What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 2)
The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&A format on the key issues businesses and industries need to be aware of. In our first article in the series, we looked at sectors covered by the legislation and the designation process.
In this article, Pádraig Walsh from our Cybersecurity practice reviews the organisational obligations under PCICSO, and the preventive obligations for reporting material changes to critical computer systems.
3. Organisational Obligations
3.1 What is the main purpose of the organisational obligations of CI Operators?
The main purpose of organisational obligations of CI Operators under PCICSO is to ensure CI Operators have a sound management structure to implement necessary protection measures.
3.2 What are the main organisational obligations of CI Operators?
The main organisational obligations of CI Operators are to:
(a) maintain a permanent office in Hong Kong;
(b) notify the CICS Commissioner or Designated Regulator of a change of the organisation that operates the critical infrastructure;
(c) establish and maintain a computer-system security management unit (“CSS Management Unit”); and
(d) appoint an employee with adequate professional knowledge of computer-system security to supervise the CSS Management Unit.
3.3 Can the office of the CI Operator be a PO box, registered office address or virtual office?
No. The office in Hong Kong will not be merely an address to which notices and other documents may be given or sent. The office must also be the location where a CI Operator employs persons and conducts business. The office is expected to be the location for managing daily operations, making business decisions, interacting with stakeholders, and maintaining business records.
3.4 What are examples of changes in the organisation of a CI Operator?
Examples of operator changes include:
(a) Transfer of operations: The daily operation, management or maintenance of a critical infrastructure is changed from an existing CI Operator to another CI Operator.
(b) Cessation or closure: The existing CI Operator ceases to provide daily operation, management or maintenance of the critical infrastructure.
(c) Sale of operations (M&A): Merger, acquisition and other trade sale scenarios that affect the operation of the critical infrastructure.
Routine changes in shareholding or ownership transfer of a CI Operator do not in themselves constitute operator changes.
3.5 Can the CI Operator outsource or engage third parties to perform the functions of the CSS Management Unit?
The PCICSO expressly allows that the CI Operator can either set up and maintain the CSS Management Unit by itself, or engage a service provider instead. This includes engaging overseas or outsourced CSS Management Units. However, the person responsible for supervising the CSS Management Unit must be an employee appointed by the CI Operator.
3.6 What are the competence requirements for the supervisor of the CSS Management Unit?
The basic requirement is that the supervisor of the CSS Management Unit must have adequate professional knowledge of computer system security. This means possessing appropriate professional qualifications and professional experience in computer-system security commensurate with the risk of their CCSs to discharge the duties effectively.
Examples of appropriate professional qualifications include:
(a) Certified Information Security Professional (“CISP”);
(b) Certified Information Systems Auditor (“CISA”);
(c) Certified Information Security Manager (“CISM”); and
(d) Certified Information Systems Security Professional (“CISSP”).
3.7 What is the process to notify the CICS Commissioner in respect of organisational obligations?
The CICS Commissioner has published forms for the purpose of giving notice in respect of organisational obligations:
(a) Form for notifying office address [link];
(b) Form for notifying changes of CI Operator [link]; and
(c) Form for notifying employment of supervisor of CSS Management Unit [link].
In general, notice must be given within one month of designation as a CI Operator, or within one month after any material change in circumstances. Failure to give notice when required is an offence.
Designated Regulators may create separate notification forms.
4. Preventive Obligations
4.1 What is the main purpose of the preventive obligations of CI Operators?
The main purpose of preventive obligations of CI Operators under PCICSO is to ensure CI Operators take measures to prevent cyber attacks.
4.2 What are the main preventive obligations of CI Operators?
The main preventive obligations of CI Operators are to:
(a) notify material changes to CCS;
(b) submit and implement a computer-system security management plan (“CSS Management Plan”);
(c) conduct regular security risk assessments and submit a report; and
(d) carry out regular independent security audits and submit a report.
5. Preventive Obligations: Material changes to CCS
5.1 What constitutes a material change to a CCS?
A change to a CCS is a material change if the change:
(a) affects the computer-system security of the CCS, or the ability of the CI Operator to respond to a computer-system security threat or incident in respect of the CCS; or
(b) makes any information provided to the CICS Commissioner or Designated Regulator in respect of the CCS no longer accurate in a material particular.
This is generally a change that would reasonably be expected to have a significant effect on the computer-system security risk of a CCS or risk to the CI’s core function.
5.2 What type of material changes to a CCS trigger a notification obligation?
Material changes to a CCS that trigger a notification obligation to the CICS Commissioner or Designated Regulator are:
(a) a material change to the design, configuration, security or operation of a CCS;
(b) a CCS is removed from the critical infrastructure;
(c) a computer system is added to the critical infrastructure that is accessible by the CI Operator in or from Hong Kong, and is essential to the core function of the critical infrastructure;
(d) a change occurs to a computer system that is an existing computer system of the critical infrastructure and is accessible by the CI Operator in or from Hong Kong, such that the system becomes essential to the core function of the infrastructure.
5.3 What are examples of material changes to a CCS?
Examples of material changes to a CCS include:
(a) Platform migration;
(b) Server virtualisation;
(c) Major version upgrade of a core component (e.g. database);
(d) Changes to the computing platform or hardware;
(e) Application re-design;
(f) Significant code changes;
(g) Changes to the underlying infrastructure that supports the CCS;
(h) Integration with or change in interdependency on external systems or networks;
(i) Changes of mission or major functions that alter the CCS’s operational scope, intended purpose or requirements in security, resources or functions;
(j) Any system modification that fundamentally alters the characteristics or nature of the CCS; or
(k) Substantial changes in CCS components maintained by cloud service suppliers that the CI Operator becomes aware of.
5.4 What is the process to notify the CICS Commissioner in respect of material changes to CCS?
The CICS Commissioner has published a form for the purpose of giving notice in respect of changes to a CCS [link].
Designated Regulators may create separate notification forms.
The CI Operator must submit the completed form within one month of the triggering change event. The date on which the event occurs generally refers to the moment when a change is deployed to a production environment. If the deployment is conducted in phases, the date on which the event occurs should apply to each individual phase of the change deployment. A CI Operator can notify the CICS Commissioner of all changes collectively at the initial phase of the change deployment.
Failure to give notice when required is an offence.
5.5 Can the CICS Commissioner conduct follow up actions after notification of a material change to a CCS?
The CICS Commissioner may direct the CI Operator to:
(a) conduct a CSS Risk Assessment in respect of all or part of the CCS, and file the report for the assessment; or
(b) arrange to carry out a CSS Audit in respect of all or part of the CCS, and file the report of the audit.
CI Operators must have a substantive business presence in Hong Kong, with a dedicated management unit responsible for computer system security supervised by a suitably qualified and competent professional. This organisational setup is essential to be able to meet the other obligations under PCICSO, including the notification of material changes to a critical computer system summarised above.
In the next article in this series, we will look at further preventive obligations under PCICSO.
Pádraig Walsh
If you want to know more about the content of this article, please contact:
Pádraig Walsh
Partner | Email
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 2 April 2026.
