What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 4)

Apr 14 2026

The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available here, here, here and here.

In this article, Pádraig Walsh from our Cybersecurity practice reviews the reporting and response obligations in respect of security drills led by the Commissioner of Critical Infrastructure (Computer-system Security) and maintaining a detailed emergency response plan.

9. Incident Reporting and Response Obligations

9.1 What is a computer-system security incident?

A computer-system security incident is an event that:

(a) involves unauthorised access to the CCS or any other unauthorised act on or through the CCS or another computer system; and

(b) has an actual adverse effect on the computer-system security of the CCS.

9.2 What is the main purpose of the incident reporting and response obligations of CI Operators?

The main purpose of incident reporting and response obligations of CI Operators under PCICSO is to ensure CI Operators respond to incidents and recover CCS promptly.

9.3 What are the main incident reporting and response obligations of CI Operators?

The main incident reporting and response obligations of CI Operators are to:

(a) participate in a computer-system security drill required by the CICS Commissioner;

(b) submit and implement a computer-system security incident emergency response plan; and

(c) notify computer-system security incidents to the CICS Commissioner.

9.4 What is the role of the designated regulators in respect of incident reporting and response obligations under PCICSO?

There is no primary role for the designated regulators in respect of incident reporting and response obligations under PCICSO. The CICS Commissioner will perform those obligations directly.

The regulatory intent is that designated regulators can apply specialist sector regulatory oversight and expertise in respect of organisational and preventive obligations, while the CICS Commissioner will have global oversight of incident reporting and response by all CI Operators. So, CI Operators that deal with their designated regulators for organisational and preventive obligations for computer system security under PCICSO, must directly deal with the CICS Commissioner for incident reporting and response obligations under PCICSO. Those CI Operators may have sector specific reporting obligations in addition to the obligations to the CICS Commissioner.

The currently designated regulators under PCICSO are the Hong Kong Monetary Authority for the banking and financial services sector, and the Communications Authority for the telecommunications and broadcasting services sector.

10. Incident Response Obligations: Security drills

10.1 Can the obligation to perform a security drill be performed unilaterally by CI Operators?

The statutory obligation under PCICSO specifically relates to a requirement notified by the CICS Commissioner in writing to participate in a computer system security drill conducted by the CICS Commissioner. The CI Operator cannot excuse itself from this statutory requirement on the basis of the conduct of internally organised security drills.

10.2 What are the purposes of the security drill?

The purposes of the security drill are for the CICS Commissioner to test the CI Operator’s readiness to respond to security incidents, primarily:

(a) assessing the validity and effectiveness of the CI Operator’s emergency response plan; and

(b) assessing the participating personnel’s knowledge of their roles and responsibilities in responding to security incidents.

10.3 What are the features of a security drill conducted by the CICS Commissioner?

The particular features of a security drill will be determined by the CICS Commissioner. The security drill may be conducted as a tabletop exercise, functional exercise, simulated attack or other means directed by the CICS Commissioner.

A security drill may involve multiple CI Operators in the same or different sectors, and multiple government units. The purpose could be to test the coordination of security incidents with large societal or economic impacts and restoration of public order.

A security drill will not involve actual deployment of CCSs or their production environment.

10.4 How frequently will security drills be conducted?

No more than once every two years.

10.5 Who would be required to attend a security drill?

The expectation of the CICS Commissioner is that these persons should attend a security drill:

(a) management personnel with a role in the emergency response plan;

(b) CSS Management Unit;

(c) emergency response team members;

(d) corporate communications personnel; and

(e) other personnel necessary for the particular security drill.

10.6 What is the role of the CICS Commissioner after the security drill?

The CICS Commissioner will provide comments on the performance of the CI Operator in the security drill, including areas for improvement. The CI Operator will be required to take remedial actions to adopt and implement the recommendations of the CICS Commissioner.

10.7 Is participation in a security drill conducted by the CICS Commissioner discretionary?

It is mandatory for a CI Operator to participate in a security drill conducted by the CICS Commissioner, once the CICS Commissioner has given written notice to the CI Operator to do so. Failure to participate once notified is an offence.

11. Incident Response Obligations: Emergency response plan

11.1 What is the basic obligation of the CI Operator in respect of its emergency response plan?

A CI Operator must submit an emergency response plan detailing the particulars and process for the CI Operator’s response to security incidents in respect of CCS of its critical infrastructure within three months of its designation by the CICS Commissioner, and within one month after any revisions thereafter.

11.2 What is the scope of the emergency response plan?

The scope of the emergency response plan should include incident management, and business continuity management and disaster recovery planning.

11.3 What is incident management?

The incident management aspects of the emergency response plan ensure that the incident response activities are carried out in an orderly, efficient and effective manner, minimising damage from the security incident.

11.4 What is business continuity management?

The primary focus of business continuity management is on the CI Operator’s ability to continue essential operation during disruptions arising from security incidents.

11.5 What is disaster recovery planning?

The primary focus of disaster recovery planning is on the effective restoration of the CCS from severe disruption. This enhances the resilience of business operations in connection with CCS.

11.6 Who is responsible for the emergency response plan?

The emergency response plan is considered a critical document by the CICS Commissioner, and is not an administrative matter. The CI Operator must ensure that the emergency response plan and any subsequent material changes are approved by:

(a) the Board of Directors of the CI Operator;

(b) a functional sub-committee properly delegated by the Board; or

(c) senior management overseeing the operation of the concerned critical infrastructure, such as a Chief Executive Officer or Chief Operating Officer.

11.7 What security incident response matters should be included in the emergency response plan?

The security incident matters to be included in the emergency response plan include:

(a) the structure, roles and responsibilities of a team responsible for responding to security incidents;

(b) the threshold for initiating emergency response protocols to security incidents;

(c) the procedures for reporting security incidents;

(d) the procedures for investigating the cause and assessing the impact of security incidents, including playbooks for:

(i) containing the security incident;

(ii) handling of digital evidence, including identification, collection, acquisition, preservation of evidence and chain of custody;

(iii) investigating the cause and impact of the incident;

(iv) recording the incident response process, including details of the incident, actions taken and decisions made; and

(v) conducting a post-incident review;

(e) the recovery plan for resuming the provision of essential services by, or the normal operation of, affected critical infrastructure;

(f) the plan for communicating with stakeholders and the general public in respect of security incidents;

(g) the recommended post-incident measures for mitigating the risks of recurrence of security incidents, including a post-security incident review that addresses:

(i) facts and causes of the security incident;

(ii) gaps in existing governance, risk management and compliance in respect of the security incident, and the degree of consequence;

(iii) effectiveness and efficiency in executing the emergency response plan; and

(iv) improvement actions recommended; and

(h) the review procedure for the emergency response plan.

11.8 What business continuity matters should be included in the emergency response plan?

The business continuity matters to be included in the emergency response plan include:

(a) the business continuity objectives to be achieved;

(b) business impact analysis of the CCS to identify, as applicable:

(i) maximum tolerable downtime (“MTD”);

(ii) recovery time objectives (“RTO”);

(iii) recovery point objectives (“RPO”); and

(iv) minimum service levels (“MSL”);

(c) resources needed to resume the relevant business processes;

(d) policies and procedures to ensure continuity of essential services;

(e) roles and responsibilities of relevant management and personnel;

(f) training and testing to ensure responsible employees are familiar with the business continuity plan and policy; and

(g) evaluation and review whenever there are material changes to CCS.

11.9 What disaster recovery matters should be included in the emergency response plan?

The disaster recovery matters to be included in the emergency response plan include:

(a) a recovery strategy that aligns with the business continuity objectives;

(b) policies and procedures for backup, taking into account geo-location risk management for data hosting sites;

(c) recovery procedures to an alternative site, including resumption plans for the primary site;

(d) regular testing of backup media and telecommunication services; and

(e) evaluation and review whenever there are material changes to CCS.

11.10 What training obligations are required by CI Operators?

The CI Operator must ensure all members of the emergency response team are familiar with both their own roles and responsibilities and those of other team members as defined in the emergency response plan. The CI Operator must also provide training for all team members to ensure their capabilities to carry out their assigned duties.

Members of the emergency response team are expected to participate in security drills conducted by the CICS Commissioner, and may be subject to comment by the CICS Commissioner in respect of performance at that security drill.

11.11 How should the emergency response plan address communication matters in the context of security incident response?

The CI Operator must ensure there are multiple communication channels (e.g. phone, correspondence and email) available to effectively communicate with stakeholders in response to the security incident.

The CI Operator should appoint at least two contact points for non-working hours emergencies in relation to computer security issues. The contact points will be required to maintain communication with the CICS Commissioner during an emergency, and should also be capable of handling security incidents or relaying security messages to responsible personnel in a timely manner. The CI Operator must provide contact details of these contact points to the CICS Commissioner.

11.12 Are there requirements in respect of data gathering in the course of security incident response?

The CI Operator is expected to collect and preserve digital evidence of the security incident, and is encouraged to engage capable incident response and forensic examination personnel to do so. Where essential business operations are impacted, the CI Operator must initially prioritise timely system recovery to restore them; otherwise, collection of digital evidence is the priority.

11.13 How frequently should the emergency response plan be reviewed?

The emergency response plan should be reviewed upon any material changes to CCS, and in any event at least once every two years.

11.14 What is the process to notify the CICS Commissioner in respect of the emergency response plan?

There is no prescribed format for an emergency response plan. Accordingly, the CICS Commissioner has not published a prescribed form for the purpose of giving notice.

The CI Operator must submit the emergency response plan to the CICS Commissioner within three months of designation, and thereafter within one month of any revision to the emergency response plan.

Failure to give notice when required is an offence.

11.15 What other regulatory oversight is there of the emergency response plan?

PCICSO includes a positive statutory obligation on CI Operators to implement the emergency response plan. The Code of Practice requires that the CI Operator should provide necessary resources required to implement the emergency response plan. It is not a document for presentation and filing purposes. It is a document to direct the activities of the CI Operator in respect of CCS.

Cybersecurity professionals will be very familiar with security drills and exercises. They are the tried and tested means of assessing whether an emergency response plan is fit for purpose. The innovation of PCICSO is to set the framework for the conduct of those drills periodically on the scale of the Hong Kong economy. An emergency response plan is a critical document, and will assist CI Operators to think through foreseeable issues that might arise in a security incident.

In the next article in this series, we will look at specific incident notification obligations under PCICSO.

Pádraig Walsh

If you want to know more about the content of this article, please contact:

Pádraig Walsh
Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 14 April 2026.
