Background
Critical infrastructures ("CIs") refer to infrastructures that are essential or of great importance to maintaining the normal functioning of society and the normal life of the people. Nowadays, the operation of CIs has become more dependent on the Internet, computer systems, telecommunications infrastructures, smart devices and the like, and the computer systems of CIs are increasingly vulnerable to cyberattacks with serious consequences. If the computer systems of CIs are disrupted or sabotaged, such incidents could affect society as a whole, seriously jeopardizing the economy, people's livelihood, public safety and national security.
Legislative intent
The Protection of Critical Infrastructures (Computer Systems) Ordinance ("the Ordinance") is enacted to serve the following primary purposes:
- Impose statutory requirements to safeguard the computer-system security of CIs that maintain the normal functioning of society
- Minimise the chance of essential services being disrupted or compromised by cyberattacks, and require CI operators to strengthen the protection of their computer systems
- Establish the Office of the Commissioner of Critical Infrastructure (Computer-system Security) ("the Commissioner") and empower existing regulators of individual sectors to enforce the law
Legislative principles
- Set out a regulatory model suitable for Hong Kong with reference to the laws of other jurisdictions
- Target primarily large organizations; small and medium enterprises and the general public will not be affected
- In no way target personal data and business information in the systems
- Set out basic requirements from which CI operators can build up and enhance their capabilities for securing their computer systems with regard to their own needs and characteristics