New Hong Kong cyber law forces first-time oversight on key sectors
Hong Kong’s 2026 ordinance puts critical infrastructure under mandatory cybersecurity compliance.
Hong Kong's Legislative Council passed its inaugural cybersecurity legislation on March 19, bringing large-scale regulatory oversight to critical infrastructure operators—some of whom will face enforceable cybersecurity obligations for the first time.
The law mandates incident reporting within two hours of a breach and imposes strict requirements around system audits, risk prevention, and governance structures. Targeted at essential sectors including banking, energy, healthcare, transport, and IT, the law threatens penalties of up to HK$5 million for noncompliance.
“For other areas, there will be new people who are coming under the umbrella of a formal cybersecurity type of reporting and obligation with a regulator for the first time,” said Pádraig Walsh, Partner at Tanner De Witt Hong Kong. “And for those businesses, they will need to prepare significantly more.”
Unlike broader privacy laws, the ordinance zeroes in on businesses with operational infrastructure critical to Hong Kong’s economic stability. “It’s really directed towards businesses in certain critical sectors, or large venues that may have been running events or engagements that are important to the economy as a whole,” Walsh said.
Designated sectors include energy, healthcare, land, air and maritime transport, telecommunications, information technology, banking, and financial services. The government will further narrow scope by designating specific “important or critical” computer systems within each sector.
While some sectors—such as finance and telecommunications—already face cybersecurity scrutiny under regulators like the HKMA or Communications Authority, the law introduces a unified benchmark for cyber resilience and breach accountability. “They do need to be aware of new reporting obligations, particularly around incident reporting,” Walsh added.
The ordinance requires compliance in three areas: internal organisational structure, preventative system testing, and incident response planning. “There are organisational obligations about how you set yourself up… preventative measures… and an incident response plan that you will need to prepare, activate when needed, and [file] reporting obligations,” said Walsh.
The ordinance has already been gazetted. A new cybersecurity commissioner will soon be appointed under the Security Bureau to begin drafting implementation guidelines and building an enforcement unit.