Currently, some sectors are already regulated (e.g. through a licensing regime) by statutory sector regulators ("regulators"), and these regulators are familiar with the operations and needs of the relevant sectors. As such, these regulators are specified as designated authorities under the Ordinance to regulate the discharge of organizational (Category 1) and preventive (Category 2) obligations by CI operators in these sectors. The Commissioner's Office will take charge of regulating the operators of all sectors with respect to compliance with the incident reporting and response (Category 3) obligations.
In this way, designated authorities may establish a set of standards and requirements for the organizational and preventive obligations under the Ordinance that best suit their sectors' needs. Relevant operators need not duplicate effort by separately fulfilling requirements of the Commissioner's Office for these two categories of obligations. Meanwhile, the Commissioner's Office retains full visibility of the incident reporting and response arrangements of all operators, enabling co-ordination, investigation and assistance, and helping to prevent an incident from spreading to other sectors.
The Monetary Authority and the Communications Authority are specified as designated authorities under the Ordinance. They are responsible for regulating operators currently under their regulation in the banking and financial services sector as well as the telecommunications and broadcasting services sector respectively.
Functions and powers of designated authorities
For CI operators under their purview in the Ordinance:
- Identify and designate CI operators and critical computer systems
- Monitor CI operators' compliance with organizational and preventive obligations
- Issue codes of practice to CI operators, setting out the proposed standards for the organizational and preventive obligations
- May issue a written direction to a CI operator if the operator has failed to comply with the organizational or preventive obligations, or if the operator's compliance is defective
For details, please refer to the Protection of Critical Infrastructures (Computer Systems) Ordinance.