With insights from Dr. Kunal Sehgal, Principal Cybersecurity Consultant (kunal.sehgal@zuhlke.com)

Hong Kong's 'Protection of Critical Infrastructures (Computer Systems) Bill' introduces strict cybersecurity mandates for organisations in critical sectors. The law aims to strengthen cyber hygiene by enforcing a comprehensive set of security controls, including regular risk assessments, real-time system monitoring, penetration testing, and timely incident reporting.

Organisations must not only implement robust cybersecurity measures but also demonstrate their effectiveness in mitigating cyber threats. Non-compliance may result in severe penalties, making it essential for businesses to take proactive steps toward meeting these new obligations. Compliance is no longer optional; it is a legal imperative, and the stakes could not be higher.

The challenge also lies in the law's ambiguity: it does not clearly define which organisations fall under the classification of 'critical infrastructure'. While it broadly targets sectors such as finance, telecommunications, healthcare, energy, and transportation, the lack of qualifying criteria may leave some businesses in limbo, uncertain about the need for compliance.

The risk? Unintentional non-compliance could trigger penalties, audits, or worse, expose vulnerabilities during a cyber crisis. With enforcement looming as early as 2026, businesses need to be proactive and ensure they are not caught off guard given this uncertainty.

A wake-up call for CIOs & CISOs of critical infrastructure operators

The Bill targets large organisations, especially those responsible for delivering essential services or maintaining vital societal and economic functions. Think CIOs of financial institutions, power grids, transport networks, and telecom providers, across sectors where a single cyber breach could paralyse business operations or disrupt daily life.
With enforcement set to begin on January 1, 2026, organisations must act now to ensure they are ready and meet the requirements within the time frame. We advise focusing on the following topics:

1. Submit and implement a computer-system security management plan for protecting the computer-system security of their critical computer systems. This plan must be prepared following the requirements specified in Schedule 3.

2. Conduct computer-system security risk assessments in respect of the risks relating to the computer-system security of their critical computer systems. The first assessment must be within 12 months of the designation date, and subsequent assessments at least once every 12 months thereafter. These assessments must cover all matters specified in Schedule 4.

3. Arrange to carry out computer-system security audits in respect of the computer-system security of their critical computer systems. The first audit must be within 24 months of the designation date, and subsequent audits at least once every 24 months thereafter. These audits must cover the specified period and all matters specified in Schedule 5, and must be carried out by an independent auditor.

4. Submit and implement an emergency response plan detailing the protocol for responding to computer-system security incidents in respect of their critical computer systems. This plan must be prepared following clause 27(3) and cover all matters specified in Part 2 of Schedule 3.

The Protection of Critical Infrastructures (Computer Systems) Bill is a game-changer, and the window to prepare is closing fast.

At Zühlke, we understand the complexity of this new regulatory landscape. As a global technology partner, we have helped organisations across industries, such as BitMEX and Justitia.Swiss, the Swiss justice system, to fortify their cybersecurity frameworks and navigate compliance challenges.

'The introduction of this new legislation couldn't be more timely. With cyberattacks surging by approximately 39% year-on-year, according to HKCERT, the threat landscape is growing more dangerous by the day. This serves as a wake-up call, urging organisations to strengthen their cybersecurity defences, before they become the next target.'

Raphael Reischuk, Partner and Group Head Cybersecurity