Hong Kong passes cybersecurity law for 'critical infrastructure'

Security protocols mandated on entities in sectors ranging from banking to air transport

This photo shows an aerial view of the construction of apartment blocks on what was the runway of the old Kai Tak airport in Hong Kong on February 24, 2025.
AFP

Hong Kong passed a law on Wednesday that officials say will better protect "critical infrastructure" against cyber attacks, imposing security requirements on entities in sectors ranging from banking to air transport.

Authorities have cited the need to defend computer systems that are "increasingly vulnerable to attacks with serious consequences", while distancing the bill from perceptions of government overreach.

The Chinese city's tech hub Cyberport suffered a ransomware attack in 2023 that exposed the personal information of 13,000 staffers and prospective employees.

Security chief Chris Tang reassured lawmakers on Wednesday that the legislation applied only to "critical infrastructure operators" and "absolutely does not target personal data or commercial secrets".

Those operators are "mostly large organisations, while small- and medium-sized enterprises and members of the public are unregulated and unaffected", Tang said before the bill was passed in Hong Kong's opposition-free legislature.

Those operators could be fined up to HK$5 million ($640,000) for breaching legal obligations to conduct security audits, provide contingency plans and report attacks on critical computer systems.

The law is set to take effect at the start of next year, Tang said, adding that a new government office will designate who those "operators" are.

The law covers critical infrastructure operators in eight sectors -- energy, banking and financial services, healthcare, telecommunications and broadcasting, information technology, as well as land, maritime and air transport.

'Societal or economic activities'

The American Chamber of Commerce in Hong Kong voiced reservations last year about including "information technology" as one of the sectors, calling the label "broad and vague".

Authorities said the bill was in line with similar protections in the United States, Britain, Australia and the European Union.

Names of the operators will not be disclosed to avoid painting a bullseye for attackers, officials added.

The law also covers infrastructure that, if damaged, could "affect the maintenance of critical societal or economic activities in Hong Kong" -- for example major sports venues.

Officials in the Chinese finance hub have stressed the need for order and stability after quelling huge and sometimes violent pro-democracy protests in 2019.

Article 19, a London-based group promoting free expression, said last year that the Hong Kong bill "appears modelled more to close additional gaps in internet freedom than addressing authentic cybersecurity challenges".

Tang said the government had held multiple consultations since 2023 and that "stakeholders and society... agree with the need for legislation".

The new law has no extraterritorial effect, but will encompass overseas servers connected to a Hong Kong-based operator, he added.
