
From Guidance to Action: Operational Implications of Hong Kong’s Critical Infrastructures (Computer Systems) Ordinance Code of Practice

January 29, 2026

Hong Kong’s “Protection of Critical Infrastructures (Computer Systems) Ordinance” (Cap. 653) came into force on 1 January 2026. The related “Code of Practice” (“Code”) sets out clear, practical expectations for operators of critical computer systems (CCSs) in Hong Kong. The Code is guidance rather than subsidiary legislation. BRG’s Asia–Pacific Cyber and Forensic Technology team highlights the essentials of this ordinance to help operators avoid regulatory directions and potential enforcement action.

Why This Matters

  • Practical baseline. The Code provides a structured, risk-based framework to protect CCSs and aligns with international best practice.
  • Broader scope. Operational technology (OT) is treated explicitly as a computer system, and legacy industrial systems are now squarely in scope.
  • Regulatory visibility. Regulators will expect detailed technical submissions and timely incident reporting. Transparency and documented controls matter.

Checklist for Immediate Priorities

  • Confirm designation. Identify systems that meet CCS criteria (material role, disruption impact, sensitive data, interdependencies), and prepare the technical documents regulators will expect.

  • Governance and presence. Maintain a Hong Kong office for official correspondence, and set up a security management unit led by appropriately certified staff.
  • Security management plan. Draft, submit and implement a computer system security management plan endorsed by senior management and reviewed at least every two years. Ensure it covers governance, risk management, security by design, asset inventories, access controls, patch/change management, backups, cloud and supply chain security, monitoring and training.
  • Testing and assurance. Schedule vulnerability assessments, penetration tests, independent audits and biennial security drills.
  • Incident readiness. Put incident notification processes in place: serious incidents within twelve hours, other incidents within forty-eight hours, and written reports within fourteen days.

Practical Trade‑Offs to Consider

  • Speed vs. disruption. Rapid remediation reduces regulatory risk but can disrupt operations. Prioritise high-impact CCSs, and apply compensating controls for fragile OT systems.
  • In-house vs. third-party assurance. Decide which supplier controls to accept and where independent testing or audits are needed to satisfy regulators.
  • Documentation as evidence. Regulators will look for senior management sign-off and clear records. Invest now in concise, auditable documentation.

Conclusion

The Code establishes a robust framework for CI operators (CIOs) to safeguard critical computer systems. It emphasises risk management, compliance, incident response and continuous improvement.

The Code aligns with international standards and best practices, ensuring resilience and security of essential services in Hong Kong.

Operators must maintain transparency, accountability and readiness to respond to evolving threats and regulatory requirements.

Next Steps

Consider a short gap assessment to identify priority actions and the minimum evidence regulators will expect. BRG professionals can help translate the Code into practical, defensible actions such as:

  • Gap assessments: mapped to the Code, with a concise remediation roadmap
  • Drafting and review: computer system security management plans and incident playbooks
  • Technical assurance: vulnerability assessments, penetration testing and independent audits aligned to regulator expectations
  • OT and supply chain advice: pragmatic compensating controls and supplier assurance frameworks
  • Readiness exercises: tabletop and live drills to validate response and evidence readiness

This is the first article in the new client alert series APAC LegalTech & Cyber Digest, where BRG professionals will share monthly updates highlighting key developments across legal technology, data governance, cybersecurity, and eDiscovery in the Asia‑Pacific region.
