What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 6)

Apr 21 2026

The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&A format on the key issues businesses and industries need to be aware of. This article and our previous articles are now available here, here, here, here and here.

In this final article in the series, Pádraig Walsh from our Cybersecurity practice reviews the investigation, inspection and enforcement powers available to the CICS Commissioner under PCICSO.

13. Enforcement powers

13.1 Does the CICS Commissioner have investigation and enforcement powers?

Yes. The investigation and enforcement powers of the CICS Commissioner under PCICSO include powers to:

(a) direct the CI Operator to perform or prohibit certain acts;

(b) require the CI Operator to produce relevant information and documents;

(c) enter premises of a CI Operator with a warrant; and

(d) enter premises of a CI Operator without a warrant in emergency cases.

13.2 Does the CICS Commissioner have powers of early intervention to conduct an enquiry?

The CICS Commissioner has the power to appoint an authorised officer to make enquiries into an event if the CICS Commissioner believes the event has had an actual adverse effect, or is likely to have an adverse effect, on the CCS of a critical infrastructure. The scope of the enquiry is directed to identifying what caused the event and whether a computer-system security threat or a computer-system security incident has occurred in respect of the CCS.

This early intervention power to investigate is specifically characterised as investigating events that are not, or not yet, characterised as computer-system security incidents. The purpose is to obtain additional information to assess the event. The scope of the enquiry may be extended if the early intervention investigations confirm a computer-system security threat or incident with an adverse effect has occurred.

13.3 Is a CI Operator required to produce documents, information and statements to the CICS Commissioner in early intervention enquiries?

The authorised officer appointed by the CICS Commissioner for an early intervention investigation has the power by notice to require a CI Operator to:

(a) produce documents the authorised officer reasonably believes to be relevant to his enquiries, and to be in the possession or control of the CI Operator or accessible in or from Hong Kong by the CI Operator;

(b) give an explanation or further particulars in relation to the documents;

(c) send a representative to attend before the authorised officer to answer questions relating to the enquiry; and

(d) answer in writing written questions relating to the enquiry.

Failure to comply with a notice by the authorised officer when required is an offence.

13.4 Does the CICS Commissioner have powers to conduct a direct investigation in relation to a computer-system security threat or incident?

Yes. The CICS Commissioner has the power to appoint an authorised officer to carry out an investigation into, and in respect of, a computer-system security threat or incident. The investigation will be directed to:

(a) identify what caused the threat or incident;

(b) assess the impact, or potential impact, of the threat or incident;

(c) remedy harm that has arisen from the threat or incident;

(d) prevent any further harm from arising from the threat or incident; and

(e) prevent any further computer-system security incident from arising from the threat or incident.

13.5 Is a CI Operator required to produce documents, information and statements to the CICS Commissioner in relation to direct investigation of a computer-system security threat or incident?

The authorised officer appointed by the CICS Commissioner for an investigation has the power by notice to require a CI Operator to:

(a) produce documents the authorised officer reasonably believes to be relevant to his investigation, and to be in the possession or control of the CI Operator or accessible in or from Hong Kong by the CI Operator;

(b) give an explanation or further particulars in relation to the documents;

(c) send a representative to attend before the authorised officer to answer questions relating to the investigation; and

(d) answer in writing written questions relating to the investigation.

Failure to comply with a notice by the authorised officer when required is an offence.

13.6 Can the CICS Commissioner compel the CI Operator to take direct action in the course of the direct investigation?

The CICS Commissioner can additionally authorise its authorised officer to require the CI Operator to take specific actions. This additional authorisation would only arise and be granted if the CI Operator is unwilling or unable to take reasonable steps to assist in the investigation or respond to the threat or incident, and there are public interest grounds for granting the additional authority. Public interest grounds would include the potential harm or disruption that may be caused by the threat or incident.

13.7 What direct action could be required of the CI Operator?

Upon being granted the additional authority by the CICS Commissioner, the authorised officer could require the CI Operator:

(a) not to use the investigated system;

(b) to preserve the state of the system;

(c) to monitor the system;

(d) to perform a scan of the system to detect vulnerabilities and assess the impact of the threat or incident in respect of the system;

(e) to carry out any remedial measures, or to cease carrying on any activities, in relation to the threat or incident; and

(f) to give the authorised officer other assistance.

13.9 Is a third party who is not the CI Operator required to produce documents or comply with directions of the CICS Commissioner in respect of a direct investigation?

Yes, but only if and after certain due process conditions are fulfilled.

The authorised officer for the investigation may apply to a Magistrate for a warrant requiring a third party to provide documents and information, make statements and perform actions. The authorised officer must confirm on oath that there are reasonable grounds to believe that the CI Operator is unwilling or unable to assist the investigation or respond to the threat or incident, and that there are public interest grounds for granting the requested warrant. The warrant can only be directed to an organisation having, or appearing to have, control over the investigated system (other than the investigated CI Operator).

The warrant will authorise the authorised officer of the CICS Commissioner to require the third party to provide documents and information, make statements and perform actions to the same extent as may be required of a CI Operator.

13.10 Can the CICS Commissioner enter premises of the CI Operator to obtain documents and information for early intervention enquiries and direct investigations?

Yes, but only if and after certain due process conditions are fulfilled.

The authorised officer for the enquiry or investigation may apply to a Magistrate for a warrant to enter premises and seize documents. The authorised officer must confirm on oath that there are reasonable grounds to suspect that there are, or are likely to be, documents relevant to his enquiries or investigations on the premises in question. In addition, the Magistrate must be satisfied that the CI Operator is unwilling or unable to take all reasonable steps to respond to the enquiries or investigations of the authorised officer or to the threat or incident, and that it is in the public interest to issue the warrant. Exceptions to this process can apply in emergency situations.

The warrant will authorise the authorised officer of the CICS Commissioner to enter the specified premises, if necessary by force, and to search for, inspect, make copies of, take extracts from, seize and remove documents relevant to the enquiries of the authorised officer. This power applies to both early intervention enquiries and direct investigations.

Additionally, for direct investigations, the authorised officer of the CICS Commissioner can be authorised to:

(a) access, inspect and carry out remedial measures on the accessible systems relevant to the investigation;

(b) search for, inspect, make copies of and take extracts from any information stored in accessible systems if the officer has reasonable grounds to believe the information is relevant to the investigation;

(c) carry out other remedial measures in relation to the threat or incident; and

(d) require other assistance from an organisation having, or appearing to have, control over the investigated system.

The warrant can apply in respect of any premises, and not merely premises owned or occupied by the CI Operator.

13.11 Can the CICS Commissioner enter premises without a warrant in emergency situations?

Yes, this is possible in exceptional emergency situations.

The normal conditions and considerations for seeking a Magistrate’s warrant must be fulfilled. Additionally, the CICS Commissioner must be satisfied that it is not reasonably practicable to obtain a warrant. Then, the CICS Commissioner may authorise the authorised officer to enter any premises in emergencies without a warrant to search for and seize relevant items, access and inspect the investigated system to carry out remedial measures, search for, inspect and make copies of information relating to the investigated system, and require relevant organisations to assist in the investigation or respond to the threat or incident.

13.12 Is the CI Operator required to implement directions of the CICS Commissioner in the course of an investigation?

Failing to comply with specified requirements imposed by the CICS Commissioner in response to computer-system security threats and incidents without reasonable excuse is an offence for which a fine of up to HK$500,000 may be imposed.

13.13 How will the CICS Commissioner’s powers apply in respect of operations of the CCS that are conducted outside Hong Kong?

The CI Operator is required to submit information accessible to them in or from Hong Kong in compliance with a request made by the CICS Commissioner under PCICSO.

13.14 Will employees of CI Operators be personally liable for offences under PCICSO?

No. PCICSO itself only imposes penalties on CI Operators on an organisational basis, and those penalties are fines only.

Criminal liability under other legislation may still apply.

13.15 Will a CI Operator be required to provide documents or information subject to legal professional privilege?

No, a CI Operator will not be required to provide documents or information subject to legal professional privilege. PCICSO provides that any claims, rights or entitlements on the ground of legal professional privilege are not affected by PCICSO.

13.16 What defences are available to defendants in prosecutions under PCICSO?

PCICSO provides a defendant a statutory defence that arises if the defendant exercised proper due diligence to avoid the commission of the offence. This will require the defendant to produce sufficient evidence that the commission of the offence was due to a cause beyond the defendant’s control, and the defendant took all reasonable precautions and exercised all due diligence to avoid the commission of the offence by the defendant.

If this due diligence defence is based on the commission of the offence being due to the act of another person or reliance on information given by another person, then the defendant must:

(a) identify that other person;

(b) take reasonable steps to secure the co-operation of the other person; and

(c) establish it was reasonable to rely on the information provided by the person.

A defence of reasonable excuse may also apply in respect of some offences under PCICSO.

14. Other relevant matters

14.1 Will service providers to CI Operators be directly responsible to the CICS Commissioner for services in respect of CCS?

CI Operators can outsource their work, but not their responsibilities. The Code of Practice makes clear that a CI Operator must maintain an agreed level of CCS security within supplier relationships to ensure that all suppliers adhere to a defined set of computer-system security requirements. This includes:

(a) defining security responsibilities of service providers in contract terms;

(b) having and exercising audit and compliance monitoring rights to verify that service providers have implemented sufficient controls over the CI Operator's CCS;

(c) putting in place retention and deletion protocols to ensure all sensitive digital data in service provider services or facilities is deleted at the expiry or termination of the service or upon request of the CI Operator;

(d) entering into confidentiality and non-disclosure agreements with service providers to protect the sensitive digital data; and

(e) undertaking and providing training in respect of the CCS covered by the service delivery.

Sample contract clauses are set out in Annex H to the Code of Practice.

14.2 Does PCICSO have extra-territorial effect outside Hong Kong?

No. There is no power under PCICSO to directly take enforcement actions outside Hong Kong against or in respect of computer systems located outside Hong Kong.

There are indirect extra-territorial implications under PCICSO. CI Operators are required to produce information relevant to the security of their CCS that is accessible in or from Hong Kong, regardless of whether that information or the server it is stored on is physically located outside Hong Kong.

Investigation, inspection and enforcement powers are a necessary and important part of any regulatory framework. The CICS Commissioner has broad powers, which must be exercised with conventional due process safeguards. The particular nature of critical infrastructure means that there must be a statutory power to step in and take control if a CI Operator refuses or neglects to do so. Critical infrastructure is, by definition, necessary for the proper functioning of the Hong Kong economy and society.

This concludes our review of this important new legislation for Hong Kong. You may review the entire series here.

Pádraig Walsh


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 21 April 2026.
