{"id":32717,"date":"2026-04-09T06:08:01","date_gmt":"2026-04-09T06:08:01","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/?post_type=insight-and-news&#038;p=32717"},"modified":"2026-05-18T07:08:16","modified_gmt":"2026-05-18T07:08:16","slug":"what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-3","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hant\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-3\/","title":{"rendered":"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 3)"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hant\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 3)                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Apr<\/span>\n                        <span class=\"day\">09<\/span>\n                        <span class=\"year\">2026<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"What you need to know about the Protection of Critical Infrastructures (Computer Systems) Ordinance, the cybersecurity legislation in Hong Kong (Part 3)\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? (href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\">\u00a0<\/div>\n<p id=\"ember60\" class=\"ember-view reader-text-block__paragraph\">The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key issues businesses and industries need to be aware of. Our previous articles in the series are available on <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-1\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a> and <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/insight-and-news\/what-you-need-to-know-about-the-protection-of-critical-infrastructures-computer-systems-ordinance-the-cybersecurity-legislation-in-hong-kong-part-2\/\" target=\"_self\" data-test-app-aware-link=\"\">here<\/a>.<\/p>\n<p id=\"ember61\" class=\"ember-view reader-text-block__paragraph\">In this article, <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\" target=\"_self\" data-test-app-aware-link=\"\">P\u00e1draig Walsh<\/a> from our <a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.tannerdewitt.com\/practice-areas\/cybersecurity\/\" target=\"_self\" data-test-app-aware-link=\"\">Cybersecurity<\/a> practice reviews the preventive obligations for management plans for computer-system security of critical computer systems, critical computer system risk assessment, and an independent critical computer system audit.<\/p>\n<p id=\"ember62\" class=\"ember-view reader-text-block__paragraph\">6. <strong>Preventive Obligations: CSS Management Plans<\/strong><\/p>\n<p id=\"ember63\" class=\"ember-view reader-text-block__paragraph\">6.1 <strong>What is the basic obligation of the CI Operator in respect of CSS Management Plans?<\/strong><\/p>\n<p id=\"ember64\" class=\"ember-view reader-text-block__paragraph\">A CI Operator must submit a plan for protecting the computer-system security of the CCS of the critical infrastructure operated by the CI Operator within three months of its designation by the CICS Commissioner.<\/p>\n<p id=\"ember65\" class=\"ember-view reader-text-block__paragraph\">6.2 <strong>Who is responsible for the CSS Management Plan?<\/strong><\/p>\n<p id=\"ember66\" class=\"ember-view reader-text-block__paragraph\">The CSS Management Plan is considered a critical document by the CICS Commissioner, and is not a mere administrative matter. The CI Operator must ensure that the CSS Management Plan and any subsequent material changes are approved by:<\/p>\n<p id=\"ember67\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the Board of Directors of the CI Operator;<\/p>\n<p id=\"ember68\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 a functional sub-committee properly delegated by the Board; or<\/p>\n<p id=\"ember69\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 senior management overseeing the operation of the concerned critical infrastructure, such as a Chief Executive Officer or Chief Operating Officer.<\/p>\n<p id=\"ember70\" class=\"ember-view reader-text-block__paragraph\">6.3 <strong>What general matters should be included in the CSS Management Plan?<\/strong><\/p>\n<p id=\"ember71\" class=\"ember-view reader-text-block__paragraph\">The general matters required by PCICSO to be included in a CSS Management Plan are:<\/p>\n<p id=\"ember72\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The organisation of the CSS Management Unit.<\/p>\n<p id=\"ember73\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The process of identifying computer systems that are essential to the core function of the critical infrastructure operated by the CI Operator.<\/p>\n<p id=\"ember74\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Various policies and guidelines, including for:<\/p>\n<p id=\"ember75\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 identifying, assessing, monitoring, responding to and mitigating computer-system security risks, vulnerabilities, threats and incidents to CCS;<\/p>\n<p id=\"ember76\" class=\"ember-view reader-text-block__paragraph\">(ii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 detecting computer-system security threats and incidents to CCS;<\/p>\n<p id=\"ember77\" class=\"ember-view reader-text-block__paragraph\">(iii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 controlling access to, and preventing unauthorised acts on, CCS;<\/p>\n<p id=\"ember78\" class=\"ember-view reader-text-block__paragraph\">(iv)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 change management controls in respect of changes to CCS;<\/p>\n<p id=\"ember79\" class=\"ember-view reader-text-block__paragraph\">(v)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 security of all components of CSS;<\/p>\n<p id=\"ember80\" class=\"ember-view reader-text-block__paragraph\">(vi)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 security by design principles;<\/p>\n<p id=\"ember81\" class=\"ember-view reader-text-block__paragraph\">(vii)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 availability of the systems during disruption;<\/p>\n<p id=\"ember82\" class=\"ember-view reader-text-block__paragraph\">(viii)\u00a0\u00a0\u00a0\u00a0 managing contracts and communications with suppliers and vendors of third party services and products; and<\/p>\n<p id=\"ember83\" class=\"ember-view reader-text-block__paragraph\">(ix)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 periodic review of the CSS Management Plan.<\/p>\n<p id=\"ember84\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Training and awareness programmes in respect of the CSS.<\/p>\n<p id=\"ember85\" class=\"ember-view reader-text-block__paragraph\">6.4 <strong>What specific computer-system security policies and guidelines should be in place under a CSS Management Plan?<\/strong><\/p>\n<p id=\"ember86\" class=\"ember-view reader-text-block__paragraph\">The Code of Practice published by the CICS Commissioner [<a class=\"xRPuXKfUpBkIORjMpZxQAvTEeNvfshyBJs \" tabindex=\"0\" href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_19\/CoP_en_v1.0.pdf\" target=\"_self\" data-test-app-aware-link=\"\" rel=\"noopener\">link<\/a>] publishes a series of expectations and requirements in respect of the subject matter of and standards stipulated in a CSS Management Plan. The relevant subject matter headings are:<\/p>\n<div class=\"reader-image-block reader-image-block--resize\">\n<figure class=\"reader-image-block__figure\">\n<div class=\"ivm-image-view-model    reader-image-block__img-container\">\n<div class=\"ivm-view-attr__img-wrapper\n        \n        \"><img decoding=\"async\" id=\"ember87\" class=\"ivm-view-attr__img--centered  reader-image-block__img evi-image lazy-image ember-view\" src=\"https:\/\/media.licdn.com\/dms\/image\/v2\/D5612AQGuUyWVOafaEA\/article-inline_image-shrink_1000_1488\/B56Z1v.hMZIQAQ-\/0\/1775700153652?e=1780531200&amp;v=beta&amp;t=sORGNOqnQiRTETqo1Y5ROssQekcblwnJLIFBOwvBp0I\" alt=\"Article content\" \/><\/div>\n<\/div>\n<figcaption class=\"reader-image-block__figure-image-caption display-block full-width text-body-small-open t-sans text-align-center t-black--light\"><\/figcaption>\n<\/figure>\n<\/div>\n<p id=\"ember88\" class=\"ember-view reader-text-block__paragraph\">The CSS Management Plan will essentially consist of a collection of policies, standards and guidelines. In its submissions to the CICS Commissioner, the CI Operator should provide a clear cross-reference that maps each applicable requirement between relevant sections of the CSS Management Plan and the Code of Practice published by the CICS Commissioner.<\/p>\n<p id=\"ember89\" class=\"ember-view reader-text-block__paragraph\">6.5 <strong>How frequently should the CSS Management Plan be reviewed?<\/strong><\/p>\n<p id=\"ember90\" class=\"ember-view reader-text-block__paragraph\">The CSS Management Plan should be reviewed upon any material changes to CCS, and in any event at least once every two years.<\/p>\n<p id=\"ember91\" class=\"ember-view reader-text-block__paragraph\">6.6 <strong>What is the process to notify the CICS Commissioner in respect of the CSS Management Plan?<\/strong><\/p>\n<p id=\"ember92\" class=\"ember-view reader-text-block__paragraph\">There is no prescribed format for a CSS Management Plan. Accordingly, the CICS Commissioner has not published a prescribed form for the purpose of giving notice.<\/p>\n<p id=\"ember93\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit the CSS Management Plan to the CICS Commissioner within three months of designation, and thereafter within one month of any revision to the CSS Management Plan.<\/p>\n<p id=\"ember94\" class=\"ember-view reader-text-block__paragraph\">Failure to give notice when required is an offence.<\/p>\n<p id=\"ember95\" class=\"ember-view reader-text-block__paragraph\">6.7 <strong>What other regulatory oversight is there of the CSS Management Plan?<\/strong><\/p>\n<p id=\"ember96\" class=\"ember-view reader-text-block__paragraph\">PCICSO includes a positive statutory obligation on CI Operators to implement the CSS Management Plan. It is not a document for presentation and filing purposes. It is a document to direct the activities of the CI Operator in respect of CCS.<\/p>\n<p id=\"ember97\" class=\"ember-view reader-text-block__paragraph\">If the CICS Commissioner believes that a CI Operator has not properly implemented a CSS Management Plan to its satisfaction, the CICS Commissioner can direct the CI Operator to arrange to carry out a CSS Audit to ascertain if the CSS Management Plan or any part of it has been properly implemented, and to submit the audit report to the CICS Commissioner.<\/p>\n<p id=\"ember98\" class=\"ember-view reader-text-block__paragraph\">7. <strong>Preventive Obligations: CSS Risk Assessments<\/strong><\/p>\n<p id=\"ember99\" class=\"ember-view reader-text-block__paragraph\">7.1 <strong>What is the basic obligation of the CI Operator in respect of CSS Risk Assessments?<\/strong><\/p>\n<p id=\"ember100\" class=\"ember-view reader-text-block__paragraph\">A CI Operator must conduct an annual computer-system security risk assessment (&#8220;CSS Risk Assessment&#8221;) in respect of the risks relating to security of the CSS of critical infrastructure it operates, and submit a report of the CSS Risk Assessment to the CICS Commissioner. The CSS Risk Assessment must include vulnerability assessment and penetration testing.<\/p>\n<p id=\"ember101\" class=\"ember-view reader-text-block__paragraph\">7.2 <strong>What matters should be included in a CSS Risk Assessment?<\/strong><\/p>\n<p id=\"ember102\" class=\"ember-view reader-text-block__paragraph\">The matters required by PCICSO to be included in a CSS Risk Assessment are:<\/p>\n<p id=\"ember103\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Vulnerability assessment of the CCS.<\/p>\n<p id=\"ember104\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Penetration test of the CCS.<\/p>\n<p id=\"ember105\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Identification and prioritisation of identified risks.<\/p>\n<p id=\"ember106\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Determination of the impact on the security of the CCS that may result from the identified risks, and the level of risks that CCS can tolerate.<\/p>\n<p id=\"ember107\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Identification of the treatment and monitoring required to deal with the identified risks.<\/p>\n<p id=\"ember108\" class=\"ember-view reader-text-block__paragraph\">7.3 <strong>Who can conduct CSS Risk Assessments?<\/strong><\/p>\n<p id=\"ember109\" class=\"ember-view reader-text-block__paragraph\">There is requirement of independence of the personnel conducting risk assessments. Vulnerability assessments should be conducted under the supervision of personnel with relevant qualifications. Penetration tests should be carried out by personnel with relevant qualifications.<\/p>\n<p id=\"ember110\" class=\"ember-view reader-text-block__paragraph\">7.4 <strong>How should CSS Risk Assessments be conducted?<\/strong><\/p>\n<p id=\"ember111\" class=\"ember-view reader-text-block__paragraph\">CSS Risk Assessments should be conducted according to nationally or internationally recognised methodologies or standards. These include standards published by:<\/p>\n<p id=\"ember112\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the China National Standardisation Administration (SAC);<\/p>\n<p id=\"ember113\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the Hong Kong Digital Policy Office;<\/p>\n<p id=\"ember114\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the US National Institute of Standards and Technology (NIST); and<\/p>\n<p id=\"ember115\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 international bodies such as the International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO).<\/p>\n<p id=\"ember116\" class=\"ember-view reader-text-block__paragraph\">7.5 <strong>What are the regulatory expectations for the conduct of the vulnerability assessment?<\/strong><\/p>\n<p id=\"ember117\" class=\"ember-view reader-text-block__paragraph\">Vulnerability assessments should be conducted under the supervision of personnel with relevant qualifications. The vulnerability assessment should involve various vulnerability identification activities to identify potential security loopholes and vulnerabilities. These include vulnerability scanning, source code reviews, and configuration reviews.<\/p>\n<p id=\"ember118\" class=\"ember-view reader-text-block__paragraph\">7.6 <strong>What are the regulatory expectations for the conduct of the penetration testing?<\/strong><\/p>\n<p id=\"ember119\" class=\"ember-view reader-text-block__paragraph\">The penetration test should be conducted by a tester having suitable knowledge, relevant experience and appropriate professional qualification. The penetration test in the CSS Risk Assessment should be carried out from the position of a potential attacker or based on threat intelligence, and can involve active exploitation of possible vulnerabilities of the CCS. The test should include areas of network security, system software security, client-side application security and server-side application security.<\/p>\n<p id=\"ember120\" class=\"ember-view reader-text-block__paragraph\">7.7 <strong>What should be included in a CSS Risk Assessment report?<\/strong><\/p>\n<p id=\"ember121\" class=\"ember-view reader-text-block__paragraph\">The CSS Risk Assessment report should include:<\/p>\n<p id=\"ember122\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Background information;<\/p>\n<p id=\"ember123\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Executive summary;<\/p>\n<p id=\"ember124\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Assessment scope, objectives, methodology, time frame and assumptions;<\/p>\n<p id=\"ember125\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description of current environment or system, including network diagrams;<\/p>\n<p id=\"ember126\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security requirements;<\/p>\n<p id=\"ember127\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Personnel involved in the computer-system security risk assessment;<\/p>\n<p id=\"ember128\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Summary of findings and recommendations;<\/p>\n<p id=\"ember129\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Risk analysis results, including identified assets, threats, vulnerabilities and their impact, likelihood and risk levels;<\/p>\n<p id=\"ember130\" class=\"ember-view reader-text-block__paragraph\">(i)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Recommended safeguards with cost-benefit analysis;<\/p>\n<p id=\"ember131\" class=\"ember-view reader-text-block__paragraph\">(j)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Conclusions; and<\/p>\n<p id=\"ember132\" class=\"ember-view reader-text-block__paragraph\">(k)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Annexes, including completed vulnerability assessment report, penetration test report, covered asset inventories, and asset valuation results.<\/p>\n<p id=\"ember133\" class=\"ember-view reader-text-block__paragraph\">7.8 <strong>What is the timeline to complete the CSS Risk Assessment, and to submit the report to the CICS Commissioner?<\/strong><\/p>\n<p id=\"ember134\" class=\"ember-view reader-text-block__paragraph\">The first CSS Risk Assessment must be completed within 12 months of designation by the CICS Commissioner, and a further CSS Risk Assessment must be conducted within each successive 12 months thereafter.<\/p>\n<p id=\"ember135\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit its report from the CSS Risk Assessment to the CICS Commissioner within three months after deadline for conduct of the relevant assessment.<\/p>\n<p id=\"ember136\" class=\"ember-view reader-text-block__paragraph\">Failure to conduct the CSS Risk Assessment, or to file the report to the CICS Commissioner, when required is an offence.<\/p>\n<p id=\"ember137\" class=\"ember-view reader-text-block__paragraph\">8. <strong>Preventive Obligations: CSS Risk Audits<\/strong><\/p>\n<p id=\"ember138\" class=\"ember-view reader-text-block__paragraph\">8.1 <strong>What is the basic obligation of the CI Operator in respect of CSS Audits?<\/strong><\/p>\n<p id=\"ember139\" class=\"ember-view reader-text-block__paragraph\">A CI Operator must arrange to carry out an audit every two years in respect of the computer-system security of the CCS of critical infrastructure it operates (&#8220;CSS Audit&#8221;), and submit a report of the CSS Audit to the CICS Commissioner.<\/p>\n<p id=\"ember140\" class=\"ember-view reader-text-block__paragraph\">8.2 <strong>What matters should be included in a CSS Audit?<\/strong><\/p>\n<p id=\"ember141\" class=\"ember-view reader-text-block__paragraph\">The matters required by PCICSO to be included in a CSS Audit are:<\/p>\n<p id=\"ember142\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Verification of whether the existing protection measures in respect of the CSS have been performed properly. This includes whether CSS Management Plans have been properly implemented, and whether the implementation observed relevant provisions in an applicable Code of Practice or was conducted otherwise.<\/p>\n<p id=\"ember143\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An opinion on the condition of the computer-system security of the CCS based on its verification and assessment.<\/p>\n<p id=\"ember144\" class=\"ember-view reader-text-block__paragraph\">8.3 <strong>Who can conduct CSS Audits?<\/strong><\/p>\n<p id=\"ember145\" class=\"ember-view reader-text-block__paragraph\">The CSS Audit must be conducted by persons who are independent of the operation or maintenance of the CCS, and who were not involved in the design or maintenance of the computer-system security controls. The expectation is that the CSS Audit would be conducted by independent third party auditors or by an internal audit department that is not involved in the operation or maintenance of the CCS.<\/p>\n<p id=\"ember146\" class=\"ember-view reader-text-block__paragraph\">The auditor should possess suitable knowledge, relevant experience and appropriate professional qualifications.<\/p>\n<p id=\"ember147\" class=\"ember-view reader-text-block__paragraph\">8.4 <strong>How should CSS Audits be conducted?<\/strong><\/p>\n<p id=\"ember148\" class=\"ember-view reader-text-block__paragraph\">CSS Audits should be conducted according to nationally or internationally recognised methodologies or standards. These include standards published by:<\/p>\n<p id=\"ember149\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the China National Standardisation Administration (SAC);<\/p>\n<p id=\"ember150\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 the Hong Kong Digital Policy Office; and<\/p>\n<p id=\"ember151\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 international bodies such as the International Electrotechnical Commission (IEC) and the International Organisation for Standardisation (ISO).<\/p>\n<p id=\"ember152\" class=\"ember-view reader-text-block__paragraph\">8.5 <strong>What should be included in a CSS Audit report?<\/strong><\/p>\n<p id=\"ember153\" class=\"ember-view reader-text-block__paragraph\">The CSS Audit report should include:<\/p>\n<p id=\"ember154\" class=\"ember-view reader-text-block__paragraph\">(a)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Background information;<\/p>\n<p id=\"ember155\" class=\"ember-view reader-text-block__paragraph\">(b)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Executive summary;<\/p>\n<p id=\"ember156\" class=\"ember-view reader-text-block__paragraph\">(c)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Scope;<\/p>\n<p id=\"ember157\" class=\"ember-view reader-text-block__paragraph\">(d)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Objectives;<\/p>\n<p id=\"ember158\" class=\"ember-view reader-text-block__paragraph\">(e)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Audit methodologies;<\/p>\n<p id=\"ember159\" class=\"ember-view reader-text-block__paragraph\">(f)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Assumptions, limitations and qualifications;<\/p>\n<p id=\"ember160\" class=\"ember-view reader-text-block__paragraph\">(g)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Findings and report; and<\/p>\n<p id=\"ember161\" class=\"ember-view reader-text-block__paragraph\">(h)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Statement of opinion.<\/p>\n<p id=\"ember162\" class=\"ember-view reader-text-block__paragraph\">8.6 <strong>What is the timeline to complete the CSS Audit, and to submit the report to the CICS Commissioner?<\/strong><\/p>\n<p id=\"ember163\" class=\"ember-view reader-text-block__paragraph\">The first CSS Audit must be completed within 24 months of designation by the CICS Commissioner, and a further CSS Audit must be conducted within each successive 24 months thereafter.<\/p>\n<p id=\"ember164\" class=\"ember-view reader-text-block__paragraph\">The CI Operator must submit its report from the CSS Audit to the CICS Commissioner within three months after the deadline for conducting the relevant assessment.<\/p>\n<p id=\"ember165\" class=\"ember-view reader-text-block__paragraph\">Failure to conduct the CSS Audit, or to file the report to the CICS Commissioner, when required is an offence.<\/p>\n<p id=\"ember166\" class=\"ember-view reader-text-block__paragraph\">Plans, assessments and audits are the core work of the CSS Management Unit. The regulatory intent is that a strong focus on prevention will mitigate the risk of security incidents. The CSS Management Plan is not a once-and-done task. The process of assessment, audit and review are intended to bring about a virtuous cycle of continuous improvement in the security of critical computer systems.<\/p>\n<p id=\"ember167\" class=\"ember-view reader-text-block__paragraph\">In the next article in this series, we will look at some incident reporting and response obligations under PCICSO.<\/p>\n<p style=\"text-align: right;\"><strong><em>P\u00e1draig Walsh<\/em><\/strong><\/p>\n<p>If you want to know more about the content of this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\">P\u00e1draig Walsh<\/a><br \/>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\">Email<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on <em>9 April 2026.<\/em><\/p>\n<\/div>\n\n\n\n\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force in Hong Kong on 1 January 2026. This is the first substantial horizontal cybersecurity legislation in Hong Kong. We are exploring the scope and impact of this legislation in a series of articles, focusing in a Q&amp;A format on the key [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":32718,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[162,23,291],"insight-category":[1121],"insight-month":[1155],"insight-practice-area":[1146,1142],"insight-year":[1162],"class_list":["post-32717","insight-and-news","type-insight-and-news","status-publish","has-post-thumbnail","hentry","tag-cybersecurity","tag-legal-updates","tag-tmt","insight-category-legal-updates-and-insights","insight-month-april","insight-practice-area-cybersecurity","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1162"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":4,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32717\/revisions"}],"predecessor-version":[{"id":32784,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-and-news\/32717\/revisions\/32784"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media\/32718"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=32717"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/tags?post=32717"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-category?post=32717"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-month?post=32717"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-practice-area?post=32717"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hant\/wp-json\/wp\/v2\/insight-year?post=32717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}