critical Computer System (CCS) designation, including materiality to a critical infrastructure’s core function, severe impact if disrupted, and processing of sensitive digital data.
  • CIOs must comply with three categories of obligations: organisational (category 1), preventive (category 2), and incident reporting and response (category 3).
  • The CoP provides guidance on security drills, emergency response plans, and notification obligations for CIOs.

Introduction to the Code of Practice
The Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued a Code of Practice (CoP) on 1 January 2026, under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653). The CoP clarifies key requirements under Hong Kong’s new critical infrastructure cybersecurity regime and sets a baseline for compliance across sectors. The CoP is not subsidiary legislation, but it will be a central reference point for supervisory expectations and enforcement directions addressing non-compliance under the Ordinance. The Commissioner may issue written directions with reference to the CoP’s requirements, and failure to comply with such directions is an offense.

Understanding Critical Computer Systems
A computer system that is accessible by a CIO in or from Hong Kong and is essential to the core function of a critical infrastructure operated by the CIO may be designated as a Critical Computer System (CCS). The CoP sets out indicators for CCS designation, including materiality to a critical infrastructure’s core function, severe impact if disrupted, processing of sensitive digital data, and strong dependencies with other CIOs or CCSs. The CoP expressly brings industrial control systems within scope as computer systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). Underlying IT infrastructure, such as network components, operating platforms, middleware, Internet-of-Things (IoT) devices, and uninterruptible power supply systems, may be treated as components of a computer system.

Obligations for Critical Infrastructure Operators
The CoP provides practical guidance to help CIOs fulfill their obligations under the Ordinance, which are categorized into three areas: organisational (category 1), preventive (category 2), and incident reporting and response (category 3). Category 1 obligations include maintaining an office in Hong Kong, notifying the relevant Regulating Authority of changes to the operator of a critical infrastructure, and setting up and maintaining a computer-system security management unit. The CoP clarifies that "maintaining an office in Hong Kong" means carrying on actual business activities in Hong Kong, and provides a non-exhaustive list of qualifications evidencing adequate professional knowledge in relation to computer-system security.

Preventive Obligations
Category 2 obligations include notifying material changes to certain computer systems, submitting and implementing a computer-system security management plan, and conducting security audits. The CoP supplies operational detail and clarifies how CIOs should comply with these obligations. Material changes are defined as changes reasonably expected to have a significant effect on the security risk of a CCS or the risk to the core function of the relevant critical infrastructure. The CoP provides concrete examples of events that may constitute material changes, including platform migrations, major version upgrades of core components, and changes to computing platforms or hardware.

Incident Reporting and Response
Category 3 obligations cover incident reporting and response, security drills, and emergency response plans, and the CoP clarifies each of these, together with the associated notification obligations. The Commissioner may require a CIO to participate in a security drill to test its readiness to respond to computer-system security incidents. CIOs must submit an emergency response plan detailing protocols for responding to computer-system security incidents in respect of the CCSs of their critical infrastructures. The CoP clarifies what constitutes a "computer-system security incident" and gives examples, including large-scale or volumetric DDoS attacks, ransomware attacks, and malicious exfiltration of sensitive digital data.

Conclusion and Next Steps
The CoP clarifies governance expectations, technical baselines, and operational processes under the new cybersecurity regime, and resolves key uncertainties around CCS designation, material change triggers, and incident reporting thresholds and timelines. Although non-statutory in form, the CoP helps CIOs translate legal duties into implementable controls and measures, and anchors supervisory expectations that will be central to compliance audits and enforcement. The Commissioner may review and revise the CoP from time to time to reflect technological developments and industry best practice. Organisations that have been, or are likely to be, designated as CIOs should treat the CoP as the operative compliance benchmark and implement structured programmes to align governance and controls with both the CoP and the Ordinance.
