The recent proposal by the Security Bureau, “Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure (Proposed Framework)”, has sparked intense discussion within the industry. The Bureau expects to submit the related draft legislation to the Legislative Council by the end of 2024, with an anticipated effective date in early 2026. As a member of the industry, I would like to leverage my experience to share insights on this subject, helping all stakeholders to be fully prepared for the forthcoming opportunities and challenges.
Striking a Balance between Service Continuity and National Security
The implementation of this proposed legislation is imperative. I believe that regardless of the scale and mode of operation of enterprises, all operators of critical infrastructures for delivering essential services in Hong Kong (eight sectors, i.e. energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting) or other infrastructures for maintaining important societal and economic activities (e.g. major sports and performance venues, research and development parks, etc.) must prepare for the new compliance landscape. One primary objective of this proposed legislation is to maintain the continuity of critical services while meeting compliance requirements. For example, the uninterrupted operation of local community and livelihood matters is crucial, as is ensuring robust connectivity with Mainland government and business entities to prevent large-scale disruptions.
System Perfection is Not Required, But Resilience Is Essential
Another important aspect of securing critical infrastructure computer systems is accepting that these systems will be susceptible to attacks while ensuring they remain resilient. IT management departments and teams must have a comprehensive procedural framework in place, covering the tracking of network attacks and system failures, incident handling, timely recovery, and transparency in external communications.
Moreover, it is essential to understand that this legislation should not be perceived as an overwhelming threat. The government recognizes that no system can be perfectly secure and aims to promote a safer and more reliable digital economy. After receiving 53 submissions during the consultation period, the Security Bureau proposed to extend the severe incident reporting deadline from two hours to 12 hours, and other incidents to up to 48 hours, demonstrating a gesture of goodwill.
Enhancing Professionalism and Constructive Interactions with Regulatory Bodies
By the time the final legislative framework is officially enacted in 2026, regardless of any modifications, it is expected to enhance the IT industry’s ecosystem and the collaborative spirit among peers. Traditionally, some IT teams may be accustomed to managing daily operations through ad-hoc methods. However, as operational complexities and compliance requirements increase, there is a need for regulated processes and professionalization. IT teams must also strive for continuous improvement, for example by obtaining certifications such as ISO/IEC 27001 for information security management and ISO 9001 for consistent service quality.
In addition, businesses must not only ensure robust system security but also continuously understand and improve compliance-related operations. Establishing a positive relationship with regulatory bodies is crucial for fostering a proactive attitude that benefits enterprises, vendors, and the government alike, creating a “win-win-win” scenario. If you have any questions about the future direction of these issues, feel free to contact our team. Together, we can successfully navigate this inevitable digital transformation.