| Section | Main offences against the operators | Maximum penalty |
|---|---|---|
| 19 | Failing to maintain an office in Hong Kong or to notify the authority of the change in office address within the specified time* | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 21 | Failing to set up or maintain a computer-system security management unit within the specified time | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 21 | Failing to appoint an employee with adequate professional knowledge to supervise the computer-system security management unit | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 22 | Failing to notify the authority of material changes to certain computer systems within the specified time* | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 23 | Failing to submit a computer-system security management plan/a revised plan within the specified time | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 24 | Failing to conduct a computer-system security risk assessment/to submit the assessment report within the specified time | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 25 | Failing to carry out a computer-system security audit/to submit the audit report within the specified time | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 27 | Failing to submit an emergency response plan/a revised plan within the specified time | A fine of $500,000 (a further fine of $50,000 for every day during which the offence continues) |
| 42 | Failing to comply with the specified requirements imposed by the Commissioner in response to computer-system security threats and computer-system security incidents without reasonable excuse | A fine of $500,000 |
| 45 | Failing to comply with the directions given or requirements imposed by the regulating authorities in relation to offences to be investigated without reasonable excuse | A fine of $500,000 |
| 7 | Failing to comply with the written directions given by the regulating authorities regarding the compliance with Categories 1 to 3 obligations | A fine of $5,000,000 (a further fine of $100,000 for every day during which the offence continues) |
| 18 | Failing to submit information to the regulating authorities as instructed on ascertaining CIs / designation of operators / designation of critical computer systems / understanding potential threats or potential incidents* | A fine of $5,000,000 (a further fine of $100,000 for every day during which the offence continues) |
| 20 | Failing to notify operator changes within the specified time* | A fine of $5,000,000 (a further fine of $100,000 for every day during which the offence continues) |
| 26 | Failing to comply with the Commissioner's written notice to participate in a computer-system security drill | A fine of $5,000,000 |
| 28 | Failing to notify the Commissioner of computer-system security incidents or submit a written report on the incidents within the specified time* | A fine of $5,000,000 |


| Section | Main offences against the CI operators | Maximum penalty |
|---|---|---|
| 58 | Allowing or permitting, without authority, any person to gain access to any confidential matter obtained under the Ordinance, or communicating such a matter to any person other than the one to whom the matter relates | A fine of $1,000,000 and imprisonment for 2 years |
| 58 | Disclosing, without authority, confidential information obtained under the Ordinance | A fine of $1,000,000 and imprisonment for 2 years |

*Notification must be made in the specified form and way

# For details, please refer to the Protection of Critical Infrastructures (Computer Systems) Ordinance.