Hong Kong’s New Critical Infrastructure Ordinance will be effective by 1 January 2026 – What CIOs Need to Know

December 12, 2025 | NSFOCUS

As the clock ticks down to the full enforcement of Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance on January 1, 2026, designated operators of Critical Infrastructures (CI operators, or CIOs) and their Critical Computer Systems (CCS) must act decisively. This landmark law mandates robust cybersecurity measures for CCS to prevent disruptions; non-compliance risks investigations, fines, and reputational damage.

For the full text of the Ordinance, see: https://www.elegislation.gov.hk/hk/2025/4!en

What Constitutes Critical Infrastructure?

The Ordinance defines critical infrastructure (CI) in two categories:

1. Essential Services: Systems vital for continuous delivery of services in eight sectors:

  • Energy
  • Information technology
  • Banking and financial services
  • Air transport
  • Land transport
  • Maritime transport
  • Healthcare services
  • Telecommunications and broadcasting services

2. Important Societal/Economic Activities: Designated assets like major sports venues or research parks that, if compromised, could severely impact society or the economy (e.g., data leakage from controlled systems).

Key Obligations for CIOs

CIOs must comply with specified cybersecurity measures under the oversight of the Commissioner of Critical Infrastructure (Computer-system Security) and sector-specific Designated Authorities (e.g., Hong Kong Monetary Authority for finance; Communications Authority for telecom). Requirements include:

  • Risk Assessments: Conduct regular reviews of CCS vulnerabilities at least once a year.
  • Security Audits: Arrange independent audits at least once every two years.
  • Incident Notification: Report serious incidents (those disrupting or likely to disrupt core functions) within 12 hours; general incidents within 48 hours.
  • Emergency Response Plans: Develop, submit, and implement plans for threats and drills.
  • Information Submission: Provide data to authorities upon request, regardless of location.
  • Mitigation Measures: Adopt protocols to prevent, detect, and respond to cyber risks.

Comparison of practice: Hong Kong SAR, China versus Chinese Mainland

| Practice | Hong Kong SAR, China | Chinese Mainland |
| --- | --- | --- |
| Security Grading System | No grading (pure risk-based) | Mandatory Multi-Level Protection System (MLPS), Level 1–5 |
| Risk Assessments | Within 12 months after the operator’s designation date (first period), and at least once every 12 months after the expiry of the first period | Annual |
| Security Audits | At least once every two years | Every one, two or three years depending on the MLPS grading |
| Security Drill | Take part in a security drill organized by the Commissioner’s Office at least once every two years | Participate in the annual security drill organized by regulators |
| Incident Reporting | 12 h for serious incidents, 48 h for others | 1 h for Grade 4–5, 24 h for others |

Non-compliance can result in investigations, enforcement actions, and penalties.

How NSFOCUS Makes This Doable (and Fast)

Waiting for perfect internal resources is not an option. NSFOCUS has been protecting critical infrastructure in China and globally for 25 years and offers two ready-to-deploy solutions that directly address the Ordinance:

| Solution | What It Does for You | Ordinance Mapping |
| --- | --- | --- |
| NSFOCUS VAPT | CREST-accredited penetration testing (black/gray/white box) on networks, web apps, APIs and cloud. Licensed by the Cybersecurity Services Regulation Office (CSRO) of Singapore and the National Cyber Security Agency (NACSA) of Malaysia, in accordance with the Cybersecurity Act 2018 (Singapore) and the Cyber Security Act 2024 (Malaysia). | Covers Risk Assessments in Schedule 4 – Matters Specified for Computer-system Security Risk Assessments |
| NSFOCUS RSAS | Vulnerability scanner with 300k+ vulnerabilities, covering hosts, cloud and OT. Compatible with CVE, CNCVE, CNVD, CNNVD and the NSFOCUS vulnerability database. | Same as NSFOCUS VAPT |

World-leading banks, telcos, airlines and utilities already use NSFOCUS services and tools for their compliance reports.

For more information, please visit the following link:

https://nsfocusglobal.com/services/nsfocus-security-assessment-services/

https://nsfocusglobal.com/products/remote-security-assessment-system/

or contact NSFOCUS Hong Kong:

Room 507, 5/F New Tech Plaza, 34 Tai Yau Street,
San Po Kong, Kowloon, Hong Kong
TEL: +852 3461 9770
gcrmarketing@nsfocusglobal.com