What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 3)

Apr 09 2026

The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available here and here.

In this article, Pádraig Walsh from our Cybersecurity practice reviews the preventive obligations for management plans for computer-system security of critical computer systems, critical computer system risk assessment, and an independent critical computer system audit.

6. Preventive Obligations: CSS Management Plans

6.1 What is the basic obligation of the CI Operator in respect of CSS Management Plans?

A CI Operator must submit a plan for protecting the computer-system security of the CCS of the critical infrastructure operated by the CI Operator within three months of its designation by the CICS Commissioner.

6.2 Who is responsible for the CSS Management Plan?

The CSS Management Plan is considered a critical document by the CICS Commissioner, and is not a mere administrative matter. The CI Operator must ensure that the CSS Management Plan and any subsequent material changes are approved by:

(a) the Board of Directors of the CI Operator;

(b) a functional sub-committee properly delegated by the Board; or

(c) senior management overseeing the operation of the concerned critical infrastructure, such as a Chief Executive Officer or Chief Operating Officer.

6.3 What general matters should be included in the CSS Management Plan?

The general matters required by PCICSO to be included in a CSS Management Plan are:

(a) The organisation of the CSS Management Unit.

(b) The process of identifying computer systems that are essential to the core function of the critical infrastructure operated by the CI Operator.

(c) Various policies and guidelines, including for:

(i) identifying, assessing, monitoring, responding to and mitigating computer-system security risks, vulnerabilities, threats and incidents to CCS;

(ii) detecting computer-system security threats and incidents to CCS;

(iii) controlling access to, and preventing unauthorised acts on, CCS;

(iv) change management controls in respect of changes to CCS;

(v) security of all components of CSS;

(vi) security by design principles;

(vii) availability of the systems during disruption;

(viii) managing contracts and communications with suppliers and vendors of third party services and products; and

(ix) periodic review of the CSS Management Plan.

(d) Training and awareness programmes in respect of the CSS.

6.4 What specific computer-system security policies and guidelines should be in place under a CSS Management Plan?

The Code of Practice published by the CICS Commissioner [link] sets out a series of expectations and requirements in respect of the subject matter of, and the standards stipulated in, a CSS Management Plan. The relevant subject matter headings are:

[Table of subject matter headings from the Code of Practice: image not reproduced in the extracted text.]

The CSS Management Plan will essentially consist of a collection of policies, standards and guidelines. In its submissions to the CICS Commissioner, the CI Operator should provide a clear cross-reference that maps each applicable requirement between relevant sections of the CSS Management Plan and the Code of Practice published by the CICS Commissioner.

6.5 How frequently should the CSS Management Plan be reviewed?

The CSS Management Plan should be reviewed upon any material changes to CCS, and in any event at least once every two years.

6.6 What is the process to notify the CICS Commissioner in respect of the CSS Management Plan?

There is no prescribed format for a CSS Management Plan. Accordingly, the CICS Commissioner has not published a prescribed form for the purpose of giving notice.

The CI Operator must submit the CSS Management Plan to the CICS Commissioner within three months of designation, and thereafter within one month of any revision to the CSS Management Plan.

Failure to give notice when required is an offence.

6.7 What other regulatory oversight is there of the CSS Management Plan?

PCICSO includes a positive statutory obligation on CI Operators to implement the CSS Management Plan. It is not a document for presentation and filing purposes. It is a document to direct the activities of the CI Operator in respect of CCS.

If the CICS Commissioner believes that a CI Operator has not properly implemented a CSS Management Plan to its satisfaction, the CICS Commissioner can direct the CI Operator to arrange to carry out a CSS Audit to ascertain if the CSS Management Plan or any part of it has been properly implemented, and to submit the audit report to the CICS Commissioner.

7. Preventive Obligations: CSS Risk Assessments

7.1 What is the basic obligation of the CI Operator in respect of CSS Risk Assessments?

A CI Operator must conduct an annual computer-system security risk assessment (“CSS Risk Assessment”) in respect of the risks relating to security of the CSS of critical infrastructure it operates, and submit a report of the CSS Risk Assessment to the CICS Commissioner. The CSS Risk Assessment must include vulnerability assessment and penetration testing.

7.2 What matters should be included in a CSS Risk Assessment?

The matters required by PCICSO to be included in a CSS Risk Assessment are:

(a) Vulnerability assessment of the CCS.

(b) Penetration test of the CCS.

(c) Identification and prioritisation of identified risks.

(d) Determination of the impact on the security of the CCS that may result from the identified risks, and the level of risks that CCS can tolerate.

(e) Identification of the treatment and monitoring required to deal with the identified risks.

7.3 Who can conduct CSS Risk Assessments?

There is no requirement of independence for the personnel conducting risk assessments. Vulnerability assessments should be conducted under the supervision of personnel with relevant qualifications. Penetration tests should be carried out by personnel with relevant qualifications.

7.4 How should CSS Risk Assessments be conducted?

CSS Risk Assessments should be conducted according to nationally or internationally recognised methodologies or standards. These include standards published by:

(a) the China National Standardisation Administration (SAC);

(b) the Hong Kong Digital Policy Office;

(c) the US National Institute of Standards and Technology (NIST); and

(d) international bodies such as the International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO).

7.5 What are the regulatory expectations for the conduct of the vulnerability assessment?

Vulnerability assessments should be conducted under the supervision of personnel with relevant qualifications. The vulnerability assessment should involve various vulnerability identification activities to identify potential security loopholes and vulnerabilities. These include vulnerability scanning, source code reviews, and configuration reviews.

7.6 What are the regulatory expectations for the conduct of the penetration testing?

The penetration test should be conducted by a tester having suitable knowledge, relevant experience and appropriate professional qualification. The penetration test in the CSS Risk Assessment should be carried out from the position of a potential attacker or based on threat intelligence, and can involve active exploitation of possible vulnerabilities of the CCS. The test should include areas of network security, system software security, client-side application security and server-side application security.

7.7 What should be included in a CSS Risk Assessment report?

The CSS Risk Assessment report should include:

(a) Background information;

(b) Executive summary;

(c) Assessment scope, objectives, methodology, time frame and assumptions;

(d) Description of current environment or system, including network diagrams;

(e) Security requirements;

(f) Personnel involved in the computer-system security risk assessment;

(g) Summary of findings and recommendations;

(h) Risk analysis results, including identified assets, threats, vulnerabilities and their impact, likelihood and risk levels;

(i) Recommended safeguards with cost-benefit analysis;

(j) Conclusions; and

(k) Annexes, including completed vulnerability assessment report, penetration test report, covered asset inventories, and asset valuation results.

7.8 What is the timeline to complete the CSS Risk Assessment, and to submit the report to the CICS Commissioner?

The first CSS Risk Assessment must be completed within 12 months of designation by the CICS Commissioner, and a further CSS Risk Assessment must be conducted within each successive 12 months thereafter.

The CI Operator must submit its report from the CSS Risk Assessment to the CICS Commissioner within three months after the deadline for conducting the relevant assessment.

Failure to conduct the CSS Risk Assessment, or to file the report to the CICS Commissioner, when required is an offence.

8. Preventive Obligations: CSS Audits

8.1 What is the basic obligation of the CI Operator in respect of CSS Audits?

A CI Operator must arrange to carry out an audit every two years in respect of the computer-system security of the CCS of critical infrastructure it operates (“CSS Audit”), and submit a report of the CSS Audit to the CICS Commissioner.

8.2 What matters should be included in a CSS Audit?

The matters required by PCICSO to be included in a CSS Audit are:

(a) Verification of whether the existing protection measures in respect of the CSS have been performed properly. This includes whether CSS Management Plans have been properly implemented, and whether the implementation followed the relevant provisions of an applicable Code of Practice or was carried out in another way.

(b) An opinion on the condition of the computer-system security of the CCS based on its verification and assessment.

8.3 Who can conduct CSS Audits?

The CSS Audit must be conducted by persons who are independent of the operation or maintenance of the CCS, and who were not involved in the design or maintenance of the computer-system security controls. The expectation is that the CSS Audit would be conducted by independent third party auditors or by an internal audit department that is not involved in the operation or maintenance of the CCS.

The auditor should possess suitable knowledge, relevant experience and appropriate professional qualifications.

8.4 How should CSS Audits be conducted?

CSS Audits should be conducted according to nationally or internationally recognised methodologies or standards. These include standards published by:

(a) the China National Standardisation Administration (SAC);

(b) the Hong Kong Digital Policy Office; and

(c) international bodies such as the International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO).

8.5 What should be included in a CSS Audit report?

The CSS Audit report should include:

(a) Background information;

(b) Executive summary;

(c) Scope;

(d) Objectives;

(e) Audit methodologies;

(f) Assumptions, limitations and qualifications;

(g) Findings and report; and

(h) Statement of opinion.

8.6 What is the timeline to complete the CSS Audit, and to submit the report to the CICS Commissioner?

The first CSS Audit must be completed within 24 months of designation by the CICS Commissioner, and a further CSS Audit must be conducted within each successive 24 months thereafter.

The CI Operator must submit its report from the CSS Audit to the CICS Commissioner within three months after the deadline for conducting the relevant audit.

Failure to conduct the CSS Audit, or to file the report to the CICS Commissioner, when required is an offence.

Plans, assessments and audits are the core work of the CSS Management Unit. The regulatory intent is that a strong focus on prevention will mitigate the risk of security incidents. The CSS Management Plan is not a once-and-done task. The process of assessment, audit and review is intended to bring about a virtuous cycle of continuous improvement in the security of critical computer systems.

In the next article in this series, we will look at some incident reporting and response obligations under PCICSO.

Pádraig Walsh

If you want to know more about the content of this article, please contact:

Pádraig Walsh
Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 9 April 2026.

Tags:

Cybersecurity Legal Updates TMT
