{"id":32712,"date":"2026-04-02T06:02:49","date_gmt":"2026-04-02T06:02:49","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=32712"},"modified":"2026-05-18T07:08:07","modified_gmt":"2026-05-18T07:08:07","slug":"what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-2","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hant\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-2\/","title":{"rendered":"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 2)"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hant\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 2)                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Apr<\/span>\n                        <span class=\"day\">02<\/span>\n                        <span 
class=\"year\">2026<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong 
Kong (Part 2)\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? 
(href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\u00a0<\/div>\n<p id=\"ember60\" 
class=\"ember-view reader-text-block__paragraph\">The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues businesses and industries need to be aware of. In our <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1\/\" target=\"_self\" data-test-app-aware-link=\"\">first article in the series<\/a>, we looked at sectors covered by the legislation and the designation process.<\/p>\n<p id=\"ember61\" class=\"ember-view reader-text-block__paragraph\">In this article, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\" target=\"_self\" data-test-app-aware-link=\"\">P\u00e1draig Walsh<\/a> from our <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\" target=\"_self\" data-test-app-aware-link=\"\">Cybersecurity<\/a> practice reviews the organisational obligations under PCICSO, and the preventive obligations for reporting material changes to critical computer systems.<\/p>\n<p id=\"ember62\" class=\"ember-view reader-text-block__paragraph\"><strong>3. 
<\/strong> <strong>Organisational Obligations<\/strong><\/p>\n<p id=\"ember63\" class=\"ember-view reader-text-block__paragraph\"><strong>3.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What is the main purpose of the organisational obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember64\" class=\"ember-view reader-text-block__paragraph\">The main purpose of organisational obligations of CI Operators under PCICSO is to ensure CI Operators have a sound management structure to implement necessary protection measures.<\/p>\n<p id=\"ember65\" class=\"ember-view reader-text-block__paragraph\"><strong>3.2 <\/strong> <strong>What are the main organisational obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember66\" class=\"ember-view reader-text-block__paragraph\">The main organisational obligations of CI Operators are to:<\/p>\n<p id=\"ember67\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 maintain a permanent office in Hong Kong;<\/p>\n<p id=\"ember68\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 notify the CICS Commissioner or Designated Regulator of a change of the organisation that operates the critical infrastructure;<\/p>\n<p id=\"ember69\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 establish and maintain a computer-system security management unit (&#8220;CSS Management Unit&#8221;); and<\/p>\n<p id=\"ember70\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 appoint an employee with adequate professional knowledge of computer-system security to supervise the CSS Management Unit.<\/p>\n<p id=\"ember71\" class=\"ember-view reader-text-block__paragraph\"><strong>3.3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can the office of the CI Operator be a PO box, registered office address or virtual 
office?<\/strong><\/p>\n<p id=\"ember72\" class=\"ember-view reader-text-block__paragraph\">No. The office in Hong Kong will not be merely an address to which notices and other documents may be given or sent. The office must also be the location where a CI Operator employs persons and conducts business. The office is expected to be the location for managing daily operations, making business decisions, interacting with stakeholders, and maintaining business records.<\/p>\n<p id=\"ember73\" class=\"ember-view reader-text-block__paragraph\"><strong>3.4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What are examples of changes in the organisation of a CI Operator?<\/strong><\/p>\n<p id=\"ember74\" class=\"ember-view reader-text-block__paragraph\">Examples of operator changes include:<\/p>\n<p id=\"ember75\" class=\"ember-view reader-text-block__paragraph\">(a) <em>Transfer of operations<\/em>: The daily operation, management or maintenance of a critical infrastructure is changed from an existing CI Operator to another CI Operator.<\/p>\n<p id=\"ember76\" class=\"ember-view reader-text-block__paragraph\">(b) <em>Cessation or closure<\/em>: The existing CI Operator ceases to provide daily operation, management or maintenance of the critical infrastructure.<\/p>\n<p id=\"ember77\" class=\"ember-view reader-text-block__paragraph\">(c) <em>Sale of operations (M&amp;A)<\/em>: Merger, acquisition and other trade sale scenarios that affect the operation of the critical infrastructure.<\/p>\n<p id=\"ember78\" class=\"ember-view reader-text-block__paragraph\">Routine changes in shareholding or ownership transfer of a CI Operator do not in themselves constitute operator changes.<\/p>\n<p id=\"ember79\" class=\"ember-view reader-text-block__paragraph\"><strong>3.5 <\/strong> <strong>Can the CI Operator outsource or engage third parties to perform the functions of the CSS Management Unit?<\/strong><\/p>\n<p id=\"ember80\" class=\"ember-view reader-text-block__paragraph\">The PCICSO 
expressly allows that the CI Operator can either set up and maintain the CSS Management Unit by itself, or engage a service provider instead. This includes engaging overseas or outsourced CSS Management Units. However, the person responsible for supervising the CSS Management Unit must be an employee appointed by the CI Operator.<\/p>\n<p id=\"ember81\" class=\"ember-view reader-text-block__paragraph\"><strong>3.6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What are the competence requirements for the supervisor of the CSS Management Unit?<\/strong><\/p>\n<p id=\"ember82\" class=\"ember-view reader-text-block__paragraph\">The basic requirement is that the supervisor of the CSS Management Unit must have adequate professional knowledge of computer system security. This means possessing appropriate professional qualifications and professional experience in computer-system security commensurate with the risk of their CCSs to discharge the duties effectively.<\/p>\n<p id=\"ember83\" class=\"ember-view reader-text-block__paragraph\">Examples of appropriate professional qualifications include:<\/p>\n<p id=\"ember84\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Certified Information Security Professional (\u201cCISP\u201d);<\/p>\n<p id=\"ember85\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Certified Information Systems Auditor (\u201cCISA\u201d);<\/p>\n<p id=\"ember86\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Certified Information Security Manager (\u201cCISM\u201d); and<\/p>\n<p id=\"ember87\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Certified Information Systems Security Professional (\u201cCISSP\u201d).<\/p>\n<p id=\"ember88\" class=\"ember-view 
reader-text-block__paragraph\"><strong>3.7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What is the process to notify the CICS Commissioner in respect of organisational obligations?<\/strong><\/p>\n<p id=\"ember89\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner has published forms for the purpose of giving notice in respect of organisational obligations:<\/p>\n<p id=\"ember90\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Form for notifying office address [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS001.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>];<\/p>\n<p id=\"ember91\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Form for notifying changes of CI Operator [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS002.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>]; and<\/p>\n<p id=\"ember92\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Form for notifying employment of supervisor of CSS Management Unit [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS003.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>].<\/p>\n<p id=\"ember93\" class=\"ember-view reader-text-block__paragraph\">In general, notice must be given within one month of designation as a CI Operator, or within one month after any material change in circumstances. 
Failure to give notice when required is an offence.<\/p>\n<p id=\"ember94\" class=\"ember-view reader-text-block__paragraph\">Designated Regulators may create separate notification forms.<\/p>\n<p id=\"ember95\" class=\"ember-view reader-text-block__paragraph\"><strong>4. <\/strong> <strong>Preventive Obligations<\/strong><\/p>\n<p id=\"ember96\" class=\"ember-view reader-text-block__paragraph\"><strong>4.1 <\/strong> <strong>What is the main purpose of the preventive obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember97\" class=\"ember-view reader-text-block__paragraph\">The main purpose of preventive obligations of CI Operators under PCICSO is to ensure CI Operators take measures to prevent cyber attacks.<\/p>\n<p id=\"ember98\" class=\"ember-view reader-text-block__paragraph\"><strong>4.2 <\/strong> <strong>What are the main preventive obligations of CI Operators?<\/strong><\/p>\n<p id=\"ember99\" class=\"ember-view reader-text-block__paragraph\">The main preventive obligations of CI Operators are to:<\/p>\n<p id=\"ember100\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 notify material changes to CCS;<\/p>\n<p id=\"ember101\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 submit and implement a computer-system security management plan (&#8220;CSS Management Plan&#8221;);<\/p>\n<p id=\"ember102\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 conduct regular security risk assessments and submit a report; and<\/p>\n<p id=\"ember103\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 carry out regular independent security audits and submit a report.<\/p>\n<p id=\"ember104\" class=\"ember-view reader-text-block__paragraph\"><strong>5.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Preventive Obligations: 
Material changes to CCS<\/strong><\/p>\n<p id=\"ember105\" class=\"ember-view reader-text-block__paragraph\"><strong>5.1 <\/strong> <strong>What constitutes a material change to a CCS?<\/strong><\/p>\n<p id=\"ember106\" class=\"ember-view reader-text-block__paragraph\">A change to a CCS is a material change if the change:<\/p>\n<p id=\"ember107\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 affects the computer-system security of the CCS, or the ability of the CI Operator to respond to a computer-system security threat or incident in respect of the CCS; or<\/p>\n<p id=\"ember108\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 makes any information provided to the CICS Commissioner or Designated Regulator in respect of the CCS no longer accurate in a material particular.<\/p>\n<p id=\"ember109\" class=\"ember-view reader-text-block__paragraph\">This is generally a change that would reasonably be expected to have a significant effect on the computer-system security risk of a CCS or risk to the CI\u2019s core function.<\/p>\n<p id=\"ember110\" class=\"ember-view reader-text-block__paragraph\"><strong>5.2 <\/strong> <strong>What type of material changes to a CCS trigger a notification obligation?<\/strong><\/p>\n<p id=\"ember111\" class=\"ember-view reader-text-block__paragraph\">Material changes to a CCS that trigger a notification obligation to the CICS Commissioner or Designated Regulator are:<\/p>\n<p id=\"ember112\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a material change to the design, configuration, security or operation of a CCS;<\/p>\n<p id=\"ember113\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a CCS is removed from the critical infrastructure;<\/p>\n<p id=\"ember114\" class=\"ember-view 
reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a computer system is added to the critical infrastructure that is accessible by the CI Operator in or from Hong Kong, and is essential to the core function of the critical infrastructure;<\/p>\n<p id=\"ember115\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a change occurs to a computer system that is an existing computer system of the critical infrastructure and is accessible by the CI Operator in or from Hong Kong, such that the system becomes essential to the core function of the infrastructure.<\/p>\n<p id=\"ember116\" class=\"ember-view reader-text-block__paragraph\"><strong>5.3 <\/strong> <strong>What are examples of material changes to a CCS?<\/strong><\/p>\n<p id=\"ember117\" class=\"ember-view reader-text-block__paragraph\">Examples of material changes to a CCS include:<\/p>\n<p id=\"ember118\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Platform migration;<\/p>\n<p id=\"ember119\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Server virtualisation;<\/p>\n<p id=\"ember120\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Major version upgrade of a core component (e.g. 
database);<\/p>\n<p id=\"ember121\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Changes to the computing platform or hardware;<\/p>\n<p id=\"ember122\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Application re-design;<\/p>\n<p id=\"ember123\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Significant code changes;<\/p>\n<p id=\"ember124\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Changes to the underlying infrastructure that supports the CCS;<\/p>\n<p id=\"ember125\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Integration with or change in interdependency on external systems or networks;<\/p>\n<p id=\"ember126\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Changes of mission or major functions that alter the CCS\u2019s operational scope, intended purpose or requirements in security, resources or functions;<\/p>\n<p id=\"ember127\" class=\"ember-view reader-text-block__paragraph\">(j)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Any system modification that fundamentally alters the characteristics or nature of the CCS; or<\/p>\n<p id=\"ember128\" class=\"ember-view reader-text-block__paragraph\">(k)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Substantial changes in CCS components maintained by cloud service suppliers that the CI Operator becomes aware of.<\/p>\n<p id=\"ember129\" class=\"ember-view reader-text-block__paragraph\"><strong>5.4 <\/strong> <strong>What is the process to notify the CICS Commissioner in respect of material changes to CCS?<\/strong><\/p>\n<p id=\"ember130\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner 
has published a form for the purpose of giving notice in respect of changes to a CCS [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_20\/CICS004.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>].<\/p>\n<p id=\"ember131\" class=\"ember-view reader-text-block__paragraph\">Designated Regulators may create separate notification forms.<\/p>\n<p id=\"ember132\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit the completed form within one month of the triggering change event. The date on which the event occurs generally refers to the moment when a change is deployed to a production environment. If the deployment is conducted in phases, the date on which the event occurs should apply to each individual phase of the change deployment. A CI Operator can notify the CICS Commissioner of all changes collectively at the initial phase of the change deployment.<\/p>\n<p id=\"ember133\" class=\"ember-view reader-text-block__paragraph\">Failure to give notice when required is an offence.<\/p>\n<p id=\"ember134\" class=\"ember-view reader-text-block__paragraph\">5.5 <strong>Can the CICS Commissioner conduct follow up actions after notification of a material change to a CCS?<\/strong><\/p>\n<p id=\"ember135\" class=\"ember-view reader-text-block__paragraph\">The CICS Commissioner may direct the CI Operator to:<\/p>\n<p id=\"ember136\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 conduct a CSS Risk Assessment in respect of all or part of the CCS, and file the report for the assessment; or<\/p>\n<p id=\"ember137\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 arrange to carry out a CSS Audit in respect of all or part of the CCS, and file the report of the audit.<\/p>\n<p id=\"ember138\" class=\"ember-view 
reader-text-block__paragraph\">CI Operators must have a substantive business presence in Hong Kong, with a dedicated management unit responsible for computer system security supervised by a suitably qualified and competent professional. This organisational setup is essential to be able to meet the other obligations under PCICSO, including the notification of material changes to a critical computer system summarised above.<\/p>\n<p id=\"ember139\" class=\"ember-view reader-text-block__paragraph\">In the next article in this series, we will look at more preventative obligations under PCICSO.<\/p>\n<p style=\"text-align: right;\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><br \/>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on <em>2 April\u00a02026.<\/em><\/p>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. 
We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":32713,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[162,23,291],"insight-category":[1121],"insight-month":[1155],"insight-practice-area":[1146,1142],"insight-year":[1162],"class_list":["post-32712","insight-and-news","type-insight-and-news","status-publish","has-post-thumbnail","hentry","tag-cybersecurity","tag-legal-updates","tag-tmt","insight-category-legal-updates-and-insights","insight-month-april","insight-practice-area-cybersecurity","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1162"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32712","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":4,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32712\/revisions"}],"predecessor-version":[{"id":32783,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32712\/revisions\/32783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media\/32713"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=32712"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/tags?post=32712"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight
-category?post=32712"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-month?post=32712"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-practice-area?post=32712"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-year?post=32712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}