Communications Authority - Frequently Asked Questions

Q1:

What is critical infrastructure ("CI")?

A1:Pursuant to section 2 of the PCICSO, CI refers to –

(a) any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in the following sectors –

Energy;
Information technology;
Banking and financial services;
Air transport;
Land transport;
Maritime transport;
Healthcare services; and
Telecommunications and broadcasting services; or

(b) any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong.

Q2:

What is critical computer system ("CCS")?

A2:Pursuant to section 13 of the PCICSO, a regulating authority may, by written notice to a CI operator regulated by the authority, designated a computer system that (a) is accessible by the CI operator in or from Hong Kong; and (b) is essential to the core function of a CI operated by the CI operator, as a CCS for the infrastructure.

Q3:

Which regulating authority will be responsible for the enforcement of category 3 obligations?

A3: The Commissioner, as a regulating authority under the PCICSO, is responsible for, among others, the enforcement of category 3 obligations relating to incident reporting and response of CI operators for all eight sectors under the PCICSO.

Q4:

What kind of organizations is regulated by CA under the PCICSO?

A4: CA may, by written notice, designate a regulated organization in the telecommunications and broadcasting services sector as a CI operator if the organization operates a CI specified by CA. Regulated organizations include the following types of licensees –

A holder of a unified carrier licence;
A holder of a space station carrier licence;
A domestic free television programme service licensee; and
A licensee as defined by section 13A(1) of the Telecommunications Ordinance (Cap. 106).

CI operators to be regulated will mostly be large organizations. Small and medium enterprises and the general public will not be affected.

Q5:

Which organizations have been designated as CI operators by CA?

A5:To prevent CIs in the telecommunications and broadcasting services sector from becoming targets of cyberattacks, CA will not publish the list of CI operators designated by CA.