Regulatory Ramblings: Episode 83 – Hong Kong’s New Protection of Critical Infrastructures (Computer Systems) Ordinance

This episode focuses on Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance. Currently in bill form before the territory’s Legislative Council, it is expected to go into effect in January 2026. The discussion first features Wendy Chow, Invest Hong Kong’s Head of Digital Technologies & Data Infrastructure, on how her group is raising awareness of the forthcoming legislation locally.

Following that, the conversation moves to Nicky Au, Ensign InfoSecurity’s General Manager, Greater Bay Area, and Pierre Malgorn, I-TRACING Cybersecurity’s Asia Pacific Director, about what financial institutions and corporations need to do to prepare for the new law.

The Protection of Critical Infrastructures (Computer Systems) Ordinance in Hong Kong seeks to safeguard the computer systems of designated Critical Infrastructures (CIs) by creating a regulatory framework to boost cybersecurity and strengthen defenses against cyber threats. The Ordinance will take effect on January 1, 2026.

Who are Considered Critical Infrastructure Providers?

Organizations that are crucial for delivering essential services for daily life and that operate in the following eight designated sectors will be affected:

Air Transport, Banking and Financial services, Energy, Healthcare services, Information Technology, Land Transport, Maritime, and Telecommunications and Broadcasting services.

Key highlights:

  • The Ordinance requires organizations that manage critical infrastructure in Hong Kong to comply with strict cybersecurity regulations.
  • Failure to meet the Ordinance’s obligations may result in fines ranging from HK$500,000 to HK$5 million. For ongoing offenses, an additional daily fine of HK$50,000 to HK$100,000 may be imposed for each day the offense persists.
  • Penalties target the organization as a whole, not senior management individually. However, individuals may be personally liable for crimes such as providing false information or committing fraud.

Biography:

Wendy Chow is based in Hong Kong and has been with Invest Hong Kong for almost a quarter of a century in various roles. She is currently the Head of Digital Technologies and Data Infrastructure. She specializes in providing bespoke guidance and hands-on facilitation services to help establish and grow mainland Chinese and overseas tech businesses in Hong Kong and regional markets.

An HKU alum, she holds a BA, a master’s in social science in mental health, and an MBA from the University of Hong Kong. She also has an MA degree from the University of Massachusetts Amherst.

Nicky Au is Ensign InfoSecurity’s Hong Kong-based General Manager for the Greater Bay Area. He is a graduate of the City University of Hong Kong, where he earned his bachelor’s degree in business administration with a focus on information systems, and he is also a certified professional, holding CISSP, CISM, CISA, and CISP-CISO certifications.

Pierre Malgorn is the Asia Pacific Director for I-TRACING Cybersecurity. He holds an engineer’s degree in IT technologies from the EPF Engineering School in Cachan, France, and is currently based in Hong Kong.

Discussion:

The spotlight chat begins with Wendy sharing why the Ordinance matters to Hong Kong and what it means for the territory’s digital regulatory landscape. She goes on to explain Invest Hong Kong’s role in raising awareness of the bill and helping the local business community understand and adapt to it. She also shares her thoughts on whether there was sufficient cybersecurity and infrastructure support locally in the city and, if not, what the strategy was to attract more talent and firms to Hong Kong.

Wendy acknowledges that for multinationals operating across Asia, the regulatory landscape can be complex. Yet, the belief is that the new ordinance is necessary and will strengthen Hong Kong’s long-term position as a secure, reliable hub for international business.

Following that, we continue the discussion on the Ordinance with Nicky and Pierre. They share their views on how the law will likely affect their clients and what they are doing to help them prepare for its rollout. While awareness and preparation are key for smooth implementation, the Ordinance’s definition of “critical infrastructure” can seem broad. Nicky and Pierre comment on how they help companies determine whether they are covered by the new law and on the practical first steps they would recommend.

They also comment on how the Ordinance introduces financial penalties, which are helping change the conversation at the board level, with cybersecurity matters now treated as a core business risk. Increasingly, the risk landscape includes emerging threats such as AI-powered attacks. Nicky and Pierre comment on how new technologies are changing the threat landscape for their clients and how they would advise them to build genuine security—going beyond mere box-ticking and compliance.

A sad reality is that in a major cyber incident, the local authorities will get involved. How does one prepare their clients to manage crisis communications while interacting with regulators, law enforcement, and policymakers? Our guests offer some “dos” and “don’ts” for such scenarios.

The Regulatory Ramblings podcast is brought to you by The University of Hong Kong – Reg/Tech Lab, HKU-SCF Fintech Academy, Asia Global Institute, and HKU-edX Professional Certificate in Fintech, with support from the HKU Faculty of Law.

Connect with RR Podcast at:

LinkedIn: https://hk.linkedin.com/company/hkufintech 
Facebook: https://www.facebook.com/hkufintech.fb/
Instagram: https://www.instagram.com/hkufintech/ 
Twitter: https://twitter.com/HKUFinTech 
Threads: https://www.threads.net/@hkufintech
Website: https://www.hkufintech.com/regulatoryramblings 

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net
