HONG KONG – The Hong Kong Special Administrative Region on Wednesday passed a cybersecurity law to regulate operators of critical infrastructure, forcing them to strengthen computer systems and report cybersecurity incidents or risk penalties of up to HK$5 million ($640,000).
Set to take effect in 2026, the law aims to safeguard the security of computer systems vital to the functioning of critical infrastructure, said Secretary for Security Chris Tang Ping-keung.
"It's definitely not to target personal information or commercial secrets," he added.
The law was necessary because disruption or sabotage of the computer systems at the heart of the SAR's critical infrastructure posed a risk to society and the economy, the Security Bureau told the Legislative Council.
Such incidents could have "a rippling effect affecting the entire society, seriously jeopardizing the economy, people's livelihood, public safety, and even national security", it added.
The legislation regulates operators of critical infrastructure that is necessary for the delivery of essential services and for maintaining important societal and economic activities in the city, according to the Security Bureau.
The first category, infrastructure for delivering essential services, covers the energy; information technology; banking and financial services; land transport; air transport; maritime; healthcare services; and communications and broadcasting sectors.
The second category covers other infrastructure needed for maintaining important societal and economic activities, such as major sports and performance venues and research and development parks.
“Operators to be regulated will mostly be large organizations. Small and medium enterprises and the general public will not be affected,” it added.
Authorities would notify the operators concerned but would not identify them publicly, to keep them from becoming targets, the city's security chief had said earlier.
The legislation does not cover the government, which has already put in place a set of detailed internal information technology security policies and guidelines, which are reviewed and updated regularly.
The law, which mandates annual security risk assessments and an independent security audit every two years, sets a deadline of two hours for reporting serious security incidents.
Non-compliance could lead to fines ranging from HK$500,000 to HK$5 million ($64,000 to $640,000), along with additional daily fines for persistent non-compliance in some cases.
“If the relevant violations involve breach of some existing criminal legislation, such as making false statements, using false instruments or other fraud-related offenses, as is the current situation, the officers involved may be held personally criminally responsible,” adds the Security Bureau.