Critical infrastructures, critical infrastructure operators and critical computer systems
The regulating authorities (i.e. the Commissioner's Office and the designating authorities) will approach organizations that may be designated as critical infrastructure ("CI") operators, communicate with them thoroughly to understand their business operations and the computer systems on which they rely to provide services, and request relevant information to assist in considering the designation. Organizations designated as CI operators will receive written notice from the regulating authorities, setting out the effective date and the critical computer systems covered.
No. To avoid making CIs targets of attack, the Ordinance only sets out the sectors of CIs and does not disclose the list of designated CI operators.
Considering the technological development and risk assessments, the Secretary for Security may, by subsidiary legislation, amend the Schedule to the Ordinance, including the definition and sectors of CIs.
The Ordinance does not prohibit individual operators from disclosing their identities. However, the provisions on preservation of secrecy under the Ordinance stipulate that specified persons (e.g. employees of the regulating authorities), except in the performance of any function under the Ordinance or in specific circumstances, must not disclose information accessible to them in the performance of any official duties. Offenders may be prosecuted.
An authority may, by written notice, require a potential CI operator to provide information that the authority reasonably considers necessary for learning about the operator and its critical computer systems. Such information includes, but is not limited to, details of the potential CI operator and/or the critical computer systems in respect of:
- organization chart of the company
- system functions
- network infrastructure diagram
- nature and volume of data processed
- manufacturers and models of hardware and software
- information technology or telecommunications services provided by third parties
- backup plans
- information and technical specifications of the system design and operation, etc.
Obligations of Critical Infrastructure (CI) operators
Category 1 – Organizational obligations
The Ordinance requires operators to employ a head to supervise the computer-system security management unit, and the head must possess adequate professional knowledge. The Ordinance does not impose any requirements on other personnel in the unit.
The Codes of Practice have incorporated recommended qualifications of the heads concerned for reference. CI operators may also employ personnel with relevant professional experience based on the technical specifications and security risk assessments of their critical computer systems.
Yes. The Ordinance does not prohibit CI operators from engaging overseas or outsourced computer-system security management units. However, the head responsible for supervising the unit must be an employee appointed by the operator.
Operatorship changes include:
- termination of operating contract, merger or acquisition of the existing operator
- sale of operatorship of facilities by the existing operator to another operator
- transfer of the daily operation, management, maintenance, and supervision of critical computer systems to another company
Routine changes in shareholding or ownership transfer of an operator do not constitute operatorship changes.
No, they cannot operate without a local presence. The Ordinance requires operators to maintain a permanent office in Hong Kong for conducting business operations.
Category 2 – Preventive obligations
Generally, "material changes" refers to changes to the design, configuration, security, or operation of a computer system that are expected to change the risks of a critical computer system or the risks of performing the core function of a CI. Examples of "material changes" include (but are not limited to) platform migration, server virtualization and application re-design.
There is no prescribed format for the computer-system security management plan submitted by an operator. It has to include details of the organizational structure of the security management unit, roles and responsibilities of personnel engaged, and the operator's various policies and guidelines on the protection of its critical computer system, which should cover over 20 areas such as risk management, asset management, access control, account management, physical security, change management, remote access, cyber security, cloud security, supply chain management, etc.
CI operators should conduct a risk assessment with reference to national and internationally recognized methodologies and industry standards. Such assessment also has to include matters on conducting security vulnerability assessments and penetration tests. The risk assessment report has to cover identification and prioritization of relevant risks relating to the security of the critical computer system, determine the extent of the likely impact as well as the level of risks that the system can tolerate, and set out the treatment procedures and monitoring measures required to deal with the identified risks.
The Codes of Practice do not impose requirements on the independence of the personnel conducting risk assessments. However, security vulnerability assessments should be conducted under the supervision of personnel with relevant qualifications while penetration tests should be carried out by personnel with relevant qualifications.
CI operators should conduct a computer system security risk assessment with reference to nationally or internationally recognized methodologies, or industry standards. Computer-system security audit reports for submission have to include sections such as report summary, background and objectives, audit methodologies, assumptions and limitations, scope, investigation findings, etc.
CI operators may engage independent auditors or have the audit performed by an internal audit department not involved in the operation or maintenance of the critical computer system concerned, to ensure the independence of the audit. It should also be ensured that the audit personnel must possess the relevant professional qualifications and that the audit is conducted with reference to national, international or industry standards.
Category 3 – Incident reporting and response obligations
Incidents involving unauthorized access to the critical computer system, or posing an actual adverse effect on computer-system security, must be reported to the authorities within the specified time after a CI operator becomes aware of them. Examples include (but are not limited to) ransomware attacks or denial-of-service attacks leading to system outage, malicious tampering with system settings or data by hackers, and theft of sensitive data or alteration of access rights by employees. Incidents caused by misconfigurations due to human error, natural disasters, accidents, etc., fall outside the scope of the Ordinance, and there is no need to notify the authorities of them.
"Becoming aware of" should be interpreted according to its general literal meaning. A short period of investigation for confirming whether or not an incident has occurred may generally not be regarded as being "aware". When personnel of an operator's computer-system security management unit detect service interruption or anomalies in the system, it may take time for them to confirm whether any incident has occurred. The personnel are regarded as "becoming aware of" an incident when they reasonably confirm that the incident has occurred.
A computer-system security incident is considered a serious incident if it has disrupted, is disrupting or is likely to disrupt the core function of a CI. The Commissioner's Office must be notified within 12 hours after the operator becomes aware of such an incident.
In other cases, where the incident poses other actual adverse effects on the security of the critical computer system (i.e. compromising or undermining the availability, integrity and confidentiality of the information of or services provided by that system, or its protection capability), the authorities must be notified within 48 hours after the operator becomes aware of such incident.
By notifying the OCCICS after becoming aware of an incident, a CI operator fulfils only its statutory obligation under the Ordinance. It still has to notify the relevant authorities in accordance with other applicable laws or industry regulatory requirements, and it should report to the Police for assistance should criminal elements be involved.
Regulation and law enforcement
If a regulating authority suspects that a CI operator has failed to comply with its obligations, or that its compliance with obligations is defective, it may request information from the operator to look into the situation.
If the regulating authority confirms the above circumstances, it may issue written directions requiring the CI operator to make rectifications. Non-compliance with written directions by CI operators constitutes an offence. The maximum penalty is a fine of $5,000,000, and in the case of a continuing offence, a further fine of $100,000 may be imposed for every day during which the offence continues.
CI operators can outsource their work, but not their responsibilities. CI operators must ensure compliance with statutory obligations, e.g. by requiring third-party service providers to assist operators in complying with statutory obligations through contract terms.
CI operators have to submit information accessible to them in or from Hong Kong upon request by the authorities. A CI operator may raise the "due diligence" defence for offences in respect of non-compliance with Category 1 to 3 obligations or with written directions issued by regulating authorities, i.e. that the commission of the offence concerned was due to causes beyond the CI operator's control, and that the CI operator took all reasonable precautions and exercised all due diligence to avoid committing the offence.
The CI operator is still required to submit information accessible to them in or from Hong Kong in accordance with the laws of Hong Kong, i.e. in compliance with the request made by the authority under the Ordinance. The Ordinance provides for the statutory defences of "due diligence" or "reasonable excuses" (whichever is appropriate). Whether a particular circumstance constitutes a defence will be determined by the court on a case by case basis.
The Ordinance imposes penalties on CI operators on an organizational basis, and these are restricted to fines only. However, if the relevant violation by personnel of a CI operator also infringes other criminal legislation, such as making false statements, using false documents or engaging in other fraud-related crimes, the personnel involved could be held personally criminally liable.
No. The provisions on preservation of secrecy under the Ordinance (section 57) apply to "specified persons" (e.g. employees of the regulating authorities): except in the performance of any function under the Ordinance or in specific circumstances, they must not disclose information accessible to them in the performance of any official duties, and offenders may be prosecuted. In general, CI operators and their employees are not "specified persons" and are therefore not bound by these provisions.
Codes of Practice
Failure by CI operators to fulfil statutory obligations in accordance with the provisions of the Codes of Practice does not in itself constitute an offence. CI operators may still achieve comparable outcomes through alternative measures, provided that the objectives of the provisions of the codes of practice are met. If a CI operator is found breaching statutory obligations, the authority may issue written directions requiring the operator to make rectifications. It constitutes an offence should an operator fail to comply with the written directions.
Developed with reference to national, international and industry standards, the codes of practice are believed to be applicable to most operators. However, regulating authorities may issue sector‑specific codes of practice taking into account the actual circumstances and operational needs of the sectors under their regulation.
If a CI operator considers that individual provisions of the Codes of Practice are not applicable to its organization, it should communicate with the regulating authorities to work out appropriate solutions.
Others
The Ordinance does not target personal data or business secrets in the computer systems. In soliciting information from CI operators, the authorities seek to request them to properly fulfil their obligations in protecting their critical computer systems, thereby ensuring timely assessment and response in the event of incidents.
The authorities will not request personal data from members of the public. Members of the public should not trust others easily if they receive a call from someone claiming to be the personnel of the Commissioner's Office requesting the provision of personal data or bank information under various pretexts.
In case of doubt, they should call the "Anti-Scam Helpline" at 18222 or report to the Police for assistance.