{"id":32496,"date":"2026-03-31T10:00:00","date_gmt":"2026-03-31T10:00:00","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=32496"},"modified":"2026-05-18T06:15:52","modified_gmt":"2026-05-18T06:15:52","slug":"what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hans\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1\/","title":{"rendered":"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 1)"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hans\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 1)                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Mar<\/span>\n                        <span class=\"day\">31<\/span>\n                        <span 
class=\"year\">2026<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong 
Kong (Part 1)\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? 
(href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\n<p>The Protection of Critical 
Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We will explore the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues businesses and industries need to be aware of.<\/p>\n<p>In this first article, <a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a> from our <a href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\">Cybersecurity<\/a> practice reviews who qualifies as critical infrastructure operators, how operators are designated, and which sectors fall under the regulatory ambit of the Commissioner of Critical Infrastructure (Computer-system Security) and sector regulators.<\/p>\n<p><strong>Introduction<\/strong><\/p>\n<p>1.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>Is there a cybersecurity law in Hong Kong?<\/strong><\/p>\n<p>Yes. The Protection of Critical Infrastructures (Computer Systems) Ordinance, (Chapter 653, Laws of Hong Kong) (&#8220;PCICSO&#8221;) came into operation on 1 January 2026. This is a comprehensive cybersecurity law, focussing on the protection of critical computer systems in critical infrastructure from cybersecurity risk.<\/p>\n<p>1.2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What is the competent regulatory authority?<\/strong><\/p>\n<p>The Office of the Commissioner of Critical Infrastructure (Computer-system Security) (&#8220;CICS Commissioner&#8221;) is the competent regulatory authority. This office is a division of the Security Bureau of the Government of Hong Kong, and is not an independent statutory body.<\/p>\n<p>1.3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What is the role of designated regulatory authorities?<\/strong><\/p>\n<p>Some regulatory responsibilities are shared with designated statutory sector regulators. 
Specifically, PCICSO designated the Monetary Authority and the Communications Authority (&#8220;Designated Regulators&#8221;) as competent regulators to directly supervise the responsibilities for organisational and preventive obligations under PCICSO in respect of certain regulated entities under its regulatory purview, as summarised below:<\/p>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-32503 size-full\" src=\"https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO.png\" alt=\"\" width=\"690\" height=\"740\" srcset=\"https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO.png 690w, https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO-280x300.png 280w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/p>\n<p>This reflects that the Monetary Authority and Communications Authority already regulate their respective sectors with a degree of sophistication and familiarity with the operations and needs of the relevant sectors. This will avoid duplication of effort with the remit of the CICS Commissioner.<\/p>\n<p>This means that the Monetary Authority and Communications Authority, as designated authorities under PCICSO, will perform these functions in respect of CI Operators under their scope of authority:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Identify and designate CI Operators and critical computer systems;<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Monitor CI Operators&#8217; compliance with organisational and preventive obligations under PCICSO;<\/p>\n<p>(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Issue codes of practice to CI Operators, setting out the proposed standards for the organisational and preventive obligations. 
This can include adopting Codes of Practice published by the CICS Commissioner, as well as supplementing with sector specific Codes of Practice; and<\/p>\n<p>(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Issuing a written direction to a CI Operator if it has failed to fully comply with organisational or preventive obligations under PCICSO.<\/p>\n<p>The CICS Commissioner will be responsible for regulating CI Operators of all sectors (including banking and financial services and telecommunications and broadcasting services) for incident reporting and response obligations.<\/p>\n<p>1.4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>How will the regulation be applied?<\/strong><\/p>\n<p>The main piece of legislation is the PCICSO. The CICS Commissioner will issue codes of conduct, guidelines and forms. The CICS Commissioner issued a General Code of Practice on 1 January 2026 [<a href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_19\/CoP_en_v1.0.pdf\" target=\"_blank\" rel=\"noopener\">link<\/a>], and a Code of Practice for the Energy Sector on 28 January 2026 [<a href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_19\/SCoP_Energy_en_v1.0.pdf\" target=\"_blank\" rel=\"noopener\">link<\/a>]. We can expect the CICS Commissioner to publish other sector-specific Codes of Practice.<\/p>\n<p>Codes of Practice are not subsidiary legislation. Failure to comply with the requirements of a Code of Practice would not in itself constitute an offence. However, the CICS Commissioner may issue written directions to require a CI Operator to take appropriate actions in relation to compliance with obligations under the PCICSO. Those directions are likely to be based on requirements set out in Codes of Practice, and compliance will be measured against the relevant provisions in the Code of Practice. 
Failure to comply with directions issued by the CICS Commissioner is an offence.<\/p>\n<p>Guidelines are non-binding.<\/p>\n<p><strong>The Regulatory Perimeter<\/strong><\/p>\n<p>2.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>Who and what is the target of regulation under PCICSO?<\/strong><\/p>\n<p>The primary target of regulation is the protection of critical infrastructure and designated computer systems operated by designated critical infrastructure operators in Hong Kong. Direct regulation will only apply to large organisations. Only organisations designated by the authorities will be subject to PCICSO.<\/p>\n<p>2.2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What is not regulated under PCICSO?<\/strong><\/p>\n<p>PCICSO does not cover, or is not intended to cover:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Government departments. The Hong Kong Government already applies internal Government Information Technology Security Policy and Guidelines.<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Personal data, trade secrets and business information in computer systems. Personal data is already subject to regulation of the Office of Privacy Commissioner for Personal Data (&#8220;PCPD&#8221;) under the Personal Data (Privacy) Ordinance, Chapter 486, Laws of Hong Kong (&#8220;PDPO&#8221;).<\/p>\n<p>(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Small and medium size organisations or the general public.<\/p>\n<p>2.3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What are critical infrastructure operators?<\/strong><\/p>\n<p>Critical infrastructure operators (&#8220;CI Operators&#8221;) are businesses or organisations that operate critical infrastructure. 
We analyse that description more in the paragraphs below.<\/p>\n<p>2.4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What is critical infrastructure?<\/strong><\/p>\n<p>Critical infrastructure is any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a specified sector, and any other infrastructure the damage, loss of functionality or data leakage of which may hinder or substantially affect the maintenance of critical societal or economic activities in Hong Kong.<\/p>\n<p>2.5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What are the specified sectors of CI Operators?<\/strong><\/p>\n<p>The specified sectors are:<\/p>\n<ol>\n<li>Energy<\/li>\n<li>Information technology<\/li>\n<li>Banking and financial services<\/li>\n<li>Air transport<\/li>\n<li>Land transport<\/li>\n<li>Maritime transport<\/li>\n<li>Healthcare services<\/li>\n<li>Telecommunications and broadcasting services<\/li>\n<\/ol>\n<p>2.6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What are examples of critical infrastructure and CI Operators?<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-32506 size-full\" src=\"https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO-1.png\" alt=\"\" width=\"714\" height=\"664\" srcset=\"https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO-1.png 714w, https:\/\/www.tannerdewitt.com\/wp-content\/uploads\/2026\/03\/PCICSO-1-300x279.png 300w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><\/p>\n<p>2.7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What does designation mean?<\/strong><\/p>\n<p>Not all businesses in the specified sectors are directly subject to the obligations of PCICSO and the regulatory oversight of the CICS Commissioner or the Designated Regulators under PCICSO. 
Direct regulation will only apply to large organisations, and will not apply to small and medium size organisations or the general public.<\/p>\n<p>Designation is the process the CICS Commissioner and Designated Regulators will use to identify CI Operators, and the designated computer systems, that will be subject to direct regulation. The process will involve the CICS Commissioner and Designated Regulators identifying critical infrastructure, the CI Operators operating the critical infrastructure, and the critical computer systems relied upon in those operations.<\/p>\n<p>The CICS Commissioner and the Designated Regulators have the statutory power to require operators to provide information they reasonably believe necessary to ascertain and assess each level of enquiry, from assessment of critical infrastructure, assessment of operators and ultimately, assessment of computer systems. It is an offence for an operator to fail to comply with an information request of the CICS Commissioner or Designated Regulators.<\/p>\n<p>2.8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>How will critical infrastructure be identified?<\/strong><\/p>\n<p>In general, the CICS Commissioner and Designated Regulator will have regard to:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the kind of service provided by the infrastructure.<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 whether there would be disruption or other significant impact to critical societal or economic activities in Hong Kong if the infrastructure was damaged, lost functionality or suffered data leakage.<\/p>\n<p>2.9\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <strong>What factors will be applied in the designation of CI Operators?<\/strong><\/p>\n<p>The factors considered when designating an organisation as CI Operator include:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The extent of dependence of core functions on computer 
systems;<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The sensitivity of the data controlled by the infrastructure concerned; and<\/p>\n<p>(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The extent of control over the operation and management of the infrastructure concerned by the CI Operator in Hong Kong.<\/p>\n<p>2.10\u00a0\u00a0\u00a0\u00a0 <strong>What factors are considered in the designation of critical computer systems?<\/strong><\/p>\n<p>The ultimate target of PCICSO and the primary concern of the CICS Commissioner and Designated Regulators is the protection of critical computer systems (&#8220;CCS&#8221;) in the operation of critical infrastructure by CI Operators.<\/p>\n<p>These factors must be taken into account before designating a computer system as a CCS:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the role of the computer system in core functions of the critical infrastructure;<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the impact of disruption or destruction of the computer system on core functions;<\/p>\n<p>(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the extent to which the computer system is related to other computer systems of the CI Operator;<\/p>\n<p>(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the extent to which the computer system and other computer systems of the CI Operator are related to those of other CI Operators and the computer systems other CI Operators use;<\/p>\n<p>(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the sensitivity of digital data stored or processed by the computer system that are used directly in the provision of essential services; and<\/p>\n<p>(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 any information provided by the CI Operator.<\/p>\n<p>Operational technology systems can also be considered as computer systems for the purpose of PCICSO. 
These systems could include supervisory control and data acquisition systems, distributed control systems or programmable logic controllers.<\/p>\n<p>Underlying IT infrastructure of a computer system could also be regarded as components of the computer system, and within the scope of regulation under PCICSO. This could include network components, operating platforms, middleware, IoT devices and uninterruptible power supply systems.<\/p>\n<p>2.11\u00a0\u00a0\u00a0\u00a0 <strong>What information is required to assess designation?<\/strong><\/p>\n<p>The CICS Commissioner and the Designated Regulators have discretion to require an operator to provide information reasonably necessary for learning about the operator and its critical computer systems.<\/p>\n<p>In practice, this is likely to include:<\/p>\n<p>(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 organisation chart of the operator;<\/p>\n<p>(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 system functions;<\/p>\n<p>(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 network infrastructure diagram and architecture;<\/p>\n<p>(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nature and volume of data processed;<\/p>\n<p>(e) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 manufacturers and models of hardware and software;<\/p>\n<p>(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IT or telecom services provided by third parties;<\/p>\n<p>(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 backup plans;<\/p>\n<p>(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 information and technical specifications of the system design and operation; and<\/p>\n<p>(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 other facts and functions about the computer system, including upstream and downstream dependencies.<\/p>\n<p>2.12\u00a0\u00a0\u00a0\u00a0 <strong>How will an operator know it has been designated for compliance with obligations under 
PCICSO?<\/strong><\/p>\n<p>The process of designation is initiated by the CICS Commissioner and Designated Regulator through communication. The decision to designate will be notified in writing by the CICS Commissioner or Designated Regulator, setting out the effective date and CCS covered.<\/p>\n<p>2.13\u00a0\u00a0\u00a0\u00a0 <strong>Is designation of a CI Operator or CCS made public?<\/strong><\/p>\n<p>No.<\/p>\n<p>The sectors included under the ambit of PCICSO are the conventional sectors in similar legislation in other jurisdictions. PCICSO though will follow a designation process. Simply being a significant business in a covered sector does not automatically make a business subject to the legislation. There will be a formal process of designation that will pragmatically and systematically bring organisations under the purview of the CICS Commissioner (or designated regulator) over time.<\/p>\n<p>In the next article in this series, we will look at the organisational obligations and certain preventative obligations under PCICSO.<\/p>\n<p style=\"text-align: right;\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><br \/>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on <em>31 March 2026.<\/em><\/p>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. 
We will explore the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":32497,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[162,23,291],"insight-category":[1121],"insight-month":[1156],"insight-practice-area":[1146,1142],"insight-year":[1162],"class_list":["post-32496","insight-and-news","type-insight-and-news","status-publish","has-post-thumbnail","hentry","tag-cybersecurity","tag-legal-updates","tag-tmt","insight-category-legal-updates-and-insights","insight-month-march","insight-practice-area-cybersecurity","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1162"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":3,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32496\/revisions"}],"predecessor-version":[{"id":32728,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/32496\/revisions\/32728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media\/32497"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media?parent=32496"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/tags?post=32496"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/i
nsight-category?post=32496"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-month?post=32496"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-practice-area?post=32496"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-year?post=32496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}