Gabriela Kennedy, Joanna K.C. Wong, and Roslie Liu of Mayer|Brown write:
On 1 January 2026, the Office of the Commissioner of Critical Infrastructure (Computer-system Security) issued a Code of Practice (the “CoP”) under the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the “Ordinance”), which came into force on the same day (see our previous legal update on Hong Kong passing its first cybersecurity legislation regulating critical infrastructures). The CoP clarifies key requirements under Hong Kong’s new critical infrastructure cybersecurity regime and sets a baseline for compliance across sectors. On the same date, the Hong Kong Government appointed Mr. Francis Chan Wing-on, former Chief Superintendent of the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, as Commissioner of Critical Infrastructure (Computer-system Security) for a three-year term.
The CoP translates the high-level obligations under the Ordinance into specific, actionable requirements for critical infrastructure operators (“CIOs”). It clarifies scope and governance expectations, and specifies compliance processes, marking a clear shift from principles to implementation. Although the CoP is not subsidiary legislation, it will be a central reference point for supervisory expectations and for any enforcement directions addressing non-compliance under the Ordinance.
What the CoP is and how it will be used
The CoP is not subsidiary legislation and non-compliance with it does not itself constitute an offence. However, the Commissioner may issue written directions with reference to the CoP’s requirements, and failure to comply with such directions is an offence. In practice, the CoP functions as a compliance handbook against which CIOs can benchmark their cybersecurity governance and controls.
Read more at Mayer|Brown.