On 19 March 2025, Hong Kong's Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill, which is now in force as the Protection of Critical Infrastructures (Computer Systems) Ordinance (PCICSO). It took effect on 1 January 2026 as Hong Kong's first dedicated critical infrastructure cybersecurity law. For a city that serves as Asia's leading financial centre, a global logistics hub and a gateway to the Greater Bay Area, the legislation was long overdue.
The PCICSO creates a regulatory framework that requires operators of critical infrastructure to meet specific cybersecurity standards, covering everything from organisational structure to incident reporting timelines. If your business operates in one of the eight regulated sectors, or if you are a vendor to an organisation that does, this law will change how you approach cybersecurity.
This guide breaks down the PCICSO in practical terms: who it applies to, what obligations it creates, what the penalties are, and exactly what you need to do to prepare. We have reviewed the full ordinance text, the General Code of Practice published on 1 January 2026, and the Energy sector code published on 28 January 2026 to give you the most complete and accurate picture available.
What Is the PCICSO and Why Does It Matter?
Hong Kong has long relied on sector-specific guidelines and voluntary frameworks for cybersecurity. The HKMA's Cybersecurity Fortification Initiative (CFI) covers banks. The Securities and Futures Commission has its own guidelines. But there was no unified, enforceable law covering all critical infrastructure. The PCICSO changes that.
The ordinance establishes the Commissioner of Critical Infrastructure (Computer System) Security, a new statutory office with the power to designate Critical Infrastructure Operators (CIOs) and their critical computer systems, issue codes of practice, conduct investigations and issue binding directions. Breaches are prosecuted as offences punishable by fines. The Commissioner regulates most sectors directly; two designated authorities take on that role for their own sectors: the HKMA for banking and financial services, and the Communications Authority for communications and broadcasting.
The law focuses specifically on computer systems that are essential to the continuous delivery of critical services. It does not regulate the entire business operation of a critical infrastructure operator, only the designated critical computer systems that, if compromised, could disrupt the essential service.
PCICSO targets institutional accountability rather than individual liability. Offences under the ordinance are committed by the operator as an organisation and are punishable by fines; the ordinance creates no personal criminal liability for employees or directors. The aim is systemic resilience rather than punishing individuals.
The 8 Regulated Sectors: Who Is Covered?
The PCICSO defines critical infrastructure in two limbs. The first covers infrastructure delivering an essential service in one of the eight core sectors. The second extends to infrastructure supporting other "important societal and economic activities", such as major sports and performance venues, technology and science parks, and research facilities.
| Sector | Regulating Authority | Examples of Infrastructure | Sector Code Published |
|---|---|---|---|
| Energy | Commissioner's Office | Power plants, gas networks, fuel supply | 28 Jan 2026 |
| Information Technology | Commissioner's Office | Data centres, cloud services, DNS providers | Pending |
| Banking & Financial Services | Hong Kong Monetary Authority (HKMA) | Banks, payment systems, clearing houses | Pending |
| Air Transport | Commissioner's Office | Airport systems, air traffic control, airlines | Pending |
| Land Transport | Commissioner's Office | MTR, bus management systems, traffic control | Pending |
| Maritime Transport | Commissioner's Office | Port management, container terminals, ferry systems | Pending |
| Healthcare Services | Commissioner's Office | Hospital Authority systems, eHealth record systems | Pending |
| Telecommunications & Broadcasting | Communications Authority (CA) | Fixed/mobile networks, ISPs, broadcast systems | Pending |
For the second limb the test is impact rather than sector: if your organisation operates large-scale digital systems on which the public or the economy depends, you may fall within scope even though you are not in one of the core eight sectors.
The 3 Categories of Obligations
Once an organisation is designated as a CIO, the PCICSO imposes three categories of legal obligations on it. Each carries specific requirements and timelines, and failure to comply is an offence.
Organisational Obligations
These obligations ensure the CIO has the structural foundation for cybersecurity governance. They must be met within the timeframe specified in the designation notice.
- Maintain an office in Hong Kong — the CIO must have a physical presence in HK, regardless of where the parent company is headquartered
- Establish a computer system security management unit — a dedicated team or function responsible for the cybersecurity of critical computer systems
- Appoint a senior oversight officer — a person in a position of authority within the organisation who supervises the security management unit
- Notify the Commissioner of the contact details of the security management unit and senior officer, and update within 30 days of any change
Preventive Obligations
Preventive obligations require CIOs to proactively manage cybersecurity risks through documented plans, regular assessments, and external audits.
- Develop and submit a Computer Security Management Plan (CSMP) — covering security policies, access controls, asset management, data backup, network security, and personnel responsibilities
- Develop and submit an Emergency Response Plan (ERP) — covering incident detection, escalation procedures, containment, recovery, and communication protocols
- Conduct computer system security risk assessments at least once every 12 months, and submit the results to the Commissioner
- Conduct independent computer system security audits every 2 years — performed by qualified external auditors, with results submitted to the Commissioner
- Comply with the General Code of Practice and any applicable sector-specific code of practice
Incident Response Obligations
The incident reporting obligations are the part of the ordinance that most directly tests a CIO's day-to-day operational capability. The clock runs from the moment the CIO becomes aware of an incident, so detection and classification have to be fast enough to leave time for the report itself.
- Report serious computer system security incidents within 12 hours of becoming aware of them; a serious incident is one that has disrupted, or is likely to disrupt, the essential service or compromise the critical computer system
- Report other computer system security incidents within 48 hours of becoming aware of them, including lesser incidents that could escalate
- Provide follow-up reports as required by the Commissioner, including root cause analysis and remediation steps
- Participate in computer system security drills organised by the Commissioner
- Cooperate with the Commissioner's investigation and audit powers; the Commissioner may enter premises, inspect systems and require production of documents
Obligation Matrix: Requirements at a Glance
| Obligation | Category | Frequency | Submission Required | Penalty for Non-Compliance |
|---|---|---|---|---|
| Maintain HK office | Organisational | Ongoing | Notification | HK$300,000 |
| Security management unit | Organisational | Ongoing | Notification | HK$300,000 |
| Submit CSMP | Preventive | Within 3 months of designation + updates | Yes — to Commissioner | HK$500,000 |
| Submit ERP | Preventive | Within 3 months of designation + updates | Yes — to Commissioner | HK$500,000 |
| Security risk assessment | Preventive | Every 12 months | Yes — results to Commissioner | HK$500,000 |
| Independent security audit | Preventive | Every 2 years | Yes — audit report to Commissioner | HK$500,000 |
| Report serious incidents | Incident Response | Within 12 hours of awareness | Yes — to Commissioner | HK$500,000 |
| Report other incidents | Incident Response | Within 48 hours of awareness | Yes — to Commissioner | HK$300,000 |
| Non-compliance with Commissioner direction | Enforcement | As directed | N/A | HK$5,000,000 |
Penalty Structure: What Non-Compliance Costs
The PCICSO's penalty regime is deliberately structured to make non-compliance more expensive than compliance. Fines range from HK$300,000 for administrative failures to HK$5,000,000 for non-compliance with Commissioner's directions. Continuing offences attract daily fines on top.
| Offence | Maximum Fine | Daily Fine (Continuing) |
|---|---|---|
| Failure to maintain HK office / security management unit | HK$300,000 | HK$50,000/day |
| Failure to submit CSMP or ERP | HK$500,000 | HK$50,000/day |
| Failure to conduct risk assessment / audit | HK$500,000 | HK$50,000/day |
| Failure to report serious incident within 12 hours | HK$500,000 | HK$100,000/day |
| Failure to report other incident within 48 hours | HK$300,000 | HK$50,000/day |
| Failure to participate in cyber drills | HK$500,000 | N/A |
| Non-compliance with Commissioner's direction | HK$5,000,000 | HK$100,000/day |
| Obstruction of Commissioner's investigation | HK$500,000 | N/A |
Missing a serious incident report and letting the failure run for a week could cost up to HK$500,000 + (HK$100,000 x 7 days) = HK$1,200,000. For context, implementing a comprehensive CSMP and ERP typically costs HK$200,000-600,000, less than the maximum penalty for a single week of non-compliance on a single obligation.
Implementation Timeline: Key Dates
The PCICSO follows a phased implementation approach. Understanding these dates is critical for planning your compliance programme.
Phase 1 designations are expected to focus on the highest-impact operators across the eight sectors. Once you receive a designation notice, you have 3 months to submit your Computer Security Management Plan (CSMP) and Emergency Response Plan (ERP). Security risk assessments are then due at least once every 12 months and independent security audits at least once every 24 months.
Do not wait for your designation notice. If your organisation is likely to be designated, begin developing your CSMP and ERP now. Three months is a tight timeline if you are starting from scratch, particularly for the initial risk assessment that a credible CSMP has to be built on, which typically takes 4-6 weeks in a complex infrastructure environment.
The Supply Chain Cascade: How PCICSO Affects Vendors
Even if your company is not a CIO, PCICSO will likely reach you through the supply chain. A CIO's CSMP has to cover the security of its critical computer systems, and that includes every IT vendor, cloud provider, managed service provider, software developer and outsourced service partner that has access to, or integrates with, those systems. CIOs will push their own obligations down to those parties contractually.
In practice, this means vendors can expect the following from their CIO clients:
- Security questionnaires and assessments — CIOs will require vendors to demonstrate their own cybersecurity practices, including certifications (ISO 27001, SOC 2), security policies, and incident response capabilities
- Contractual security clauses — expect new clauses covering data handling, access controls, breach notification obligations, right-to-audit provisions, and termination rights for security failures
- Incident notification requirements — vendors may be contractually required to notify the CIO within a few hours of detecting an incident that touches the CIO's critical systems, so that the CIO can still meet its own 12-hour deadline for serious incidents
- Regular security audits — CIOs may require vendors to undergo periodic security audits and share results
- Personnel security — background checks and security training for vendor staff who access CIO systems
Vendors who proactively achieve ISO 27001 certification, implement SOC 2 controls, and demonstrate PCICSO-aligned security practices will have a significant competitive advantage when selling to CIOs. This is a market differentiator, not just a compliance burden.
Sector-by-Sector Impact Assessment
The impact of PCICSO varies significantly by sector, depending on existing regulatory frameworks, digital maturity, and the criticality of the infrastructure.
| Sector | Existing Regulation | Additional PCICSO Burden | Preparation Priority |
|---|---|---|---|
| Banking & Finance | High (HKMA CFI, SPM TM-E-1) | Moderate — mostly alignment | Map CFI to PCICSO requirements |
| Telecom | Moderate (CA guidelines) | Moderate — formalise existing practices | Document and formalise CSMP |
| Energy | Low (sector-specific standards) | High — new obligations | Sector code already published — begin immediately |
| Healthcare | Low (internal HA policies) | High — significant new requirements | Build security governance from ground up |
| Transport (Air/Land/Maritime) | Variable (ICAO for aviation, limited for others) | High for land/maritime, moderate for air | Start with asset inventory and gap analysis |
| Information Technology | Low (market-driven standards) | High — formalises industry best practices | Leverage existing ISO/SOC certifications |
PCICSO Compliance Checklist
Whether you are a potential CIO or a vendor preparing for supply chain requirements, use this checklist to assess your readiness.
For Potential CIOs
- Assess whether your organisation operates systems essential to a critical service in the 8 sectors
- Confirm you have a physical office in Hong Kong with an authorised representative
- Identify or establish a computer system security management unit (internal or outsourced)
- Appoint a senior oversight officer with authority and accountability
- Begin drafting your Computer Security Management Plan (CSMP) aligned to the General Code of Practice
- Begin drafting your Emergency Response Plan (ERP), including the classification and escalation path that gets a serious incident reported within 12 hours of awareness
- Conduct an initial security risk assessment of your critical computer systems
- Identify qualified external auditors for your first independent security audit
- Review and update all vendor and supplier contracts with PCICSO-aligned security clauses
- Implement 24/7 security monitoring and alerting so that incidents are detected and classified early enough to meet the 12-hour and 48-hour reporting windows
- Establish a communication channel with the relevant sector authority
- Train all staff on incident recognition and reporting procedures
For Vendors and Suppliers to CIOs
- Review your client list to identify which clients may be designated as CIOs
- Obtain or work toward ISO 27001 certification or SOC 2 Type II compliance
- Document your own security policies, incident response procedures, and access controls
- Prepare for security questionnaires and vendor assessments from CIO clients
- Implement internal incident notification to affected CIO clients within a few hours of detection, so that they can meet their own 12-hour reporting deadline
- Review your cyber insurance coverage and update if needed
Frequently Asked Questions
Does PCICSO apply to my company if it is not a critical infrastructure operator?
Directly, no: PCICSO obligations apply only to designated Critical Infrastructure Operators (CIOs). However, if your company is a vendor, supplier or service provider to a CIO, you will face cascading contractual requirements. CIOs must ensure the parts of their supply chain that touch critical computer systems meet the security standards their CSMP commits them to, so expect stricter vendor assessments, security questionnaires and contractual obligations from your CIO clients.
How will I know whether my organisation will be designated as a CIO?
The Commissioner of Critical Infrastructure (Computer System) Security designates CIOs based on whether an organisation operates computer systems that are essential to the continuous delivery of a critical service in one of the eight regulated sectors. Designation is made by written notice and the list of CIOs is not published. Phase 1 designations are expected in the first half of 2026. If you operate in energy, IT, banking, transport, healthcare or telecom, proactively assess whether your systems qualify.
What are the penalties for late incident reporting?
Failure to report a serious computer system security incident within 12 hours of becoming aware of it can result in a fine of up to HK$500,000. For other incidents, failure to report within 48 hours can result in a fine of up to HK$300,000. Daily fines of HK$50,000 to HK$100,000 apply for as long as a failure continues. The ordinance focuses on institutional accountability, not individual criminal liability.
How does PCICSO relate to the PDPO?
The PDPO (Personal Data (Privacy) Ordinance) protects personal data and applies to every organisation that handles it. PCICSO protects critical infrastructure computer systems and applies only to designated Critical Infrastructure Operators. They are complementary: a CIO handling personal data must comply with both. PDPO focuses on data privacy rights; PCICSO focuses on the operational resilience and cybersecurity of essential services.
Can an outsourced security function satisfy the security management unit requirement?
Yes. PCICSO requires CIOs to maintain a computer system security management unit, but the ordinance does not require it to be fully in-house; the CIO remains accountable for it regardless of who staffs it. A CTO-as-a-Service provider can run your security management function, help develop your CSMP and ERP, manage the annual risk assessments and biennial audits, and coordinate incident response. This is particularly cost-effective for mid-sized operators who need senior security expertise without a full-time CISO hire.
Prepare for PCICSO Before Designation Day
The organisations that will navigate PCICSO most smoothly are those that start preparing now, before they receive a designation notice. At Astera Technology, our CTO-as-a-Service engagement includes a full PCICSO readiness assessment: we identify your critical computer systems, draft your CSMP and ERP, establish your security management function, and build the monitoring and escalation capability needed to meet the 12-hour serious-incident reporting deadline.
Our Cloud & DevOps team implements the security controls, monitoring, and alerting systems that underpin PCICSO compliance — from SIEM deployment to automated incident escalation workflows. Whether you are a potential CIO or a vendor preparing for supply chain requirements, book a free consultation to discuss your PCICSO readiness.
For broader cybersecurity guidance, read our comprehensive guide: Cybersecurity for Hong Kong SMEs. For data privacy compliance alongside PCICSO, see our PDPO Compliance for Software Development guide.