The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) ("PCICSO") comes into operation on 1 January 2026. It aims to impose statutory obligations on designated operators of critical infrastructures ("CI operators") to ensure they adopt appropriate measures to protect their computer systems, minimising the risk of essential services being disrupted or compromised due to cyberattacks, thereby maintaining the normal functioning of Hong Kong society and the daily lives of its people.

The PCICSO imposes three categories of statutory obligations on CI operators as follows –

Roles and functions of the Communications Authority ("CA")

The Commissioner is responsible for, among other things, the monitoring and supervision of compliance with the provisions of the PCICSO, and coordinating the implementation of the PCICSO with designated authorities. CA, as a designated authority under the PCICSO, is responsible for enforcing the PCICSO in respect of supervising and monitoring compliance with category 1 obligations and category 2 obligations by CI operators in the telecommunications and broadcasting services sector under its purview.

Code of Practice

Pursuant to section 8 of the PCICSO, the Commissioner issued a Code of Practice ("CoP") that provides practical guidance on how a CI operator is to comply with category 1 obligations, category 2 obligations and category 3 obligations under the PCICSO.

CA adopts the CoP in respect of category 1 obligations and category 2 obligations of CI operators regulated by CA. The adoption of the Commissioner's CoP does not preclude CA from issuing any sectoral codes of practice in respect of category 1 obligations and category 2 obligations of CI operators under its purview when necessary.