Hong Kong's PCICSO: What Designated Critical Infrastructure Operators Must Do Now
Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force on 1 January 2026 — the city's first comprehensive cybersecurity law. Alongside the Ordinance, the new Office of the Commissioner of Critical Infrastructure (Computer-system Security) released the Code of Practice that translates high-level statutory duties into operational requirements. With Phase 1 designations now rolling out, every organisation that may be captured needs to understand what's coming, what's already required, and where the practical traps lie.
For more than a decade, Hong Kong managed cyber risk in critical sectors through voluntary frameworks, supervisory guidance, and sectoral expectations — most notably the Hong Kong Monetary Authority's Cybersecurity Fortification Initiative and Cyber Resilience Assessment Framework (C-RAF) for Authorised Institutions, and the Communications Authority's standards for telecommunications operators. The arrangement worked, but it left gaps: cyber resilience varied widely across sectors, suppliers were inconsistently held to standard, and no single regulator had the legal authority to compel action across the whole critical-infrastructure landscape.
That changed on 1 January 2026 with the entry into force of the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), or PCICSO. The Ordinance establishes a statutory regime applicable to designated Critical Infrastructure Operators (CIOs) across eight essential service sectors, with criminal penalties for non-compliance and a new dedicated regulator, the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (OCCICS), given powers to investigate, designate and direct.
On the same day, the Commissioner published the Code of Practice (Version 1.0) — the operational handbook that translates the Ordinance's broad statutory duties into specific, assessable requirements. While the Code is not subsidiary legislation and non-compliance with it is not itself an offence, it functions in practice as the compliance benchmark: the Commissioner may issue written directions referencing the Code's requirements, and failure to comply with such directions is a criminal offence.
This piece explains the regime: who is covered, the three categories of statutory obligations, how the Code of Practice fleshes them out, the supply-chain ripple already affecting third-party providers, the penalty regime, and what designated CIOs — and likely CIOs — should be doing this quarter.
Designations are confidential, but the obligations are not. The Government has stated it will not publicly disclose the list of designated CIOs (to reduce the risk of targeted cyberattacks), so the practical question for many organisations is not "have we been designated?" but rather "are we likely to be, and what work is needed if we are?". Phase 1 designations have been rolling out since early 2026.
Where the Regime Currently Sits
The PCICSO timeline has moved quickly by Hong Kong standards, with each milestone increasing the operational pressure on potentially in-scope organisations.
- 19 March 2025: PCICSO Bill passed. The Legislative Council passed the Protection of Critical Infrastructures (Computer Systems) Bill, completing more than two years of consultation and drafting. The Ordinance was gazetted on 28 March 2025.
- 27 June 2025: Commencement date set. The Security Bureau gazetted the commencement notice appointing 1 January 2026 as the date on which the Ordinance would come into operation.
- 1 January 2026: PCICSO in force; OCCICS established; Code of Practice released. The Ordinance came into operation. The Office of the Commissioner of Critical Infrastructure (Computer-system Security) was established under the Security Bureau, and Mr. Francis Chan Wing-on (former Chief Superintendent of the Cyber Security and Technology Crime Bureau) was appointed Commissioner for a three-year term. The Code of Practice Version 1.0 was issued the same day.
- Early 2026: Communications Authority adopts the Code. The Communications Authority, the designated authority for telecommunications and broadcasting, formally adopted the Code for CI operators in its sector. The HKMA is expected to issue a banking-and-financial-services sectoral code in due course.
- Q1–Q2 2026: Phase 1 designations rolling out. The Commissioner and designated authorities began issuing pre-designation inquiries to organisations operating in the eight covered sectors. These inquiries typically request network diagrams, dependency maps, sensitive-data inventories and design documentation, which the regulator uses to decide whether to designate the organisation as a CIO and which of its systems to designate as Critical Computer Systems.
- Ongoing: Supply-chain flow-down underway. Designated CIOs have been renegotiating contracts with suppliers and cloud providers to flow down PCICSO obligations, a pattern dubbed the "supply chain ripple". Suppliers that previously regarded themselves as out of scope are finding PCICSO-derived compliance clauses arriving in their contracts.
Who Is Covered
PCICSO applies to designated Critical Infrastructure Operators across eight essential service sectors:
- Energy — electricity, gas, town gas, and other essential energy services
- Information technology — data centres, digital service platforms, and other IT infrastructure essential to Hong Kong's economy
- Banking and financial services — supervised by the HKMA as the designated authority
- Land transport — railway, road, and other land-based transport infrastructure
- Air transport — airports and air traffic systems
- Maritime transport — ports and maritime traffic systems
- Healthcare — hospital networks, clinical systems, and related infrastructure
- Telecommunications and broadcasting — supervised by the Communications Authority as the designated authority
In addition to these eight, the Ordinance extends to major sports and performance venues and research and development parks where compromise could substantially affect critical societal or economic activities in Hong Kong. There is also a catch-all that allows the Commissioner to designate any other infrastructure whose damage, loss of functionality, or data leakage would substantially affect the maintenance of critical societal or economic activities.
Crucially, an organisation only becomes subject to the statutory obligations once formally designated as a CIO. Designation is by the Commissioner (for most sectors) or by the relevant designated authority — currently the HKMA for banking and financial services and the Communications Authority for telecommunications and broadcasting.
Designation criteria are operational, not corporate. The Commissioner considers how dependent the core function of the infrastructure is on computer systems, the sensitivity of the digital data the organisation controls, the extent of the operator's control over the infrastructure, and any information requested from the organisation. The Code clarifies that operational technology — SCADA, distributed control systems, and PLCs — falls squarely within scope, as do underlying components like networks, operating systems, middleware, IoT devices, and uninterruptible power supplies.
The Three Categories of Obligations
Designated CIOs face three categories of statutory obligations. Each category contains multiple specific duties; the Code of Practice translates each duty into operational requirements.
Category 1 — Organisational
Category 1 establishes the governance and accountability foundation for everything that follows.
- Maintain an office in Hong Kong. The CoP clarifies this means carrying on actual business activities in Hong Kong — managing daily operations and making business decisions locally — not merely holding a correspondence address. For multinationals, this has triggered structural rethinking of where cyber-governance accountability sits.
- Notify operator changes within one month. Any change of operator of the critical infrastructure must be notified in writing to the relevant regulating authority (the Commissioner or the sectoral designated authority). A change of ownership is not itself a notification trigger, since shareholding changes in large listed corporations are too frequent to track, but the transfer, expiry or termination of an operating contract is.
- Establish a computer-system security management unit. The unit must manage the security of the CCSs operated by the CIO. The CoP clarifies the unit and its supervising employee need not be based in Hong Kong, but the unit must have practical day-to-day authority over CCS security.
- Appoint a qualified supervisor. The person supervising the security management unit must have adequate professional knowledge in computer-system security. The CoP provides a non-exhaustive list of acceptable qualifications — including CISP, CISA, CISM and CISSP — and links competence to professional experience commensurate with the risk profile of the CCSs being protected.
Category 2 — Preventive
Category 2 is where the bulk of operational compliance work sits. It covers everything from identifying which systems are Critical Computer Systems through to implementing the technical and procedural safeguards that protect them.
- Identify and designate Critical Computer Systems (CCSs). Not every system operated by a CIO is a CCS — only those essential to the core function of the critical infrastructure. The CoP sets out indicators including materiality to the CI's core function, severe impact if disrupted, processing of sensitive digital data used directly in essential services, and strong dependencies with other CCSs or with other CIOs.
- Notify material changes. Material changes to a CCS — platform migrations, server virtualisation, major version upgrades, application redesigns — must be notified to the Commissioner. The notification window is broadly one month.
- Implement a board-approved Management Plan. The Plan must be approved by the CIO's Board, reviewed at least biennially or after major changes, and address policies, standards and guidelines aligned with business needs, statutory requirements and international standards.
- Establish enforceable computer-system security policies. Policies must cover the lifecycle of CCSs, technical safeguards, vulnerability management, and the operational technology components where applicable.
- Treat cloud services as part of the supply chain. The CoP is explicit: external cloud services used for CCSs are part of the supply chain. CIOs must require providers to comply with the relevant Code standards through contractual terms, and define shared responsibility between CIO and provider.
- Run regular training programmes. Security awareness training for personnel handling CCSs, covering policies, incident reporting and role-specific responsibilities, with the programme reviewed and updated regularly.
- Conduct security audits and risk assessments. Periodic independent audits and risk assessments must verify the design and operating effectiveness of CCS security controls.
Category 3 — Incident Reporting and Response
Category 3 governs how CIOs prepare for, respond to, and report cyber incidents affecting their CCSs.
- Maintain a board-endorsed Emergency Response Plan (ERP). The ERP must address detection, triage and classification, containment, eradication, recovery, communications, evidence preservation, and post-incident review.
- Participate in computer-system security drills. The Commissioner may require CIOs to participate in sector-wide or cross-sector drills to test response readiness.
- Notify incidents within the statutory timeframes. A computer-system security incident affecting a CCS must be notified to the Commissioner within the period the Ordinance prescribes; the Ordinance distinguishes serious incidents from other incidents, with a shorter window for the former. The Code sets the notification thresholds, content and channels, balancing the regulator's need for situational awareness against the CIO's need to keep responding to the incident.
- Preserve evidence and conduct post-incident review. Evidence must be preserved to support investigation, and post-incident review must feed back into the Management Plan and ERP for continuous improvement.
The Code of Practice — From Statute to Operations
The Ordinance sets high-level duties; the Commissioner's Code of Practice is what makes them operational. The Code clarifies governance expectations, technical baselines and operational processes, and resolves key uncertainties around CCS designation, material change triggers, and incident reporting thresholds and timelines.
Although the Code is not subsidiary legislation — failing to follow it is not, by itself, a criminal offence — it functions as the operative compliance benchmark. The Commissioner may issue written directions with reference to the Code's requirements, and failure to comply with such directions is an offence. In practice, this means designated CIOs should treat the Code as the standard against which their policies, controls and response capabilities will be assessed.
The Code also signals that designated authorities — the HKMA and Communications Authority currently, and others as designated — may issue sectoral codes for Category 1 and Category 2 obligations to reflect sectoral risk profiles. The Communications Authority has already adopted the Code for the telecommunications and broadcasting sector; the HKMA's banking-and-financial-services sectoral code is anticipated. For Authorised Institutions already familiar with C-RAF 2.0, the eventual sectoral CoP will likely complement rather than replace the existing framework — but interactions between PCICSO and CFI/C-RAF will need careful management.
The Supply Chain Ripple
The most significant secondary effect of PCICSO has been the rapid spread of compliance obligations beyond designated CIOs and into their supplier ecosystems. PCICSO explicitly requires CIOs to ensure their suppliers and cloud service providers adhere to specified security requirements. The Code reinforces this: external cloud services for CCSs are part of the supply chain, and shared responsibility must be defined contractually.
The practical consequence has been a renegotiation cycle through Q1 and Q2 2026. CIOs have been amending or replacing contracts with cloud providers, SaaS vendors, managed service providers, software suppliers, and consulting firms whose work touches CCSs — flowing down PCICSO-derived obligations through revised terms covering:
- Compliance with Code-equivalent security standards
- Audit rights and supervisory access
- Incident reporting to the CIO within defined timeframes
- Personnel screening and access controls
- Data handling and retention obligations
- Notification of material changes to supplier systems supporting CCSs
- Indemnification and liability for compliance failures
Suppliers and SaaS providers, including many headquartered outside Hong Kong, that previously regarded themselves as commercially independent are now receiving detailed compliance clauses with significant cost and operational implications. For some providers the realistic options are narrow: accept the flow-down terms in full; negotiate liability caps, which a CIO may resist because a capped recovery does not cover its own PCICSO penalty exposure; or exit the customer relationship.
The supply chain ripple changes the customer base. Even if your organisation is not itself a designated CIO, if you provide services that touch CCSs at a CIO — cloud hosting, SaaS, OT integration, managed security, professional services — you are likely facing PCICSO-derived obligations through your customer contracts. A defensible compliance posture is increasingly a commercial prerequisite for selling into the Hong Kong critical-infrastructure market.
Penalties and Enforcement
PCICSO is the first Hong Kong cybersecurity regime backed by genuine enforcement powers and meaningful penalties. Non-compliance with the statutory obligations, the Commissioner's requests, or the Commissioner's directions is a criminal offence. Fines for organisations range from HK$300,000 to HK$5 million, with daily penalties of up to HK$100,000 for continuing offences.
Directors and senior officers face personal liability where an offence is committed with their consent or connivance, or is attributable to their neglect. Separate criminal liabilities attach to providing false statements or obstructing the Commissioner's investigations.
The Ordinance also contains strict secrecy obligations around designation-related information. Unauthorised disclosure of information about a CIO's designation status, CCS designations, security plans or incident reports can attract fines of up to HK$1 million under section 57. This has practical implications for how organisations communicate internally about their compliance status — and is one reason the Government has chosen not to publicly disclose the list of designated CIOs.
Beyond regulatory penalties, designated CIOs face significant commercial exposure. A finding of non-compliance under PCICSO could serve as powerful evidence of negligence in civil claims brought by customers whose data was compromised or whose services were disrupted, even though the Ordinance does not create a direct private right of action.
Designated Authorities — Who Regulates What
PCICSO is administered by a small set of regulating authorities working together:
- The Office of the Commissioner of Critical Infrastructure (Computer-system Security) — OCCICS is the lead regulator. Established within the Security Bureau, the OCCICS has primary responsibility for monitoring and supervising compliance with the Ordinance, coordinating with designated authorities, and exercising investigation and direction powers. Mr. Francis Chan Wing-on, former Chief Superintendent of the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, was appointed as the inaugural Commissioner.
- The Hong Kong Monetary Authority (HKMA) is the designated authority for the banking and financial services sector. The HKMA will adopt the Commissioner's Code for Category 1 and Category 2 obligations in its sector and is expected to issue a sectoral code reflecting the specific risk profile of Authorised Institutions, supplementing the existing CFI 2.0 / C-RAF framework.
- The Communications Authority (CA) is the designated authority for the telecommunications and broadcasting services sector. The CA has already adopted the Commissioner's Code for Category 1 and Category 2 obligations.
The OCCICS retains supervisory responsibility for Category 3 obligations across all sectors, regardless of which designated authority oversees Categories 1 and 2. This means incident reporting flows centrally to the Commissioner, even where day-to-day supervision sits with the HKMA or CA.
What to Do This Quarter
For organisations operating in any of the eight covered sectors — whether you have received a pre-designation inquiry or not — there are practical steps worth taking in the next 90 days.
- Conduct a designation likelihood assessment. Review your operations against the eight sectors and the major-venue / R&D-park extensions. Map dependencies, sensitive-data flows, and the extent of operational and management control. If you are likely to be designated, prepare as if you already have been.
- Inventory potential Critical Computer Systems. Identify the systems essential to your core function — including OT systems, control systems, transactional platforms, and the underlying IT infrastructure that supports them. Apply the CoP's CCS indicators: materiality, impact, sensitive-data processing, dependencies.
- Benchmark against the Code of Practice. Treat the Code as the operative compliance benchmark. Run a structured gap analysis across all three obligation categories and identify where existing policies, controls and response capabilities fall short.
- Brief the board. The Management Plan and Emergency Response Plan both require board approval or endorsement. Make sure the board understands the regime, the likely designation status, the gap, and the remediation horizon before you need their approval on artefacts.
- Establish the Hong Kong office and security management unit. If you are likely to be designated and don't already have a substantive Hong Kong presence with daily decision-making authority, address this early. Identifying a qualified supervisor with adequate professional knowledge takes time.
Three things are worth doing in the next two quarters.
- Negotiate supplier and cloud provider flow-down terms. If you are a CIO, flow down the compliance obligations to your supply chain through revised contracts. If you are a supplier, review your liability exposure under PCICSO-derived clauses arriving from CIO customers — and make sure your indemnification and liability caps are commensurate with the new risk.
- Establish a quarterly assessment cadence. Single-point compliance is not enough. The Commissioner will examine whether compliance is being actively maintained — biennial Management Plan reviews are the floor, not the ceiling. A quarterly self-assessment cadence with structured remediation and audit-grade evidence is the operational rhythm that earns supervisory trust.
- Plan for sectoral CoPs. For banks and Authorised Institutions, the HKMA's sectoral code is anticipated. For telecommunications and broadcasting operators, the CA's adoption of the Code is already in effect. Build flexibility into your compliance programme to absorb sectoral overlays without re-architecting.
The Bottom Line
PCICSO marks a paradigm shift in Hong Kong's approach to cybersecurity: from voluntary frameworks to legally enforceable obligations, with criminal penalties, supplier flow-down and a dedicated cross-sector regulator. The Code of Practice provides the operational detail; designations are rolling out through 2026; and the supply chain ripple is already reaching providers well beyond the designated CIOs themselves.
For organisations likely to be designated, complying with PCICSO is not a one-off project but a continuous programme: assessment, evidence, board approval, training, audit, response readiness, periodic review. Organisations that begin that work now, before formal designation, before the Commissioner's first inquiry and before a regulator-directed audit, give themselves the runway to reach a defensible compliance posture without statutory deadlines bearing down on them.
Frequently Asked Questions
When did PCICSO come into force?
The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force on 1 January 2026. The Office of the Commissioner of Critical Infrastructure (Computer-system Security) was established on the same day and immediately issued the Code of Practice (Version 1.0). Phase 1 designations of Critical Infrastructure Operators are rolling out through 2026.
Which sectors does PCICSO cover?
PCICSO covers eight essential service sectors: energy, information technology, banking and financial services, land transport, air transport, maritime transport, healthcare, and telecommunications and broadcasting. The Ordinance also extends to major sports and performance venues and research and development parks where their compromise could substantially affect critical societal or economic activities. Operators within these sectors are not automatically captured — they must first be formally designated as Critical Infrastructure Operators by the Commissioner or the relevant designated authority.
What are the three categories of obligations under PCICSO?
Designated CIOs face three categories of statutory obligations. Category 1 (Organisational) requires maintaining a Hong Kong office, notifying the regulator of operator changes, and establishing a computer-system security management unit supervised by qualified personnel. Category 2 (Preventive) requires identifying Critical Computer Systems, implementing a board-approved Management Plan, establishing security policies and technical controls, managing supply chain and cloud security, conducting audits, and running training programmes. Category 3 (Incident Reporting and Response) requires a board-endorsed Emergency Response Plan, participation in security drills, and notifying incidents to the Commissioner within designated timeframes.
What are the penalties for PCICSO non-compliance?
Non-compliance with PCICSO statutory obligations or the Commissioner's directions is a criminal offence. Fines range from HK$300,000 to HK$5 million, with daily penalties of up to HK$100,000 for continuing offences. Directors and senior officers may also face personal liability where an offence is committed with their consent or connivance, or is attributable to their neglect. Unauthorised disclosure of designation-related information under section 57 attracts fines of up to HK$1 million.
Does PCICSO affect suppliers and cloud providers?
Yes, indirectly but significantly. Designated CIOs are required to ensure their suppliers and cloud service providers adhere to specified security requirements, and have been actively flowing down PCICSO obligations through revised contracts since the Ordinance came into force. Suppliers and SaaS providers whose systems touch CIO critical operations are facing detailed compliance clauses, audit rights, and incident-reporting obligations. The Code of Practice explicitly treats external cloud services for Critical Computer Systems as part of the supply chain, with shared responsibility expectations between CIOs and providers.
Who are the designated authorities under PCICSO?
Two sectoral designated authorities have been named. The Hong Kong Monetary Authority (HKMA) is the designated authority for the banking and financial services sector, and the Communications Authority (CA) is the designated authority for the telecommunications and broadcasting services sector. Both may issue sectoral codes for Category 1 and Category 2 obligations to reflect sector-specific risk profiles. The Office of the Commissioner of Critical Infrastructure (Computer-system Security) — the OCCICS — has oversight for all other sectors and retains supervisory responsibility for Category 3 obligations across all sectors.
Assess Your PCICSO Posture
The CyberAssure PCICSO Assessment evaluates your compliance posture across all three statutory obligation categories — Organisational, Preventive, and Incident Reporting & Response — generating OCCICS-ready Word and Excel reports, a structured gap register, and a prioritised remediation roadmap built around the Commissioner's Code of Practice.