Protection of Critical Infrastructures (Computer Systems) Bill to be gazetted on Friday
***************************************************************************************
The spokesman said, "Critical infrastructures are infrastructures that are necessary for the maintenance of normal functioning of society and the normal life of the people. The Bill seeks to impose statutory requirements on designated operators of critical infrastructures to ensure they take appropriate measures to protect their computer systems and minimise the chance of essential services being disrupted or compromised due to cyberattacks, thereby maintaining the normal functioning of Hong Kong society and the normal life of the people. This is conducive to enhancing overall computer-system security in Hong Kong.
"The statutory obligations under the Bill are grouped into three categories, namely, organisational obligations, preventive obligations, and incident reporting and response obligations. Operators of critical infrastructures are required to set up dedicated management units to oversee their computer-system security, and take preventive measures to enhance their resilience against cyberattacks. When a computer-system security incident occurs, the operator shall report it to the Commissioner's Office responsible for enforcing the Ordinance, and at the same time take its own response measures to restore the systems in accordance with the emergency response plan it submitted. The Commissioner's Office may provide timely assistance and take remedial measures to contain the problem and minimise the chance of affecting other critical infrastructures, so as to maintain the normal operations in Hong Kong society and the normal life of the people."
The spokesman emphasised, "In drafting the Bill, reference has been made to relevant legislation of other jurisdictions to establish a regulatory model suitable for Hong Kong. The operators of critical infrastructures to be regulated will be those necessary for the continuous provision of essential services or maintaining critical societal and economic activities in Hong Kong, most of which are large organisations. Small and medium enterprises and the general public will not be regulated. The purpose of these statutory obligations to be imposed is to safeguard the security of the computer systems that are critical to the core functions of the critical infrastructure, and in no way target personal data and trade secrets."
The spokesman added, "The Security Bureau has started consulting various stakeholders since 2023 and has organised more than 30 consultation sessions so far. The Bureau also consulted the Panel on Security of the Legislative Council in July this year and launched a one-month consultation exercise. The Bureau reported the outcome of the consultation to the Panel on Security of the Legislative Council in October this year and incorporated the views received into the Bill as appropriate. On the whole, the stakeholders and society have responded positively to the legislation."
Ends/Wednesday, December 4, 2024
Issued at HKT 15:10
Issued at HKT 15:10
NNNN