Pedestrians walk along a street in Hong Kong on March 19, 2025. (Photo by Peter PARKS / AFP)
Hong Kong: Hong Kong passed a law on Wednesday that officials say will better protect "critical infrastructure" against cyber attacks, imposing security requirements on entities in sectors ranging from banking to air transport.
Authorities have tried to downplay the political undertones of the law, saying last year that it applied only to "critical infrastructure operators" and "in no way involves personal data (or) business information".
Those operators could be fined up to HK$5 million ($640,000) for breaching legal obligations to conduct security audits, provide contingency plans and report attacks on critical computer systems.
Security chief Chris Tang said on Wednesday the law is targeted to take effect at the start of next year, adding that the government will set up a dedicated office.
The law covers critical infrastructure operators in eight sectors -- energy, banking and financial services, healthcare, telecommunications and broadcasting, information technology, as well as land, maritime and air transport.
The American Chamber of Commerce in Hong Kong voiced reservations last year about including "information technology" as one of the sectors, calling the label "broad and vague".
Authorities said the bill was in line with similar protections in the United States, Britain, Australia and the European Union.
Names of the operators will not be disclosed to avoid painting a bullseye for attackers, officials added.
The law also covers infrastructure that, if damaged, could "affect the maintenance of critical societal or economic activities in Hong Kong".
Officials in the Chinese finance hub have stressed the need for order and stability after quelling huge and often violent pro-democracy protests in 2019.
As Beijing tightens its grip on Hong Kong, some firms have raised concerns that stricter cybersecurity rules may curb the free flow of information core to the city's international appeal.
The government said earlier that the law only applies to designated operators and will not affect small and medium enterprises.
