Scope and Targets of Regulation

Critical Infrastructures

Critical Infrastructures ("CIs") are the linchpin of society and economy, and are essential to maintaining the normal functioning of society. As such, their computer-system security must be safeguarded. The Ordinance covers two major categories of CIs as follows:

Category 1: Infrastructures for continuous provision of essential services in Hong Kong

These infrastructures relate to services that are vital for our everyday life, which, if disrupted, compromised, or rendered unavailable for an extended period, will significantly impact the everyday life and functioning of society. The following eight sectors are regulated under the Ordinance:

Energy
Information technology
Banking and financial services
Air transport
Land transport
Maritime transport
Healthcare services
Telecommunications and broadcasting services

Category 2: Infrastructures for maintaining critical societal or economic activities

These relate to infrastructures that may hinder or otherwise substantially affect maintenance of critical societal and economic activities in Hong Kong if they are damaged, lose functionality and suffer any data leakage. Examples:

Major sports venues
Major performance venues
Research and development parks

The Ordinance does not cover Government departments as the Government has already put in place a set of internal Government Information Technology Security Policy and Guidelines, which was formulated with reference to the latest international standards and industry best practices.

Ascertaining CIs

The factors considered in ascertaining whether an infrastructure is a CI include:

The kind of service provided by the infrastructure
Whether it will cause disruption or other significant impact for maintaining critical societal or economic activities in Hong Kong if the infrastructure is damaged, loses functionality or suffers any data leakage
Any other matters that the authority concerned considers relevant

Example: Power plants in the energy sector

Critical Infrastructures (CIs) Operators

The factors considered in considering designating an organization as an operator include:

The extent of dependence of the core function of the infrastructure concerned on computer systems
The sensitivity of the digital data controlled by the infrastructure concerned
The extent of control over the operation and management of the infrastructure concerned

Example: Electricity companies

Critical Computer Systems

The factors considered in considering designating a computer system as a critical computer system include:

Whether the computer system is accessible by operators in or from Hong Kong
The role of the subject system in respect of the core function of the infrastructure concerned
How such a core function will be impacted if the subject system is disrupted or destroyed
The extent to which the subject system is related to any other computer systems of the operator concerned
The extent to which the subject system is related to computer systems of other operators
Any other matters that the authority concerned considers relevant

Examples: Distribution systems and monitoring systems

The Ordinance covers critical computer systems of CI operators that are accessible in Hong Kong or accessible from Hong Kong. Example: Energy Sector, Critical Infrastructure: Power Plant, CI Operator: Electricity Company, Critical Computer Systems: Fuel transportation system, temperature monitoring system, Non‑critical Computer Systems: Attendance record system, recruitment system

Targets of Regulation

Only organizations designated as CI operators, and computer systems designated as critical computer systems under the Ordinance shall be subject to the regulation of the Ordinance.