What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 5)
The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available here, here, here, and here.
In this article, Pádraig Walsh from our Cybersecurity practice reviews the strict notification and reporting obligations owed to the CICS Commissioner under PCICSO.
12. Incident Response Obligations: Incident notice and reporting obligations
12.1 What is the basic obligation of the CI Operator in respect of notification and reporting of security incidents?
The basic obligation of the CI Operator is to notify and report a computer system security incident to the CICS Commissioner if it becomes aware of the security incident.
12.2 What is the policy purpose of computer-system security incident notification?
The policy purpose is to enable the CICS Commissioner to assess the overall consequences of the computer-system security incident. The CICS Commissioner will assess the consequences for the provision of essential services in different sectors, or for the maintenance of critical societal or economic activities in Hong Kong. The CICS Commissioner will then assess and take appropriate remedial measures to prevent the impact from spreading to other sectors.
12.3 What is a notifiable computer-system security incident?
All computer-system security incidents are notifiable. A computer-system security incident is an event that:
(a) involves unauthorised access to the CCS or any other unauthorised act on or through the CCS or another computer system; and
(b) has an actual adverse effect on the computer-system security of the CCS.
12.4 What are examples of notifiable computer-system security incidents?
Examples of notifiable computer-system security incidents are:
(a) large-scale or volumetric distributed denial of service (“DDoS”) attack causing degradation of an essential service;
(b) ransom DDoS attack where a ransom note is received;
(c) ransomware attack that causes suspension of an essential service or shows signs of data compromise;
(d) unintended external connection to a CCS caused by malware infection or by an adversary exploiting a vulnerability;
(e) an employee or other insider accesses sensitive digital data of a CCS and maliciously exfiltrates that data or maliciously misconfigures the access privilege of the CCS;
(f) configurations or data of a CCS are modified by a malicious payload or script;
(g) an employee or other insider abuses his authority to interfere with the functioning of the CCS; and
(h) any tampering with cryptographic key management devices that hampers the normal functioning of a CCS.
12.5 What is a notifiable serious computer-system security incident?
A notifiable serious security incident is a computer-system security incident which has disrupted, is disrupting or is likely to disrupt the core function of the critical infrastructure concerned. The timelines for notifying a serious security incident are shorter.
12.6 How can a CI Operator assess if a notifiable computer-system security incident is also a serious security incident?
A computer-system security incident is considered as a serious incident if:
(a) the downtime affecting the core function of the critical infrastructure concerned has exceeded or is likely to exceed the maximum tolerable downtime prescribed in the business continuity management plan of the CI Operator;
(b) the service performance has dropped or is likely to drop below the minimum service level prescribed in the business continuity management plan of the CI Operator;
(c) the incident has triggered or is likely to trigger the activation of business continuity or disaster recovery procedures;
(d) the incident has caused or is likely to cause the leakage of a material volume of customer data according to volumes prescribed in the business continuity management plan of the CI Operator;
(e) the incident has leaked or is likely to leak sensitive digital data that hampers the normal functioning of the CCS;
(f) the incident has caused or is likely to cause a material number of customer enquiries or complaints according to numbers and volume prescribed in the business continuity management plan of the CI Operator; or
(g) threat actors have threatened to launch an attack against a CCS at a specified time that would likely trigger any of these scenarios.
12.7 Are all incidents causing adverse impacts to a CCS notifiable?
No. Examples of incidents that would not be notifiable include:
(a) an event arising from pure technical failure;
(b) natural disaster;
(c) mass power outage;
(d) a computer-system security threat that is detected and timely removed or quarantined; or
(e) personal data leakage arising from human mistake.
12.8 What is the timeline for notifying a computer-system security incident?
The CI Operator must notify the CICS Commissioner as soon as practicable after becoming aware of a computer-system security incident, and no later than 48 hours after becoming aware. The timeline is shorter for a serious computer-system security incident.
Failure to give notice when required is an offence.
12.9 What is the timeline for notifying a serious computer-system security incident?
The CI Operator must notify the CICS Commissioner as soon as practicable after becoming aware of a serious computer-system security incident, and no later than 12 hours after becoming aware.
Failure to give notice when required is an offence.
12.10 When will a CI Operator be considered to have become aware of a computer-system security incident?
The CICS Commissioner accepts that, once signs of disruption or irregularity are noticed in a CCS, a short period of investigation is needed to confirm whether a computer-system security incident has occurred. Once the CI Operator has a reasonable degree of certainty that a computer-system security incident has occurred, the CI Operator will be deemed to have become aware of the computer-system security incident.
12.11 How is the notification made?
The CICS Commissioner has published a prescribed form [link] that must be used by the CI Operator to notify the CICS Commissioner of a computer-system security incident. The CI Operator should complete the form as far as practicable based on the information available, and submit the form through a designated secured channel.
The CI Operator may first make the notification to a designated telephone number. If the initial notification is not in the prescribed notice form of the CICS Commissioner, then the CI Operator must complete and submit the prescribed notice form to the CICS Commissioner within 48 hours of the initial notification.
12.12 What information is required under the prescribed notice form?
The prescribed notice form requires information on:
(a) name of the CI Operator;
(b) CCS affected;
(c) assessment of seriousness of the incident;
(d) nature of the incident;
(e) time of identifying the incident, and of becoming aware of it;
(f) summary of key incident points; and
(g) details of the reporting party.
If the initial notification is by call to a designated number, then the information required is:
(a) the nature of the computer-system security incident;
(b) the CCSs involved; and
(c) the key summary points of the incident.
In this case, the prescribed notice form must be submitted within 48 hours of the call.
12.13 What is the timeline for providing a report to the CICS Commissioner on a computer-system security incident?
The CI Operator must submit a report to the CICS Commissioner in respect of the computer-system security incident within 14 days after the date on which the CI Operator became aware of the incident.
Failure to submit a report when required is an offence.
12.14 What is the process to submit a report to the CICS Commissioner in respect of a computer-system security incident?
The CICS Commissioner has published a prescribed form for the purpose of submitting a report in respect of a computer-system security incident [link].
12.15 What information is required under the prescribed report form?
The prescribed report form requires information on:
(a) name of the CI Operator;
(b) details and physical location of CCS affected;
(c) nature and details of the incident;
(d) point of intrusion;
(e) root cause analysis;
(f) time of identifying the incident, and of becoming aware of it;
(g) method and means of identification of the incident;
(h) details of vulnerabilities found;
(i) impact assessment, including scope of impact, operational and service impact, data impact, customer/third party impact, and financial impact;
(j) duration of disruption;
(k) response actions, current status summary and future actions with timelines;
(l) details of third party service providers engaged to support;
(m) stakeholder communications, including to media; and
(n) details of the reporting party.
12.16 Is the report to the CICS Commissioner intended to be a final report?
No. The CI Operator is expected to promptly provide a supplementary report or material to the CICS Commissioner if additional information becomes available after submitting the written report.
12.17 Is the CI Operator required to make other notifications and reports in respect of a computer-system security incident?
The notice and reporting obligations under PCICSO are without prejudice to notice and reporting obligations under sector-specific regulations. So, if other applicable laws or regulations impose notification and reporting obligations on the CI Operator, then the CI Operator will need to additionally fulfil those obligations and cannot rely on its notification and report to the CICS Commissioner to satisfy them.
Examples of other sector-specific notice obligations include:
(a) Banking sector: There is a duty on authorised institutions to notify the Monetary Authority when they become aware that a significant incident, IT-related fraud or a major security breach has occurred. There is also a specific obligation to notify affected customers, and make public announcements if necessary.
(b) Insurance sector: There is a duty on insurers, upon detection of a relevant cyber incident, to report the incident with the related information to the Insurance Authority as soon as practicable, and in any event within 72 hours from detection.
(c) Financial services sector: There is a duty on licensed corporations to report to the Securities and Futures Commission upon the happening of any material cybersecurity incident (including ransomware attacks) or any material failure, error or defect in the operation or functioning of trading, accounting, clearing or settlement systems or equipment.
12 hours and 48 hours. These are the timelines that CISOs leading CSS Management Units will be acutely mindful of. Notification obligations are the core emergency legal requirement under PCICSO. However, CI Operators must be mindful that it will not be possible to fully and accurately provide the information required for notifications unless the organisational and preventative obligations have also been rigorously followed. It is the exacting process of preparing plans, assessments and audits, and of conducting training and drills, that provides the resources, information and expertise needed to make accurate and complete notifications within the exceptionally short timelines required under PCICSO.
In our final article in this series, we will review the enforcement powers of the CICS Commissioner under PCICSO.
Pádraig Walsh
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 16 April 2026.
