Protection of Critical Infrastructures (Computer Systems) Bill

The Protection of Critical Infrastructures (Computer Systems) Bill aims to secure the computer systems of critical infrastructures in Hong Kong, regulate their operators, and provide mechanisms for investigating and responding to security threats and incidents. The bill outlines the roles and powers of regulating authorities, including the Commissioner and designated authorities, and establishes obligations for CI operators regarding security management and incident reporting. It includes provisions for legal proceedings, appeals, and miscellaneous regulations related to the enforcement of the bill.


Contents

Part 1
Preliminary
1. Short title and commencement
2. Interpretation

Part 2
Regulating Authorities
Division 1—Commissioner
3. Commissioner
4. Functions of Commissioner
Division 2—Designated Authorities
5. Designated authorities
6. Functions of designated authorities
Division 3—General Powers of Regulating Authorities
7. Regulating authorities may give directions
8. Regulating authorities may issue codes of practice
9. Use of codes of practice in legal proceedings
10. Regulating authorities may specify forms etc.

Part 3
Critical Infrastructures, CI Operators and Critical Computer Systems
Division 1—Ascertaining Critical Infrastructures and Designating CI Operators and Critical Computer Systems
11. Ascertaining critical infrastructures
12. Designating CI operators
13. Designating critical computer systems
Division 2—Requiring Information
14. Requiring information for purposes of section 11
15. Requiring information for purposes of section 12
16. Requiring information for purposes of section 13
17. Requiring information for understanding critical computer systems and preparing for threats
18. Offence relating to sections 14, 15, 16 and 17

Part 4
Obligations of CI Operator
Division 1—Obligations relating to Organization of CI Operators
19. Obligation to maintain office in Hong Kong
20. Obligation to notify operator changes
21. Obligation to set up and maintain computer-system security management unit
Division 2—Obligations relating to Prevention of Threats and Incidents
22. Obligation to notify material changes to certain computer systems
23. Obligation to submit and implement computer-system security management plan
24. Obligation to conduct computer-system security risk assessments
25. Obligation to arrange to carry out computer-system security audits
Division 3—Obligations relating to Incident Reporting and Response
26. Obligation to participate in computer-system security drill
27. Obligation to submit and implement emergency response plan
28. Obligation to notify computer-system security incidents

Part 5
Responding to Computer-system Security Threats and Computer-system Security Incidents
Division 1—Early Intervention
29. Commissioner may direct inquiries to identify computer-system security threats and computer-system security incidents
30. Powers of authorized officers of Commissioner in making inquiries
31. Magistrate's warrants for entering premises for early intervention
32. Conditions for issuing warrants
Division 2—Computer-system Security Investigations
33. Interpretation
34. Commissioner may direct investigations to be carried out in relation to computer-system security threats or computer-system security incidents
35. Powers of authorized officers of Commissioner in investigations
36. Additional power of authorized officer of Commissioner
37. Magistrate's warrants for imposing requirements on organizations other than investigated CI operators
38. Magistrate's warrants for entering premises for computer-system security investigations
39. Conditions for issuing warrants
40. Power of entry in emergencies
Division 3—Supplementary Provisions
41. Use of incriminating evidence in proceedings after early interventions and computer-system security investigations
42. Offences relating to Divisions 1 and 2 of Part 5

Part 6
Investigation of Offences
43. Regulating authorities may direct offences to be investigated
44. Use of incriminating evidence in proceedings after investigations
45. Offence relating to section 43
46. Magistrate's warrants for entering premises or accessing electronic devices for investigations into offences

Part 7
Appeals
47. Appeal panel
48. Appeals against decisions
49. Decisions of appeal board

Part 8
Miscellaneous
50. Appointment of authorized officers by Commissioner
51. Appointment of authorized officers by designated authority
52. Delegation of functions by Commissioner and designated authorities
53. Performance of functions
54. Commissioner may perform functions in respect of critical infrastructures and CI operators regulated by designated authorities if necessary
55. Commissioner may exempt CI operators
56. Designated authorities may prosecute offences
57. Preservation of secrecy
58. Offences relating to section 57
59. Protection of informers
60. Immunity
61. Legal professional privilege
62. Production of information in information systems
63. Lien claimed on documents
64. Disposal of certain property
65. Due diligence
66. Reasonable excuse
67. Service of notice etc.
68. Certificates of designation
69. Secretary for Security may make regulations
70. Amendment of Schedules

Schedule 1 Sectors Specified for Definition of Critical Infrastructure
Schedule 2 Designated Authorities and Regulated Organizations
Schedule 3 Computer-system Security Management Plans and Emergency Response Plans
Schedule 4 Matters Specified for Computer-system Security Risk Assessments
Schedule 5 Matters Specified for Computer-system Security Audits
Schedule 6 Specified Time for Notifications under Section 28
Schedule 7 Appeals


A BILL
To
Protect the security of the computer systems of Hong Kong’s critical
infrastructures; to regulate the operators of such
infrastructures; to provide for the investigation into, and
response to, computer-system security threats and incidents in
respect of such computer systems; and to provide for related
matters.

Enacted by the Legislative Council.

Part 1

Preliminary

1. Short title and commencement
(1) This Ordinance may be cited as the Protection of Critical Infrastructures (Computer Systems) Ordinance.
(2) This Ordinance comes into operation on a day to be appointed by the Secretary for Security by notice published in the Gazette.

2. Interpretation
(1) In this Ordinance—
appeal board means an appeal board appointed under section 4(1) of Schedule 7;
appeal panel means the appeal panel mentioned in section 47(1);
authorized officer, in relation to a regulating authority, means—
(a) if the authority is the Commissioner—a person appointed under section 50(1); or
(b) if the authority is a designated authority—a person appointed by the authority under section 51(1);
category 1 obligation means an obligation imposed by Division 1 of Part 4;
category 2 obligation means an obligation imposed by Division 2 of Part 4, and includes an obligation to comply with a requirement imposed under section 24(5) or 25(4) or (6);
category 3 obligation means an obligation imposed by Division 3 of Part 4;
CI operator means an organization designated under section 12;
code of practice, except in section 55, means a code of practice issued under section 8 (including such a code of practice that is revised under section 8);
Commissioner means the Commissioner of Critical Infrastructure (Computer-system Security) appointed under section 3(1);
computer system—
(a) means a set of computer hardware and software that is organized for the collection, processing, storage, transmission or disposition of information; and
(b) includes a computer;
computer-system security, in relation to a critical computer system, means the ability of the system to resist, and the state in which the system is protected from, events and acts that compromise the availability, integrity or confidentiality of—
(a) the information stored in, transmitted or processed by, or accessible via, the system; or
(b) the services offered by, or accessible via, the system;
computer-system security incident, in relation to a critical computer system, means an event that—
(a) involves—
(i) access, without lawful authority, to the critical computer system; or
(ii) any other act done, without lawful authority, on or through the critical computer system or another computer system; and
(b) has an actual adverse effect on the computer-system security of the critical computer system;
computer-system security management unit, in relation to a CI operator, means a unit maintained by the operator under section 21(1);
computer-system security threat, in relation to a critical computer system, means an act (whether known or suspected)—
(a) that is, or is capable of being, done on or through the critical computer system or another computer system; and
(b) the doing of which is likely to have an adverse effect on the computer-system security of the critical computer system;
core function, in relation to a critical infrastructure, means—
(a) if the infrastructure falls within paragraph (a) of the definition of critical infrastructure in this subsection—the provision of the essential service concerned; or
(b) if the infrastructure falls within paragraph (b) of that definition—any function of the infrastructure that is essential to the maintenance of critical societal or economic activities in Hong Kong;
court means—
(a) a court as defined by section 3 of the Interpretation and General Clauses Ordinance (Cap. 1); or
(b) a magistrate;
critical computer system means a computer system designated under section 13;
critical infrastructure means—
(a) any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a sector specified in Schedule 1; or
(b) any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong;
designated authority—see section 5;
designation date, in relation to a CI operator, means the date on which the operator is designated under section 12;
document includes—
(a) any input or output, in whatever form, into or from an information system; and
(b) any document, record of information or similar material (whether produced or stored mechanically, electronically, magnetically, optically, manually or by any other means);
function includes a power and a duty;
information includes data, text, images, sound codes, computer programs, software, databases, and any combination of them;
information system has the meaning given by section 2(1) of the Electronic Transactions Ordinance (Cap. 553);
organization includes a company and any other body corporate;
regulated organization, in relation to a designated authority, means an organization specified in column 4 of Part 2 of Schedule 2 opposite the authority;
regulating authority means the Commissioner or a designated authority;
specified critical infrastructure—see subsection (3);
tribunal means a tribunal established by or under an Ordinance.

(2) In this Ordinance, a reference to a critical infrastructure operated by a CI operator is a reference to a critical infrastructure in relation to which the operator is designated under section 12.
(3) For the purposes of this Ordinance—
(a) if a critical infrastructure—
(i) is related to a sector specified in column 3 of Part 2 of Schedule 2 opposite a designated authority; and
(ii) is operated by a regulated organization of the authority,
the infrastructure is a specified critical infrastructure for the authority; and
(b) a critical infrastructure is otherwise a specified critical infrastructure for the Commissioner.
(4) For the purposes of this Ordinance—
(a) if a CI operator is a regulated organization of a designated authority, the operator is a CI operator regulated by the authority; or
(b) a CI operator is otherwise a CI operator regulated by the Commissioner,
and a reference to a regulating authority that regulates a CI operator is to be construed accordingly.
(5) For the purposes of this Ordinance, an act (including access to a computer system) is done without lawful authority if the person doing the act—
(a) does so in excess of the person's authority; or
(b) is otherwise not entitled to do so.

Part 2

Regulating Authorities

Division 1—Commissioner

3. Commissioner
(1) For the purposes of this Ordinance, the Chief Executive may appoint a person to be the Commissioner of Critical Infrastructure (Computer-system Security).
(2) The Commissioner is to be appointed for a term of not more than 5 years, but is eligible for reappointment.
(3) The Commissioner is to be entitled to be paid the remuneration and allowances determined by the Secretary for Security.

4. Functions of Commissioner
The functions of the Commissioner are—
(a) to identify critical infrastructures and designate CI operators and critical computer systems;
(b) to issue, revise and maintain codes of practice in respect of category 1 obligations, category 2 obligations and category 3 obligations of CI operators;
(c) to monitor and supervise compliance with the provisions of this Ordinance;
(d) to regulate CI operators with regard to the computer-system security of the critical computer systems of critical infrastructures;
(e) to monitor, investigate and respond to computer-system security threats and computer-system security incidents in respect of the critical computer systems of critical infrastructures;
(f) to coordinate the implementation of this Ordinance with designated authorities and government departments; and
(g) to perform any other functions imposed or conferred on the Commissioner under this or any other Ordinance.

Division 2—Designated Authorities

5. Designated authorities
For the purposes of this Ordinance, an authority is a designated authority if it is specified in column 2 of Part 2 of Schedule 2.

6. Functions of designated authorities
The functions of a designated authority are—
(a) to identify critical infrastructures regulated by the authority (subject infrastructures) and designate CI operators and critical computer systems for such infrastructures;
(b) to issue, revise and maintain codes of practice in respect of category 1 obligations and category 2 obligations of CI operators regulated by the authority (subject operators);
(c) to monitor and supervise compliance with category 1 obligations and category 2 obligations;
(d) to regulate subject operators with regard to the computer-system security of the critical computer systems of subject infrastructures to the extent that such regulation relates to category 1 obligations and category 2 obligations;
(e) to facilitate the Commissioner's performance of the Commissioner's functions under this Ordinance; and
(f) to perform any other functions imposed or conferred on the authority under this Ordinance.

Division 3—General Powers of Regulating Authorities

7. Regulating authorities may give directions
(1) The Commissioner—
(a) may, in writing, direct a CI operator regulated by the Commissioner to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 1 obligation or category 2 obligation if the Commissioner is satisfied that—
(i) the operator has failed to comply with the obligation; or
(ii) the operator's compliance with the obligation is defective; and
(b) may, in writing, direct a CI operator to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 3 obligation if the Commissioner is satisfied that—
(i) the operator has failed to comply with the obligation; or
(ii) the operator's compliance with the obligation is defective.
(2) A designated authority may, in writing, direct a CI operator regulated by the authority to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 1 obligation or category 2 obligation if the authority is satisfied that—
(a) the operator has failed to comply with the obligation; or
(b) the operator's compliance with the obligation is defective.
(3) A direction given under subsection (1) or (2) must specify the time within which it has to be complied with.
(4) Without limiting subsections (1) and (2), a direction given under either of those subsections may require the CI operator concerned to revise and resubmit any document that has to be submitted under this Ordinance.
(5) A direction given under subsection (1) or (2) by a regulating authority may be revoked at any time by the authority.
(6) For the purposes of subsections (1)(a)(ii) and (b)(ii) and (2)(b), in considering whether a CI operator's compliance with an obligation is defective, the regulating authority concerned may take into account whether the operator has observed a relevant provision in a code of practice.
(7) If a direction is given by a regulating authority to a CI operator by virtue of subsection (1)(a)(ii) or (b)(ii) or (2)(b), and the operator is able to show to the satisfaction of the authority that—
(a) the operator has done, or is doing, an act in relation to the obligation concerned; and
(b) because of the act, the operator's compliance with the obligation is not defective (whether or not on the ground that a relevant provision in a code of practice is observed),
the authority may, in writing, discharge the direction.
(8) A CI operator commits an offence if the operator fails to comply with a direction given under subsection (1) or (2).
(9) A CI operator that commits an offence under subsection (8) is liable—
(a) on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
(b) on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues.

8. Regulating authorities may issue codes of practice
(1) A regulating authority may issue a code of practice that provides practical guidance on—
  (a) if the authority is the Commissioner—
    (i) how a CI operator regulated by the Commissioner is to comply with category 1 obligations and category 2 obligations; and
    (ii) how a CI operator is to comply with category 3 obligations; or
  (b) if the authority is a designated authority—how a CI operator regulated by the authority is to comply with category 1 obligations and category 2 obligations.
(2) A code of practice may include—
  (a) a standard; and
  (b) a specification.
(3) If a regulating authority issues a code of practice, the authority must—
  (a) publish the code on a website of the authority; and
  (b) by notice published on a website of the authority—
    (i) bring the publication of the code to the attention of those it considers likely to be affected by the code;
    (ii) specify the date on which the code is to take effect; and
    (iii) specify the purposes for which the code is issued.
(4) A regulating authority may from time to time revise any code of practice issued by the authority.
(5) If a code of practice is revised under subsection (4), the regulating authority must—
  (a) publish the code so revised on a website of the authority; and
  (b) by notice published on a website of the authority—
    (i) bring the revision of the code to the attention of those it considers likely to be affected by the revision;
    (ii) specify the date on which the revision is to take effect; and
    (iii) specify the purposes of the revision.
(6) A regulating authority may revoke (whether in whole or in part) any code of practice issued by the authority.
(7) If a code of practice is revoked (whether in whole or in part) under subsection (6), the regulating authority must, by notice published on a website of the authority—
  (a) bring the revocation to the attention of those it considers likely to be affected by the revocation; and
  (b) specify the date on which the revocation is to take effect.
(8) A code of practice is not subsidiary legislation.
(9) To avoid doubt, a regulating authority may under this section issue different codes of practice for different purposes under this Ordinance.

9. Use of codes of practice in legal proceedings
(1) A failure by an organization to observe a provision of a code of practice does not by itself make the organization liable to any civil or criminal proceedings.
(2) Despite subsection (1), if in any legal proceedings the court or appeal board concerned is satisfied that a code of practice (or any part of a code of practice) is relevant to determining a matter that is in issue in the proceedings—
  (a) the code (or part of the code) is admissible in evidence in the proceedings; and
  (b) proof that the organization contravened or did not contravene a relevant provision of the code may be relied on by a party to the proceedings as tending to establish or negate that matter.
(3) In any legal proceedings, a document purporting to be a copy of a code of practice printed from a website of a regulating authority—
  (a) is admissible in evidence on production without further proof; and
  (b) unless the contrary is proved, is evidence of the information contained in the document.
(4) In this section—
legal proceedings includes the proceedings of an appeal board.

10. Regulating authorities may specify forms etc.
(1) A regulating authority may specify—
  (a) the form of a document or notification required to be provided or made for the purposes of this Ordinance; and
  (b) the way in which it is to be provided or made.
(2) A regulating authority may specify—
  (a) more than one form under subsection (1)(a); and
  (b) more than one way under subsection (1)(b),
whether as alternatives or to provide for different circumstances.

Part 3
Critical Infrastructures, CI Operators and Critical Computer Systems

Division 1—Ascertaining Critical Infrastructures and Designating CI Operators and Critical Computer Systems

11. Ascertaining critical infrastructures
(1) For the purposes of this Ordinance, a regulating authority may ascertain whether an infrastructure is a specified critical infrastructure for the authority.
(2) A regulating authority may, in ascertaining whether an infrastructure is a specified critical infrastructure for the authority, take into account—
  (a) what kind of service is provided by the infrastructure;
  (b) what implications there can be if the infrastructure is damaged, loses functionality or suffers any data leakage;
  (c) any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
  (d) any other matters the authority considers relevant.

12. Designating CI operators
(1) For the purposes of this Ordinance, the Commissioner may, by written notice, designate an organization as a CI operator if—
  (a) the organization operates a critical infrastructure; and
  (b) the infrastructure is a specified critical infrastructure for the Commissioner.
(2) For the purposes of this Ordinance, a designated authority may, by written notice, designate a regulated organization of the authority as a CI operator if—
  (a) the organization operates a critical infrastructure; and
  (b) the infrastructure is a specified critical infrastructure for the authority.
(3) To avoid doubt—
  (a) more than one CI operator may be designated in relation to a critical infrastructure; and
  (b) an organization may be designated as a CI operator for more than one critical infrastructure.
(4) A designation under subsection (1) or (2)—
  (a) may be revoked at any time by the regulating authority making it; and
  (b) has effect until it is so revoked.
(5) In considering whether to designate an organization as a CI operator or whether to revoke such a designation, a regulating authority may take into account—
  (a) how dependent the core function of the critical infrastructure concerned is on computer systems;
  (b) the sensitivity of the digital data controlled by the organization in respect of the infrastructure;
  (c) the extent of control that the organization has over the operation and management of the infrastructure;
  (d) any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
  (e) any other matters the authority considers relevant.

13. Designating critical computer systems
(1) For the purposes of this Ordinance, a regulating authority may, by written notice to a CI operator regulated by the authority, designate a computer system (whether under the control of the operator or not) that—
  (a) is accessible by the operator in or from Hong Kong; and
  (b) is essential to the core function of a critical infrastructure operated by the operator,
as a critical computer system for the infrastructure.
(2) A designation under subsection (1)—
  (a) may be revoked at any time by the regulating authority making it; and
  (b) has effect until it is so revoked.
(3) In considering whether to designate a computer system (subject system) as a critical computer system or whether to revoke such a designation, a regulating authority may take into account—
  (a) the role of the subject system in respect of the core function of the critical infrastructure concerned;
  (b) how such a core function would be impacted if the subject system is disrupted or destroyed;
  (c) the extent to which the subject system is related to any other computer systems of the CI operator concerned;
  (d) the extent to which the subject system and any other computer systems of the operator are related to those of other CI operators;
  (e) any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
  (f) any other matters the authority considers relevant.

Division 2—Requiring Information

14. Requiring information for purposes of section 11
(1) For the purposes of section 11, a regulating authority may, by written notice, require an organization that—
  (a) operates, or appears to be operating, an infrastructure; or
  (b) otherwise has, or appears to have, control over an infrastructure,
to provide any information the authority reasonably considers necessary for ascertaining whether the infrastructure is a specified critical infrastructure for the authority.
(2) An organization to which a notice is given under subsection (1) must provide the information concerned within the time, and in the form and way, specified in the notice.

15. Requiring information for purposes of section 12
(1) For the purposes of section 12, a regulating authority may, by written notice, require an organization that—
  (a) operates, or appears to be operating, a critical infrastructure that is a specified critical infrastructure for the authority; or
  (b) otherwise has, or appears to have, control over such a critical infrastructure,
to provide any information the authority reasonably considers necessary for considering whether to designate the organization as a CI operator.
(2) For the purposes of section 12, a regulating authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for considering whether to revoke the operator’s designation as a CI operator.
(3) An organization to which a notice is given under subsection (1) or (2) must provide the information concerned within the time, and in the form and way, specified in the notice.

16. Requiring information for purposes of section 13
(1) For the purposes of section 13, a regulating authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for considering—
  (a) whether to designate a computer system as a critical computer system; or
  (b) whether to revoke such a designation.
(2) A CI operator to which a notice is given under subsection (1) must provide the information concerned within the time, and in the form and way, specified in the notice.

17. Requiring information for understanding critical computer systems and preparing for threats
(1) The Commissioner—
  (a) may, by written notice, require a CI operator regulated by the Commissioner to provide any information the Commissioner reasonably considers necessary for—
    (i) better understanding the critical computer systems of the critical infrastructure operated by the operator, so that the Commissioner is able to assess, respond to or prepare for any potential computer-system security threat and computer-system security incident in respect of the critical computer systems of the infrastructure; or
    (ii) ascertaining the compliance of the operator with a category 1 obligation or category 2 obligation; and
  (b) may, by written notice, require a CI operator to provide any information the Commissioner reasonably considers necessary for ascertaining the compliance of the operator with a category 3 obligation.
(2) A designated authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for—
  (a) better understanding the critical computer systems of the critical infrastructure operated by the operator, so that the authority is able to assess, respond to or prepare for any potential computer-system security threat and computer-system security incident in respect of the critical computer systems of the infrastructure; or
  (b) ascertaining the compliance of the operator with a category 1 obligation or category 2 obligation.
(3) A CI operator to which a notice is given under subsection (1) or (2) must provide the information concerned within the time, and in the form and way, specified in the notice.

18. Offence relating to sections 14, 15, 16 and 17
(1) An organization commits an offence if the organization, without reasonable excuse, fails to comply with section 14(2), 15(3), 16(2) or 17(3).
(2) An organization that commits an offence under subsection (1) is liable—
  (a) if the organization is a CI operator at the time of the offence—
    (i) on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
    (ii) on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues; or
  (b) in any other case—
    (i) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
    (ii) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

Part 4
Obligations of CI Operator

Division 1—Obligations relating to Organization of CI Operators

19. Obligation to maintain office in Hong Kong
(1) For the purposes of this Ordinance, a CI operator must—
  (a) subject to subsection (2), maintain in Hong Kong an office to which notices and other documents may be given or sent; and
  (b) notify, in writing, the regulating authority that regulates the operator of the address of the office (correspondence address)—
    (i) subject to subparagraph (ii), within 1 month after the operator’s designation date (specified period); or
    (ii) if the specified period is extended under subsection (2)(b)—within the period so extended.
(2) If the CI operator does not already maintain an office in Hong Kong on the operator’s designation date—
  (a) subsection (1)(a) only applies to the operator—
    (i) subject to subparagraph (ii), after the expiry of the specified period; or
    (ii) if the specified period is extended under paragraph (b)—after the expiry of the period so extended; and
  (b) the regulating authority may, on application by the operator, extend the specified period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
(3) If the CI operator’s correspondence address changes after the operator makes a notification under subsection (1)(b), the operator must, in writing, notify the regulating authority of the change within 1 month after the date on which the change occurs.
(4) A CI operator commits an offence if the operator fails to comply with subsection (1) or (3).
(5) A CI operator that commits an offence under subsection (4) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

20. Obligation to notify operator changes
(1) A CI operator must, in writing, notify the regulating authority that regulates the operator of any operator change in relation to a critical infrastructure operated by the operator as soon as practicable and in any event within 1 month after the date on which the change occurs.
(2) A CI operator commits an offence if the operator fails to comply with subsection (1).
(3) A CI operator that commits an offence under subsection (2) is liable—
  (a) on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues.
(4) In this section—
operator change, in relation to a critical infrastructure, means a change of the organization that operates the infrastructure.

21. Obligation to set up and maintain computer-system security management unit
(1) A CI operator must, subject to subsection (3), maintain a unit (however described) for—
  (a) managing the computer-system security of the critical computer systems of the critical infrastructure operated by the operator; and
  (b) ensuring that this Ordinance is complied with in relation to the infrastructure.
(2) For the purposes of subsection (1), the CI operator may—
  (a) set up and maintain the computer-system security management unit by itself; or
  (b) engage a service provider to set up and maintain the unit.
(3) If the CI operator does not already maintain a computer-system security management unit on the operator’s designation date, subsection (1) only applies to the operator—
  (a) subject to paragraph (b), after the expiry of 1 month after that date (specified period); or
  (b) if the specified period is extended under subsection (5)—after the expiry of the period so extended.
(4) The CI operator must—
  (a) appoint an employee of the operator who has adequate professional knowledge in relation to computer-system security (adequate knowledge) to supervise the computer-system security management unit; and
  (b) notify, in writing, the regulating authority that regulates the operator of the appointment—
    (i) subject to subparagraph (ii), within the specified period; or
    (ii) if the specified period is extended under subsection (5)—within the period so extended.
(5) If, on the CI operator’s designation date, the operator—
  (a) does not already maintain a computer-system security management unit; or
  (b) does not already have an employee who has adequate knowledge appointed to supervise such a unit,
the regulating authority may, on application by the operator, extend the specified period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
(6) If there is any change in respect of an appointment under subsection (4)(a) after it is made, the CI operator must, in writing, notify the regulating authority of the change within 1 month after the date of the change.
(7) A CI operator commits an offence if the operator fails to comply with subsection (4)(b) or (6).
(8) A CI operator that commits an offence under subsection (7) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

Division 2—Obligations relating to Prevention of Threats and Incidents

22. Obligation to notify material changes to certain computer systems
(1) If any of the events specified in subsection (2) occurs in respect of a critical infrastructure operated by a CI operator, the operator must notify, in the form and way specified under section 10, the regulating authority that regulates the operator of the event within 1 month after the date on which the event occurs.
(2) For the purposes of subsection (1), the events are that—
  (a) a material change occurs to the design, configuration, security or operation of a critical computer system of the critical infrastructure;
  (b) a critical computer system of the infrastructure is removed;
  (c) a computer system (whether under the control of the CI operator or not) that—
    (i) is accessible by the operator in or from Hong Kong; and
    (ii) is essential to the core function of the infrastructure,
  is added to the infrastructure; and
  (d) a change occurs to a computer system (whether under the control of the operator or not) that—
    (i) is an existing computer system of the infrastructure; and
    (ii) is accessible by the operator in or from Hong Kong,
  such that the system becomes essential to the core function of the infrastructure.
(3) For the purposes of subsection (2)(a), without limiting the meaning of “material”, a change is a material change as described in that subsection if the change—
  (a) affects—
    (i) the computer-system security of the critical computer system concerned; or
    (ii) the ability of the CI operator to respond to a computer-system security threat or computer-system security incident in respect of the system; or
  (b) makes any information provided in respect of the system for compliance with a requirement imposed under section 16 no longer accurate in a material particular.
(4) A CI operator commits an offence if the operator fails to comply with subsection (1).
(5) A CI operator that commits an offence under subsection (4) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

23. Obligation to submit and implement computer-system security management plan
(1) A CI operator must submit to the regulating authority that regulates the operator a plan (however described), prepared in accordance with subsection (3), for protecting the computer-system security of the critical computer systems of the critical infrastructure operated by the operator (computer-system security management plan)—
  (a) subject to paragraph (b), within 3 months after the operator’s designation date (submission period); or
  (b) if the submission period is extended under subsection (2)—within the period so extended.
(2) The regulating authority may, on application by the CI operator, extend the submission period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
(3) A computer-system security management plan must cover all of the matters specified in Schedule 3.
(4) If there is any revision to a computer-system security management plan after it is submitted, the CI operator must submit the revised plan to the regulating authority that regulates the operator within 1 month after the date on which the revision is made.
(5) A CI operator must implement a computer-system security management plan.
(6) In subsections (3), (4) and (5), a reference to a computer-system security management plan includes such a plan that is revised.
(7) A CI operator commits an offence if the operator fails to comply with subsection (1) or (4).
(8) A CI operator that commits an offence under subsection (7) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

24. Obligation to conduct computer-system security risk assessments
(1) A CI operator must—
  (a) conduct, in accordance with subsection (3), an assessment in respect of the risks relating to the computer-system security of the critical computer systems of the critical infrastructure operated by the operator (computer-system security risk assessment)—
    (i) for the first computer-system security risk assessment conducted by the operator—within 12 months after the operator’s designation date (first period); and
    (ii) for any subsequent computer-system security risk assessment—at least once every 12 months after the expiry of the first period; and
  (b) submit to the regulating authority that regulates the operator a report for the assessment—
    (i) subject to subparagraph (ii), within 3 months after the expiry of the period within which the assessment is required under paragraph (a) to be conducted; or
    (ii) if the 3-month period mentioned in subparagraph (i) (submission period) is extended under subsection (2)—within the period so extended.
(2) The regulating authority may, on application by the CI operator, extend the submission period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
(3) A computer-system security risk assessment conducted for compliance with subsection (1) must cover all of the matters specified in Schedule 4 (Schedule 4 matters).
(4) Subsection (5) applies if a regulating authority—
  (a) receives a notification from a CI operator under section 22(1); or
  (b) otherwise becomes aware that any of the events specified in section 22(2) has occurred in respect of a critical infrastructure operated by a CI operator.
(5) The regulating authority may, by written notice, require the CI operator—
  (a) to conduct a computer-system security risk assessment in respect of all of the critical computer systems of the critical infrastructure, or any part of such systems specified in the notice; and
  (b) to submit to the authority a report for the assessment within the time specified in the notice.
(6) A notice given under subsection (5) must specify the matters that the computer-system security risk assessment required to be conducted has to cover (including any Schedule 4 matters).
(7) To avoid doubt, a computer-system security risk assessment that a CI operator is required to conduct under subsection (5) is not to be regarded as a computer-system security risk assessment for the purposes of subsection (1) unless the regulating authority specifies otherwise in the notice given under subsection (5).
(8) A CI operator commits an offence if the operator fails to comply with subsection (1) or a requirement imposed under subsection (5).
(9) A CI operator that commits an offence under subsection (8) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

25. 25. Obligation to arrange to carry out computer-system security


(1) audits
(a) (1) A CI operator must—
(3) ( (a) arrange to carry out, in accordance with subsection
) (3), an audit in respect of the computer-system
(i) security of the critical computer systems of the
24 ( ) critical infrastructure operated by the operator
(computer-system security audit)—
(ii) (i) for the first computer-system security audit
24 arranged to be carried out—within 24 months
after the operator’s designation date (first
(b) period); and
(ii) for any subsequent computer-system security
(i) ( (ii) ) (a) audit—at least once every 24 months after the
3 expiry of the first period; and
(ii) (i) 3 ( ) (b) submit to the regulating authority that regulates the
(2) operator a report for the audit—
(2) (i) subject to subparagraph (ii), within 3 months
after the expiry of the period within which the
audit is required under paragraph (a) to be
carried out; or
(ii) if the 3-month period mentioned in
subparagraph (i) (submission period) is extended
under subsection (2)—within the period so
extended.
(2) The regulating authority may, on application by the CI
operator, extend the submission period if the authority is
satisfied that the operator has reasonable grounds for
needing such an extension.
( ) Protection of Critical Infrastructures (Computer Systems) Bill

4 2 Part 4—Division 2
C2962 25 Clause 25 C2963

(3) A computer-system security audit carried out for compliance with subsection (1) must—
  (a) cover the specified period; and
  (b) cover all of the matters specified in Schedule 5 (Schedule 5 matters).

(4) If a regulating authority has reasonable grounds to believe that a CI operator regulated by the authority has not properly implemented a computer-system security management plan (including such a plan that is revised) in respect of a critical infrastructure operated by the operator to the satisfaction of the authority, the authority may, by written notice, require the operator—
  (a) to arrange to carry out a computer-system security audit for ascertaining whether the plan, or any part of the plan specified in the notice, is properly implemented; and
  (b) to submit to the authority a report for the audit within the time specified in the notice.

(5) Subsection (6) applies if a regulating authority—
  (a) receives a notification from a CI operator under section 22(1); or
  (b) otherwise becomes aware that any of the events specified in section 22(2) has occurred in respect of a critical infrastructure operated by a CI operator.

(6) The regulating authority may, by written notice, require the CI operator—
  (a) to arrange to carry out a computer-system security audit in respect of all of the critical computer systems of the critical infrastructure, or any part of such systems specified in the notice; and
  (b) to submit to the authority a report for the audit within the time specified in the notice.

(7) A notice given under subsection (4) or (6) must specify—
  (a) the period that the computer-system security audit required to be carried out has to cover; and
  (b) the matters that the audit has to cover (including any Schedule 5 matters).

(8) For the purposes of this section, a computer-system security audit is not to be regarded as carried out unless it is carried out by an independent auditor.

(9) To avoid doubt, a computer-system security audit that a CI operator is required to arrange to be carried out under subsection (4) or (6) is not to be regarded as a computer-system security audit for the purposes of subsection (1) unless the regulating authority specifies otherwise in the notice given under subsection (4) or (6).

(10) A CI operator commits an offence if the operator fails to comply with subsection (1) or a requirement imposed under subsection (4) or (6).

(11) A CI operator that commits an offence under subsection (10) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

(12) In this section—
specified period—
  (a) in relation to a computer-system security audit that falls within subsection (1)(a)(i)—means the first period; or
  (b) in relation to a computer-system security audit that falls within subsection (1)(a)(ii)—means the 24-month period for carrying out the audit as determined in accordance with that subsection.

Division 3—Obligations relating to Incident Reporting and Response
26. Obligation to participate in computer-system security drill

(1) The Commissioner may conduct a drill (however described) for testing the state of readiness of CI operators in responding to computer-system security incidents in respect of the critical computer systems of critical infrastructures (computer-system security drill).

(2) For the purposes of subsection (1), the Commissioner may, after giving reasonable notice in writing, require a CI operator to participate in a computer-system security drill.

(3) A CI operator commits an offence if the operator fails to comply with a requirement imposed under subsection (2).

(4) A CI operator that commits an offence under subsection (3) is liable—
  (a) on summary conviction—to a fine of $3,000,000; or
  (b) on conviction on indictment—to a fine of $5,000,000.

27. Obligation to submit and implement emergency response plan

(1) A CI operator must submit to the Commissioner a plan (however described), prepared in accordance with subsection (3), detailing the protocol for the operator's response to computer-system security incidents in respect of the critical computer systems of critical infrastructures (emergency response plan)—
  (a) subject to paragraph (b), within 3 months after the operator's designation date (submission period); or
  (b) if the submission period is extended under subsection (2)—within the period so extended.

(2) The Commissioner may, on application by the CI operator, extend the submission period if the Commissioner is satisfied that the operator has reasonable grounds for needing such an extension.

(3) An emergency response plan must cover all of the matters specified in Part 2 of Schedule 3.

(4) If there is any revision to an emergency response plan after it is submitted, the CI operator must submit the revised plan to the Commissioner within 1 month after the date on which the revision is made.

(5) A CI operator must implement an emergency response plan.

(6) In subsections (3), (4) and (5), a reference to an emergency response plan includes such a plan that is revised.

(7) A CI operator commits an offence if the operator fails to comply with subsection (1) or (4).

(8) A CI operator that commits an offence under subsection (7) is liable—
  (a) on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
  (b) on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.

28. Obligation to notify computer-system security incidents

(1) If a CI operator becomes aware that a computer-system security incident has occurred in respect of a critical computer system of a critical infrastructure operated by the operator, the operator must notify the Commissioner of the incident in accordance with subsection (2).

(2) The notification—
  (a) must be made as soon as practicable and in any event within the specified time; and
  (b) must—
    (i) be made in the form and way specified under section 10 (specified form and way); or
    (ii) despite not being made in the specified form and way, include information on the nature of the computer-system security incident and identify the critical computer system concerned.

(3) If the notification is not made in the specified form and way, the CI operator must subsequently submit a written record of the computer-system security incident concerned in the specified form and way to the Commissioner within the specified time.

(4) After a CI operator makes a notification of a computer-system security incident under subsection (1) in the specified form and way, or submits a written record of such an incident under subsection (3), the CI operator must further submit a written report of the incident in the specified form and way to the Commissioner within the specified time.

(5) A CI operator commits an offence if the operator fails to comply with subsection (1), (3) or (4).

(6) A CI operator that commits an offence under subsection (5) is liable—
  (a) on summary conviction—to a fine of $3,000,000; or
  (b) on conviction on indictment—to a fine of $5,000,000.

(7) In this section—
specified time, in relation to a provision of this section specified in column 2 of Schedule 6, means the time specified in column 3 of that Schedule opposite the provision.
Part 5
Responding to Computer-system Security Threats and Computer-system Security Incidents

Division 1—Early Intervention

29. Commissioner may direct inquiries to identify computer-system security threats and computer-system security incidents

If the Commissioner reasonably suspects that an event that has an actual adverse effect, or is likely to have an adverse effect, on the computer-system security of a critical computer system of a critical infrastructure has occurred, the Commissioner may direct an authorized officer of the Commissioner to make inquiries for the purpose of identifying—
  (a) what caused the event; and
  (b) whether a computer-system security threat or a computer-system security incident has occurred in respect of the system.

30. Powers of authorized officers of Commissioner in making inquiries

(1) For making inquiries under section 29, an authorized officer of the Commissioner may, by written notice, require the CI operator by which the critical infrastructure concerned is operated—
  (a) to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
    (i) to be relevant, or likely to be relevant, to the inquiries; and
    (ii) to be in the possession, or under the control, of the operator, or otherwise accessible in or from Hong Kong by the operator;
  (b) to give an explanation or further particulars in relation to the document;
  (c) to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer; and
  (d) to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.

(2) If a document is produced for compliance with a requirement imposed under subsection (1), the authorized officer may for making the inquiries inspect, make copies of, take extracts from and take possession of the document.

31. Magistrate's warrants for entering premises for early intervention

(1) Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that—
  (a) there are reasonable grounds to suspect that there is, or is likely to be, on any premises any document that is relevant to inquiries made under section 30; and
  (b) both of the conditions specified in section 32 are met in relation to the inquiries.

(2) The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant—
  (a) to enter the premises, if necessary by force, at any time within—
    (i) subject to subparagraph (ii), a period of 7 days; or
    (ii) if any longer period is specified in the warrant—such a period,
  beginning on the date of the warrant; and
  (b) to search for, inspect, make copies of, take extracts from, seize and remove any document on the premises that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the inquiries.

32. Conditions for issuing warrants

For the purposes of section 31(1)(b), the conditions are that—
  (a) there are reasonable grounds to believe that the CI operator concerned is unwilling or unable to take all reasonable steps to respond to the inquiries; and
  (b) there are reasonable grounds to believe that it is in the public interest to issue the warrant, having regard to—
    (i) the potential harm that could be caused by the event mentioned in section 29 to the critical infrastructure concerned;
    (ii) the potential disruption that could be caused by the event to the core function of the infrastructure;
    (iii) whether or not the purpose mentioned in section 29 could be effectively achieved if the warrant is not issued;
    (iv) the benefits likely to accrue from doing the acts to be authorized by the warrant; and
    (v) the potential impact of doing the acts on the core function of the infrastructure and on any person who may be affected by the acts.

Division 2—Computer-system Security Investigations

33. Interpretation

In this Division—
computer-system security investigation means an investigation carried out under section 34 and includes any response made under that section;
investigated CI operator, in relation to a computer-system security investigation, means the CI operator that is the subject of the investigation;
investigated system, in relation to a computer-system security investigation, means the critical computer system in respect of which the investigated threat or incident has occurred;
investigated threat or incident, in relation to a computer-system security investigation, means the computer-system security threat or computer-system security incident that is the subject of the investigation.

34. Commissioner may direct investigations to be carried out in relation to computer-system security threats or computer-system security incidents

If the Commissioner reasonably suspects that a computer-system security threat or computer-system security incident has occurred in respect of a critical computer system of a critical infrastructure, the Commissioner may direct an authorized officer of the Commissioner to carry out an investigation into, and to respond to, the threat or incident for the following purposes—
  (a) identifying what caused the threat or incident;
  (b) assessing the impact, or potential impact, of the threat or incident;
  (c) remedying any harm that has arisen from the threat or incident;
  (d) preventing any, or any further, harm from arising from the threat or incident;
  (e) preventing any, or any further, computer-system security incident from arising from the threat or incident.

35. Powers of authorized officers of Commissioner in investigations

(1) For carrying out a computer-system security investigation, an authorized officer of the Commissioner may, by written notice, require the investigated CI operator to do one or more of the following acts—
  (a) to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
    (i) to be relevant, or likely to be relevant, to the investigation; and
    (ii) to be in the possession, or under the control, of the operator, or otherwise accessible in or from Hong Kong by the operator;
  (b) to give an explanation or further particulars in relation to the document;
  (c) to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
  (d) to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.

(2) If a document is produced for compliance with a requirement imposed under subsection (1), the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.

36. Additional power of authorized officer of Commissioner

(1) Without limiting section 35, for carrying out a computer-system security investigation, the Commissioner may further authorize an authorized officer of the Commissioner to exercise the power specified in subsection (2) if the Commissioner is satisfied that—
  (a) there are reasonable grounds to believe that the investigated CI operator is unwilling or unable to take all reasonable steps to assist in the investigation or respond to the investigated threat or incident; and
  (b) there are reasonable grounds to believe that it is in the public interest to make the further authorization, having regard to—
    (i) the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
    (ii) the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
    (iii) whether or not the purposes mentioned in section 34 could be effectively achieved if the further authorization is not made;
    (iv) the benefits likely to accrue from exercising the power; and
    (v) the potential impact of exercising the power on the core function of the infrastructure and on the operator.

(2) For the purposes of subsection (1), the power is to, by written notice, require the investigated CI operator to do one or more of the following acts—
  (a) not to use the investigated system;
  (b) to preserve the state of the system;
  (c) to monitor the system;
  (d) to perform a scan of the system in order to—
    (i) detect any vulnerabilities of the system; and
    (ii) assess the impact of the investigated threat or incident or of a potential computer-system security incident in respect of the system;
  (e) to carry out any remedial measures, or to cease carrying on any activities, in relation to the investigated threat or incident;
  (f) to give the authorized officer all other assistance in connection with the computer-system security investigation that the operator is reasonably able to give.
37. Magistrate's warrants for imposing requirements on organizations other than investigated CI operators

(1) Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that both of the conditions specified in section 39 are met in relation to a computer-system security investigation.

(2) The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant, to require by written notice, for carrying out the computer-system security investigation, an organization having, or appearing to have, control over the investigated system (other than the investigated CI operator) to do one or more of the following acts—
  (a) to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
    (i) to be relevant, or likely to be relevant, to the investigation; and
    (ii) to be in the possession, or under the control, of the organization, or otherwise accessible in or from Hong Kong by the organization;
  (b) to give an explanation or further particulars in relation to the document;
  (c) to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
  (d) to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer;
  (e) not to use the system;
  (f) to preserve the state of the system;
  (g) to monitor the system;
  (h) to perform a scan of the system in order to—
    (i) detect any vulnerabilities of the system; and
    (ii) assess the impact of the investigated threat or incident or of a potential computer-system security incident in respect of the system;
  (i) to carry out any remedial measures, or to cease carrying on any activities, in relation to the threat or incident;
  (j) to give the officer all other assistance in connection with the investigation that the organization is reasonably able to give.

(3) If a document is produced for compliance with a requirement imposed under the warrant, the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.

38. Magistrate's warrants for entering premises for computer-system security investigations

(1) Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that—
  (a) there are reasonable grounds to suspect that—
    (i) there is, or is likely to be, on any premises anything that is relevant to a computer-system security investigation; or
    (ii) the investigated system of a computer-system security investigation is, or is likely to be, located on certain premises; and
  (b) both of the conditions specified in section 39 are met in relation to the investigation.

(2) The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant, to do one or more of the following acts for carrying out the computer-system security investigation—
  (a) to enter the premises, if necessary by force, at any time within—
    (i) subject to subparagraph (ii), a period of 7 days; or
    (ii) if any longer period is specified in the warrant—such a period,
  beginning on the date of the warrant;
  (b) to search for, inspect, make copies of, take extracts from, seize and remove anything on the premises that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
  (c) to, for the purposes mentioned in section 34, access and inspect, and carry out any remedial measures in relation to, the investigated system or another computer system (accessible system)—
    (i) that is accessible via the investigated system; and
    (ii) that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
  (d) to search for, inspect, make copies of and take extracts from any information—
    (i) that is stored in the investigated system or an accessible system; and
    (ii) that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
  (e) to carry out any other remedial measures in relation to the threat or incident;
  (f) to require an organization having, or appearing to have, control over the investigated system to give all other assistance—
    (i) that is reasonably necessary to facilitate the officer's performance of functions for the investigation; and
    (ii) that the organization is reasonably able to give.

39. Conditions for issuing warrants

For the purposes of sections 37(1) and 38(1)(b), the conditions are that—
  (a) there are reasonable grounds to believe that—
    (i) for section 37(1)—the investigated CI operator is unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident; or
    (ii) for section 38(1)(b)—
      (A) the investigated CI operator;
      (B) the organization mentioned in section 37(2); or
      (C) both the investigated CI operator and the organization mentioned in section 37(2),
    as the case requires, is or are unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident; and
  (b) there are reasonable grounds to believe that it is in the public interest to issue the warrant, having regard to—
    (i) the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
    (ii) the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
    (iii) whether or not the purposes mentioned in section 34 could be effectively achieved if the warrant is not issued;
    (iv) the benefits likely to accrue from doing the acts to be authorized by the warrant; and
    (v) the potential impact of doing the acts on the core function of the infrastructure and on any person who may be affected by the acts.

40. Power of entry in emergencies

(1) For carrying out a computer-system security investigation, the Commissioner may, if satisfied that all of the conditions specified in subsection (2) are met in relation to the investigation, authorize an authorized officer of the Commissioner to enter any premises and do one or more of the acts specified in section 38(2) (other than the act specified in section 38(2)(a)) (specified acts) without warrant.

(2) For the purposes of subsection (1), the conditions are that—
  (a) there are reasonable grounds to suspect that—
    (i) there is, or is likely to be, on the premises anything that is relevant to the computer-system security investigation; or
    (ii) the investigated system is, or is likely to be, located on the premises;
  (b) there are reasonable grounds to believe that—
    (i) the investigated CI operator;
    (ii) the organization mentioned in section 37(2); or
    (iii) both the investigated CI operator and the organization mentioned in section 37(2),
  as the case requires, is or are unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident;
  (c) it is not reasonably practicable to obtain a warrant in the circumstances of the case; and
  (d) there are reasonable grounds to believe that it is in the public interest to make the entry and do the specified acts, having regard to—
    (i) the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
    (ii) the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
    (iii) whether or not the purposes mentioned in section 34 could be effectively achieved if the entry is not made and the acts are not done;
    (iv) the benefits likely to accrue from making the entry and doing the acts; and
    (v) the potential impact of making the entry and doing the acts on the core function of the infrastructure and on any person who may be affected by the entry and acts.

(3) The authorized officer entering the premises must, if requested, produce the Commissioner's authorization for inspection.

Division 3—Supplementary Provisions

41. Use of incriminating evidence in proceedings after early interventions and computer-system security investigations

(1) If a person is to give an explanation or further particulars to an authorized officer, or to answer a question posed by such an officer, for compliance with a specified requirement, the officer must ensure that the person has first been informed or reminded of the limitations imposed by subsection (2) on the admissibility in evidence of the requirement and of the explanation or particulars, or the question and answer.

(2) Despite any other provision in this Ordinance, if—
  (a) a person gives an explanation or further particulars to an authorized officer, or answers a question posed by such an officer, for compliance with a specified requirement;
  (b) the explanation, particulars or answer might tend to incriminate the person; and
  (c) the person claims, before giving the explanation or particulars, or answering the question, that the explanation, particulars or answer might so tend,
the requirement, as well as the explanation or particulars, or the question and answer, are not admissible in evidence against the person in criminal proceedings in a court other than those specified in subsection (3).

(3) The criminal proceedings are those in which the person is charged with—
  (a) an offence under section 42; or
  (b) an offence under Part V of the Crimes Ordinance (Cap. 200).

(4) In this section—
section 37 or 38 warrant means a warrant issued under section 37 or 38;
specified requirement means a requirement—
  (a) imposed under Division 1 or 2; or
  (b) imposed under a section 37 or 38 warrant.

42. Offences relating to Divisions 1 and 2 of Part 5

(1) An organization commits an offence if the organization, without reasonable excuse, fails to comply with a specified requirement.

(2) For the purposes of subsection (1), the fact that complying with a specified requirement might tend to result in self-incrimination is not an excuse not to comply with the requirement.

(3) An organization that commits an offence under subsection (1) is liable—
  (a) on summary conviction—to a fine of $300,000; or
  (b) on conviction on indictment—to a fine of $500,000.

(4) In this section—
section 37 or 38 warrant means a warrant issued under section 37 or 38;
specified requirement means a requirement—
  (a) imposed under Division 1 or 2; or
  (b) imposed under a section 37 or 38 warrant.

Part 6
Investigation of Offences

43. Regulating authorities may direct offences to be investigated

(1) Subsection (2) applies if a regulating authority reasonably suspects—
  (a) if the authority is the Commissioner—that an offence under this Ordinance has been, or is being, committed; or
  (b) if the authority is a designated authority—that any of the following offences has been, or is being, committed—
    (i) an offence under section 7 for a failure to comply with a direction given by the authority;
    (ii) an offence under section 18 for a failure to comply with a requirement imposed by the authority;
    (iii) an offence under Division 1 or 2 of Part 4 for a failure to comply with a category 1 obligation or category 2 obligation by a CI operator regulated by the authority.

(2) The regulating authority may direct an authorized officer of the authority to carry out an investigation into the offence and, for this purpose, to require by written notice an organization to do one or more of the following acts—
  (a) to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
    (i) to be relevant, or likely to be relevant, to the investigation; and
    (ii) to be in the possession, or under the control, of the organization, or otherwise accessible in or from Hong Kong by the organization;
  (b) to give an explanation or further particulars in relation to the document;
  (c) to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
  (d) to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.

(3) If a document is produced for compliance with a requirement imposed under subsection (2), the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.

44. Use of incriminating evidence in proceedings after investigations
(1) If a person is to give an explanation or further particulars to an authorized officer, or to answer a question posed by such an officer, for compliance with a requirement imposed under section 43, the officer must ensure that the person has first been informed or reminded of the limitations imposed by subsection (2) on the admissibility in evidence of the requirement and of the explanation or particulars, or the question and answer.
(2) Despite any other provision in this Ordinance, if—
  (a) a person gives an explanation or further particulars to an authorized officer, or answers a question posed by such an officer, for compliance with a requirement imposed under section 43;
  (b) the explanation, particulars or answer might tend to incriminate the person; and
  (c) the person claims, before giving the explanation or particulars, or answering the question, that the explanation, particulars or answer might so tend,
the requirement, as well as the explanation or particulars, or the question and answer, are not admissible in evidence against the person in criminal proceedings in a court other than those specified in subsection (3).
(3) The criminal proceedings are those in which the person is charged with—
  (a) an offence under section 45; or
  (b) an offence under Part V of the Crimes Ordinance (Cap. 200).

45. Offence relating to section 43
(1) An organization commits an offence if the organization, without reasonable excuse, fails to comply with a requirement imposed under section 43.
(2) For the purposes of subsection (1), the fact that complying with a requirement imposed under section 43 might tend to result in self-incrimination is not an excuse not to comply with the requirement.
(3) An organization that commits an offence under subsection (1) is liable—
  (a) on summary conviction—to a fine of $300,000; or
  (b) on conviction on indictment—to a fine of $500,000.

46. Magistrate’s warrants for entering premises or accessing electronic devices for investigations into offences
(1) Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of a regulating authority that there are reasonable grounds to suspect that there is, or is likely to be, anything—
  (a) that—
    (i) is located on any premises; or
    (ii) is stored in, or accessible via, any electronic device; and
  (b) that is or contains, or is likely to be or to contain, evidence of an offence being investigated under this Part (investigated offence).
(2) The magistrate may issue a warrant authorizing an authorized officer of the regulating authority, and any other person whose assistance is necessary for the execution of the warrant, to do one or more of the following acts for carrying out the investigation—
  (a) in relation to premises—
    (i) to enter the premises, if necessary by force;
    (ii) to search for, inspect, seize and remove anything on the premises that the officer has reasonable grounds to believe is or contains, or is likely to be or to contain, evidence of the investigated offence;
  (b) in relation to an electronic device—
    (i) to access and inspect the device;
    (ii) to search for, inspect, make copies of and take extracts from any information—
      (A) that is stored in, or accessible via, the device; and
      (B) that the officer has reasonable grounds to believe is or contains, or is likely to be or to contain, evidence of the investigated offence.
(3) The acts specified in subsection (2) may only be done at any time within—
  (a) subject to paragraph (b), a period of 7 days; or
  (b) if any longer period is specified in the warrant—such a period,
beginning on the date of the warrant concerned.

Part 7
Appeals

47. Appeal panel
(1) For handling appeals under this Part, there is to be an appeal panel.
(2) Part 2 of Schedule 7 has effect with respect to the appeal panel.

48. Appeals against decisions
(1) An organization aggrieved by any of the following decisions made in relation to the organization may lodge an appeal against the decision—
  (a) a decision to give a direction under section 7;
  (b) a decision to make a designation under section 12;
  (c) a decision to make a designation under section 13;
  (d) a decision to impose a requirement under section 24(5);
  (e) a decision to impose a requirement under section 25(4) or (6).
(2) Part 3 of Schedule 7 has effect with respect to the appeal.
(3) Subject to subsections (4) and (5), the lodging of an appeal under subsection (1) against a decision does not by itself operate as a stay of execution of the decision.
(4) An organization that lodges an appeal under subsection (1) against a decision may, at any time before the appeal is determined by the appeal board appointed for the appeal, apply to the board for a stay of execution of the decision.
(5) The appeal board must, as soon as reasonably practicable after receiving an application under subsection (4), determine the application.
(6) The appeal board may by order grant the stay subject to any condition as to costs, payment of money into the board or other matters that the board considers appropriate.

49. Decisions of appeal board
(1) An appeal board appointed for an appeal may—
  (a) confirm, vary or reverse any decision to which the appeal relates; or
  (b) give any direction in relation to the decision as the board considers appropriate.
(2) The appeal board must give reasons in writing for its decision.
(3) The appeal board must serve a copy of its decision and of the reasons for its decision on the parties to the appeal.
(4) The appeal board’s decision takes effect—
  (a) subject to paragraph (b), immediately after the decision is made; or
  (b) if the board orders that its decision is not to come into operation until a specified date—on that date.
(5) A document purporting to be a copy of a decision or order of the appeal board and to be certified by the chairperson of the board to be a true copy of the decision or order is admissible in any proceedings as evidence of the decision or order.
(6) The decision of the appeal board is final.

Part 8
Miscellaneous

50. Appointment of authorized officers by Commissioner
(1) The Commissioner may, in writing, appoint a public officer to perform any function conferred or imposed by this Ordinance on an authorized officer of the Commissioner.
(2) The Commissioner must provide the appointed authorized officer with a copy of the appointment.
(3) The Commissioner may perform a function mentioned in subsection (1) as if the Commissioner were an authorized officer appointed under that subsection.

51. Appointment of authorized officers by designated authority
(1) A designated authority may, in writing, appoint—
  (a) a public officer;
  (b) a person employed—
    (i) by the authority; or
    (ii) otherwise in connection with the authority’s performance of a function under this Ordinance; or
  (c) with the consent of the Secretary for Security, any other person or class of persons,
to perform any function conferred or imposed by this Ordinance on an authorized officer of the authority.
(2) The designated authority must provide the appointed authorized officer with a copy of the appointment.
(3) A designated authority may perform a function mentioned in subsection (1) as if the authority were an authorized officer appointed under that subsection.

52. Delegation of functions by Commissioner and designated authorities
(1) The Commissioner may, in writing, delegate to a public officer any of the Commissioner’s functions under this Ordinance.
(2) A designated authority may, in writing, delegate to—
  (a) a public officer; or
  (b) a person employed—
    (i) by the authority; or
    (ii) otherwise in connection with the authority’s performance of a function under this Ordinance,
any of the authority’s functions under this Ordinance.
(3) However, the power to delegate conferred by subsection (1) or (2) may not be delegated.

53. Performance of functions
(1) When performing a function under this Ordinance, a specified officer—
  (a) may be assisted by any person whom the officer reasonably requires; and
  (b) must produce evidence of the officer’s appointment or delegation (as the case requires), and the relevant warrant (if any), for inspection by a person who is affected by the performance of the function and requires to see them.
(2) In this section—
specified officer means—
  (a) an authorized officer; or
  (b) a person to whom any function is delegated under section 52.

54. Commissioner may perform functions in respect of critical infrastructures and CI operators regulated by designated authorities if necessary
(1) Any function that may be performed under a provision of this Ordinance by a designated authority in respect of a critical infrastructure that is a specified critical infrastructure for the authority, or a CI operator regulated by the authority, may be performed by the Commissioner as if the Commissioner were the designated authority.
(2) However, the Commissioner must not perform the function unless the Commissioner is satisfied that—
  (a) it is necessary to do so for the timely protection of the critical computer systems of the critical infrastructure concerned; or
  (b) it is otherwise necessary in the public interest to do so.

55. Commissioner may exempt CI operators
(1) The Commissioner may, by written notice (exemption notice), exempt a CI operator from a category 1 obligation, category 2 obligation or category 3 obligation (subject obligation) if the Commissioner is satisfied that it is in the public interest to so exempt the operator.
(2) An exemption notice is not subsidiary legislation.
(3) In considering whether it is in the public interest to exempt a CI operator under subsection (1), the Commissioner may take into account—
  (a) whether the operator has done, or is doing, an act that can achieve the same purpose as the compliance with the subject obligation; and
  (b) whether—
    (i) the operator is subject to an obligation (alternative obligation) that—
      (A) is imposed by or under another Ordinance, or any code of practice, direction or requirement (however described); and
      (B) corresponds substantially to the subject obligation; and
    (ii) the operator’s compliance with the alternative obligation achieves the same purpose as the compliance with the subject obligation.
(4) An exemption under subsection (1)—
  (a) is in force for a period the Commissioner considers appropriate and specifies in the exemption notice; and
  (b) is subject to any condition the Commissioner considers appropriate.
(5) The Commissioner may, by written notice (revocation notice), revoke an exemption under subsection (1) if the Commissioner is satisfied that—
  (a) a condition of the exemption has been contravened; or
  (b) it is no longer in the public interest to exempt the CI operator concerned under that subsection.
(6) A revocation notice is not subsidiary legislation.
(7) If an exemption is revoked under subsection (5)—
  (a) the Commissioner must specify in the revocation notice—
    (i) the date on which the revocation is to take effect (revocation date); and
    (ii) (if applicable) how and by when the CI operator is to comply with the obligation covered by the exemption; and
  (b) the provision imposing the obligation is to apply, on and after the revocation date, to the operator with necessary modifications having regard to the revocation notice.
(8) The Commissioner may, by written notice, require a CI operator to provide any information the Commissioner reasonably considers necessary for considering whether to exempt the operator under subsection (1) or whether to revoke such an exemption under subsection (5).
(9) A CI operator to whom a notice is given under subsection (8) must provide the information concerned within the time, and in the form and way, specified in the notice.

56. Designated authorities may prosecute offences
(1) A designated authority may prosecute any of the following offences in the name of the authority—
  (a) an offence under section 7 for a failure to comply with a direction given by the authority;
  (b) an offence under section 18 for a failure to comply with a requirement imposed by the authority;
  (c) an offence under Division 1 or 2 of Part 4 for a failure to comply with a category 1 obligation or category 2 obligation by a CI operator regulated by the authority;
  (d) an offence under section 45 for a failure to comply with a requirement imposed by an authorized officer of the authority;
  (e) an offence of conspiracy to commit an offence mentioned in paragraph (a), (b), (c) or (d).
(2) Any offence prosecuted under subsection (1) must be tried before a magistrate as an offence that is triable summarily.
(3) For prosecuting an offence mentioned in subsection (1) only, an authorized officer of the designated authority concerned, even if the officer is not qualified to practise as a barrister or to act as a solicitor under the Legal Practitioners Ordinance (Cap. 159)—
  (a) may appear and plead before a magistrate in any case of which the officer has charge; and
  (b) has, in relation to the prosecution, all the other rights of a person qualified to practise as a barrister or to act as a solicitor under that Ordinance.
(4) This section does not derogate from the powers of the Secretary for Justice in respect of the prosecution of criminal offences.

57. Preservation of secrecy
(1) Except in the performance of any function under this Ordinance or for carrying into effect the provisions of this Ordinance, a specified person—
  (a) must not suffer or permit any person to have access to any matter relating to the affairs of any person that comes to the specified person’s knowledge in connection with the performance of any function under this Ordinance; and
  (b) must not communicate any such matter to any person other than the person to whom such matter relates.
(2) Despite subsection (1), a specified person may—
  (a) disclose information that has already been made available to the public;
  (b) disclose information for the purposes of any criminal proceedings in Hong Kong or an investigation conducted with a view to bringing any such proceedings;
  (c) disclose information for seeking advice from, or giving advice by, any counsel, solicitor or other professional adviser, acting or proposing to act in a professional capacity in connection with any matter arising under this Ordinance;
  (d) disclose information in connection with any judicial or other proceedings to which the specified person is a party; and
  (e) disclose information in accordance with an order of a court or tribunal, or in accordance with a law or a requirement made under a law.
(3) Despite subsection (1), a regulating authority may—
  (a) subject to subsection (4), disclose information to—
    (i) the Chief Executive;
    (ii) the Chief Secretary for Administration;
    (iii) the Financial Secretary;
    (iv) the Secretary for Justice;
    (v) the Secretary for Security;
    (vi) the Commissioner of Police of Hong Kong;
    (vii) the Commissioner of the Independent Commission Against Corruption;
    (viii) the Privacy Commissioner for Personal Data established under section 5(1) of the Personal Data (Privacy) Ordinance (Cap. 486);
    (ix) a tribunal; or
    (x) a public officer authorized under subsection (9);
  (b) disclose information with the consent of—
    (i) the person from whom the information was obtained or received; and
    (ii) if the information does not relate to such person—the person to whom it relates; and
  (c) disclose information in summary form that is so framed as to prevent particulars relating to any person from being ascertained from it.
(4) A regulating authority must not disclose information under subsection (3)(a) unless the authority is of the opinion that—
  (a) the disclosure will enable or assist the recipient of the information to perform the recipient’s functions; and
  (b) it is not contrary to the public interest for the information to be so disclosed.
(5) Subject to subsection (6), if information is disclosed under subsection (1), (2) or (3) (other than subsection (2)(a) or (3)(c))—
  (a) the person to whom the information is so disclosed; or
  (b) any other person obtaining or receiving the information from that person,
must not disclose the information to any other person.
(6) Subsection (5) does not prohibit the person referred to in subsection (5)(a) or (b) from disclosing the information to any other person if—
  (a) the regulating authority disclosing the information consents to the disclosure;
  (b) the information has already been made available to the public;
  (c) the disclosure is for the purpose of seeking advice from, or giving advice by, any counsel, solicitor or other professional adviser, acting or proposing to act in a professional capacity in connection with any matter arising under this Ordinance;
  (d) the disclosure is in connection with any judicial or other proceedings to which the person so referred to is a party; or
  (e) the disclosure is in accordance with an order of a court or tribunal, or in accordance with a law or a requirement made under a law.
(7) A regulating authority may attach any condition that it considers appropriate to—
  (a) a disclosure of information made by it under subsection (3); or
  (b) a consent granted by it under subsection (6)(a).
(8) Subsection (1) does not affect section 13(3) of The Ombudsman Ordinance (Cap. 397) or section 44(8) of the Personal Data (Privacy) Ordinance (Cap. 486).
(9) The Secretary for Security may authorize any public officer as a person to whom information may be disclosed under subsection (3)(a)(x).
(10) In this section—
related person, in relation to a regulating authority, means—
  (a) a person employed—
    (i) by the authority; or
    (ii) otherwise in connection with the authority’s performance of a function under this Ordinance; or
  (b) a person appointed—
    (i) as a consultant, agent or adviser of the authority for this Ordinance; or
    (ii) otherwise in connection with the authority’s performance of a function under this Ordinance;
specified person means a person who is or has been—
  (a) a regulating authority;
  (b) an authorized officer;
  (c) a person to whom any function is delegated under section 52(1) or (2);
  (d) a member of—
    (i) a regulating authority;
    (ii) the appeal panel; or
    (iii) a council, board, committee or other body of a regulating authority established or vested with any responsibility for, or otherwise in connection with the authority’s performance of a function under, this Ordinance;
  (e) a related person of a regulating authority; or
  (f) a person employed by or assisting a related person of a regulating authority.

58. Offences relating to section 57
(1) A person who contravenes section 57(1) commits an offence.
(2) A person commits an offence if—
  (a) the person discloses any information in contravention of section 57(5); and
  (b) at the time of the disclosure—
    (i) the person knew, or ought to have known, that the information was previously disclosed to the person or any other person under section 57(1), (2) or (3) (other than section 57(2)(a) or (3)(c)); and
    (ii) the person had no reasonable grounds to believe that section 57(5) did not apply to the person by virtue of section 57(6).
(3) A person who commits an offence under subsection (1) or (2) is liable—
  (a) on summary conviction—to a fine at level 6 and to imprisonment for 6 months; or
  (b) on conviction on indictment—to a fine of $1,000,000 and to imprisonment for 2 years.

59. Protection of informers
(1) Any information on the identity of a relevant person is not admissible in evidence in—
  (a) any proceedings under Part 7;
  (b) any civil or criminal proceedings before a court; or
  (c) any proceedings before a tribunal.
(2) In such proceedings, a witness is not obliged—
  (a) to disclose the name or address of a relevant person who is not a witness in those proceedings; or
  (b) to state any matter that would lead, or would tend to lead, to discovery of the name or address of a relevant person who is not a witness in those proceedings.
(3) If a book, document or paper that is in evidence, or liable to inspection, in such proceedings contains an entry—
  (a) in which a relevant person is named or described; or
  (b) that might lead to discovery of a relevant person,
the appeal board, court or tribunal (as the case requires) must cause all such passages to be concealed from view, or to be obliterated, so far as may be necessary to protect the relevant person from discovery.
(4) In such proceedings, the appeal board, court or tribunal (as the case requires) may, despite subsection (1), (2) or (3), permit inquiry, and require full disclosure, concerning a relevant person if—
  (a) it is of the opinion that justice cannot be fully done between the parties to the proceedings without disclosure of the name of the relevant person; or
  (b) in the case of a relevant person falling within paragraph (a) of the definition of relevant person in subsection (5), it is satisfied that the relevant person made a material statement that the relevant person—
    (i) knew or believed to be false; or
    (ii) did not believe to be true.
(5) In this section—
relevant person means—
  (a) an informer who has given information to an authorized officer with respect to an investigation under Part 5 or 6; or
  (b) a person who has assisted a regulating authority or authorized officer with respect to such an investigation.

60. Immunity
(1) A person who complies with a direction or requirement imposed by or under this Ordinance does not incur any civil liability, whether arising in contract, tort, defamation, equity or otherwise, by reason only of the compliance.
(2) A person does not incur any civil liability (whether arising in contract, tort, defamation, equity or otherwise) in respect of an act done, or omitted to be done, by the person in good faith in the performance, or purported performance, of any function under this Ordinance.
(3) Subsection (2) does not affect the liability of the Government for the act or omission.

61. Legal professional privilege
(1) Subject to subsection (2), this Ordinance does not affect any claims, rights or entitlements that would, apart from this Ordinance, arise on the ground of legal professional privilege.
(2) Subsection (1) does not affect any requirement imposed under this Ordinance to disclose the name and address of a client of a legal practitioner (whether or not the legal practitioner is qualified in Hong Kong to practise as counsel or to act as a solicitor).

62. Production of information in information systems
(1) If—
  (a) a person may require the production of any document under this Ordinance; and
  (b) any information or matter contained in the document is recorded otherwise than in a legible form but is capable of being reproduced in a legible form,
the person may also require the production of a reproduction of the recording of the information or matter, or the relevant part of the recording, in a legible form.
(2) If—
  (a) a person may require the production of any document under this Ordinance; and
  (b) any information or matter contained in the document is recorded in an information system,
the person may also require the production of a reproduction of the recording of the information or matter, or the relevant part of the recording, in a form that enables the information or matter to be reproduced in a legible form.

63. Lien claimed on documents
If a person claims a lien on any document in the person’s possession that is required to be produced under this Ordinance—
  (a) the lien does not affect the requirement to produce the document;
  (b) no fee is payable for or in respect of the production; and
  (c) the production does not affect the lien.

64. Disposal of certain property
If a regulating authority or authorized officer comes into possession of any property under this Ordinance, section 102 of the Criminal Procedure Ordinance (Cap. 221) applies as if—
  (a) the authority or officer were the police within the meaning of that section; and
  (b) the property were property that had come into the possession of the police in connection with an offence.

65. Due diligence
(1) In any legal proceedings for an offence under section 7 or Part 4, the defendant is entitled to be acquitted if—
  (a) sufficient evidence is adduced to raise an issue that—
    (i) the commission of the offence was due to a cause beyond the defendant’s control; and
    (ii) the defendant took all reasonable precautions and exercised all due diligence to avoid the commission of the offence by the defendant; and
  (b) the contrary is not proved by the prosecution beyond reasonable doubt.
(2) If the defence under subsection (1) involves an allegation that the offence was due to—
  (a) the act or omission of another person; or
  (b) reliance on information given by another person,
the defendant is not, without the leave of the court, entitled to rely on the defence unless the defendant has issued a notice in accordance with subsection (3).
(3) A notice issued for the purposes of subsection (2) must—
  (a) identify or assist in the identification of the person who committed the act or omission or gave the information; and
  (b) be issued to the person bringing the legal proceedings at least 7 working days before the hearing of the proceedings.
(4) If the defence under subsection (1) involves an allegation that the offence was due to an act or omission of another person, the defence is not established unless sufficient evidence is adduced to raise an issue that the defendant has taken all reasonable steps to secure the cooperation of that other person in complying with the provision concerned, having regard in particular to the steps which the defendant took, and those which might reasonably have been taken by the defendant, for the purpose of securing the cooperation of that other person.
(5) If the defence under subsection (1) involves an allegation that the offence was due to reliance on information given by another person, the defence is not established unless sufficient evidence is adduced to raise an issue that it was reasonable in all the circumstances for the defendant to rely on the information, having regard in particular to—
  (a) the steps which the defendant took, and those which might reasonably have been taken by the defendant, for the purpose of verifying the information; and
  (b) whether the defendant had any reason not to believe the information.

66. Reasonable excuse
(1) This section applies if a provision of this Ordinance that creates an offence makes a reference to a reasonable excuse for a contravention to which the provision relates.
(2) The reference to a reasonable excuse is to be construed as providing for a defence to a charge in respect of the contravention to which the provision relates.
(3) A defendant is to be taken to have established that the defendant had a reasonable excuse for the contravention if—
(a) sufficient evidence is adduced to raise an issue that the defendant had such a reasonable excuse; and
(b) the contrary is not proved by the prosecution beyond reasonable doubt.

67. Service of notice etc.
(1) Subject to the other provisions of this Ordinance, a notice or other document required to be given or sent (however described) (collectively served) under or for the purposes of this Ordinance is, in the absence of evidence to the contrary, so served if—
(a) for service on a regulating authority—
(i) it is delivered by hand or sent by post to the address of an office specified by the authority for the purpose;
(ii) it is sent by facsimile transmission to a facsimile number specified by the authority for the purpose; or
(iii) it is sent in the form of an electronic record to an address in an information system specified by the authority for the purpose; or
(b) for service on an organization—
(i) it is delivered by hand or sent by post to—
(A) the address provided by the organization under section 19;
(B) the address of the organization’s registered office within the meaning of the Companies Ordinance (Cap. 622); or
(C) (if neither of the addresses mentioned in sub-subparagraphs (A) and (B) is available) the organization’s last known address;
(ii) it is sent by facsimile transmission to a facsimile number specified by the organization for the purpose; or
(iii) it is sent in the form of an electronic record to an address in an information system specified by the organization for the purpose.
(2) In this section—
address includes a number, or any sequence or combination of letters, characters, numbers or symbols of any language, used for sending or receiving a document in electronic form;
electronic record has the meaning given by section 2(1) of the Electronic Transactions Ordinance (Cap. 553).

68. Certificates of designation
(1) In any legal proceedings concerning a CI operator or critical computer system, a certificate—
(a) purporting to be signed by, or on behalf of, a regulating authority; and
(b) stating that—
(i) the organization specified in the certificate is a CI operator designated by the authority under section 12; or
(ii) the computer system specified in the certificate is a critical computer system designated by the authority under section 13,
must be admitted in the proceedings on its production without further proof.
(2) Until the contrary is proved, the court or appeal board concerned must presume that the certificate is signed by, or on behalf of, the regulating authority concerned.
(3) Until the contrary is proved, the certificate is evidence of the facts stated in it.
(4) In this section—
legal proceedings includes the proceedings of an appeal board.

69. Secretary for Security may make regulations
(1) The Secretary for Security may make regulations for the better carrying out of the provisions of this Ordinance.
(2) Regulations made under this section may prescribe offences for the contravention of the regulations, punishable by a fine.
(3) For an offence punishable on summary conviction, the maximum fine that may be prescribed under subsection (2) for an offence is $3,000,000 and, in the case of a continuing offence, a further fine not exceeding $60,000 may be prescribed for every day during which the offence continues.
(4) For an offence punishable on conviction on indictment, the maximum fine that may be prescribed under subsection (2) for an offence is $5,000,000 and, in the case of a continuing offence, a further fine not exceeding $100,000 may be prescribed for every day during which the offence continues.

70. Amendment of Schedules
(1) The Secretary for Security may by notice published in the Gazette amend any of the Schedules.
(2) A notice under subsection (1) may contain incidental, consequential, supplemental, transitional or savings provisions that are necessary or expedient in consequence of the notice.

Schedule 1
[ss. 2 & 70]

Sectors Specified for Definition of Critical Infrastructure

1. Energy
2. Information technology
3. Banking and financial services
4. Air transport
5. Land transport
6. Maritime transport
7. Healthcare services
8. Telecommunications and broadcasting services

Schedule 2
[ss. 2, 5 & 70]

Designated Authorities and Regulated Organizations

Part 1

Interpretation
1. In this Schedule—
authorized institution has the meaning given by section 2(1) of the Banking Ordinance (Cap. 155);
Cap. 106 means the Telecommunications Ordinance (Cap. 106);
Cap. 106V means the Telecommunications (Carrier Licences) Regulation (Cap. 106 sub. leg. V);
Cap. 584 means the Payment Systems and Stored Value Facilities Ordinance (Cap. 584);
Communications Authority means the Communications Authority established by section 3 of the Communications Authority Ordinance (Cap. 616);
designated system has the meaning given by section 2 of Cap. 584;
domestic free television programme service licensee means a holder of a licence granted under section 8(1) of the Broadcasting Ordinance (Cap. 562) (whether in reliance on section 10(1) of that Ordinance or not), or such a licence extended or renewed under section 11(1) of that Ordinance, to provide a domestic free television programme service (as defined by section 2(1) of that Ordinance);
Monetary Authority means the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap. 66);
settlement institution has the meaning given by section 2 of Cap. 584;
space station carrier licence has the meaning given by section 2(1) of Cap. 106V;
system operator has the meaning given by section 2 of Cap. 584;
unified carrier licence has the meaning given by section 2(1) of Cap. 106V.

Part 2

Specifications of Designated Authorities and Regulated Organizations

Column 1: Item; Column 2: Designated authority; Column 3: Sector; Column 4: Regulated organization

Item 1
Designated authority: Monetary Authority
Sector: Banking and financial services
Regulated organization:
(a) An authorized institution
(b) A licensee as defined by section 2 of Cap. 584
(c) A settlement institution of a designated system
(d) A system operator of a designated system

Item 2
Designated authority: Communications Authority
Sector: Telecommunications and broadcasting services
Regulated organization:
(a) A holder of a unified carrier licence
(b) A holder of a space station carrier licence
(c) A domestic free television programme service licensee
(d) A licensee as defined by section 13A(1) of Cap. 106

Schedule 3
[ss. 23, 27 & 70]

Computer-system Security Management Plans and Emergency Response Plans

Part 1

General Matters
1. The organization of the computer-system security management unit of the CI operator concerned, including details of the roles and responsibilities of personnel engaged for managing risks relating to the computer-system security of the critical computer systems concerned (including reporting lines and accountabilities).
2. The process of identifying computer systems that are essential to the core function of the critical infrastructure concerned.
3. The policies and guidelines for—
(a) identifying, assessing, monitoring, responding to and mitigating—
(i) risks relating to the computer-system security of critical computer systems concerned;
(ii) vulnerabilities of the systems; and
(iii) computer-system security threats and computer-system security incidents in respect of the systems;
(b) detecting computer-system security threats and computer-system security incidents in respect of the systems;
(c) controlling access to, and preventing any act done without lawful authority on, the systems;
(d) ensuring that any changes to the systems are overseen, managed and controlled;
(e) ensuring that all components of the systems are secured, managed and controlled to protect the information stored in, transmitted or processed by, or accessible via, them;
(f) adopting principles that prioritize and integrate security measures throughout the entire development life cycle of the systems;
(g) ensuring the availability of the systems during disruption;
(h) managing contracts and other communications with suppliers of computer-related services and products adopted for the systems in order to ensure that—
(i) the CI operator concerned complies with category 1 obligations, category 2 obligations and category 3 obligations; and
(ii) measures for computer-system security as required by the operator are properly implemented; and
(i) reviewing any computer-system security management plan submitted under section 23.
4. The provision of training to personnel performing obligations relating to the computer-system security of the critical computer systems concerned.

Part 2

Matters relating to Emergency Response
1. The structure, roles and responsibilities of a team responsible for responding to computer-system security incidents.
2. The threshold for initiating the protocol mentioned in section 27(1).
3. The procedures for reporting computer-system security incidents.
4. The procedures for investigating the cause and assessing the impact of computer-system security incidents.
5. A recovery plan for resuming the provision of essential services by, or the normal operation of, the critical infrastructure concerned.
6. A plan for communicating with stakeholders and the general public in respect of computer-system security incidents.
7. The recommended post-incident measures for mitigating the risks of, and preventing, the recurrence of computer-system security incidents.
8. The policies and guidelines for reviewing any emergency response plan submitted under section 27.

Schedule 4
[ss. 24 & 70]

Matters Specified for Computer-system Security Risk Assessments

Part 1

Interpretation
1. In this Schedule—
penetration test, in relation to a computer system, means a test that—
(a) simulates an attack on the system by electronic means; and
(b) aims at identifying the vulnerabilities of the system through the simulated attack;
vulnerability assessment, in relation to a computer system, means an assessment that—
(a) systematically examines the system for known vulnerabilities; and
(b) aims at identifying the vulnerabilities of the system for preventing any exploitation of them.

Part 2

Matters Specified for Computer-system Security Risk Assessments
1. Vulnerability assessment of the critical computer systems concerned.
2. Penetration test of the critical computer systems concerned.
3. Identification and prioritization of risks relating to the computer-system security of the critical computer systems concerned (including any weakness relating to security control) (identified risks).
4. Determination of—
(a) the extent of the likely impact on the computer-system security of the critical computer systems concerned that may result from the identified risks; and
(b) the level of risks that the systems can tolerate.
5. Identification of the treatment and monitoring required to deal with the identified risks.

Schedule 5
[ss. 25 & 70]

Matters Specified for Computer-system Security Audits
1. Verification of whether the existing protection measures in respect of the critical computer systems concerned have been performed properly, including—
(a) whether computer-system security management plans (within the meaning of section 23(1)) are implemented; and
(b) if so, whether the implementation is done by observing a relevant provision in a code of practice or done in another way.
2. An opinion on the condition of the computer-system security of the critical computer systems concerned based on the verification mentioned in item 1 of this Schedule.

Schedule 6
[ss. 28 & 70]

Specified Time for Notifications under Section 28

Column 1: Item; Column 2: Provision; Column 3: Time

Item 1
Provision: Section 28(2)(a)
Time:
(a) If the computer-system security incident concerned has disrupted, is disrupting or is likely to disrupt the core function of the critical infrastructure concerned—12 hours after the CI operator concerned becomes aware of the incident.
(b) In any other case—48 hours after the operator becomes aware of the incident.

Item 2
Provision: Section 28(3)
Time: 48 hours after the notification concerned is made under section 28(1).

Item 3
Provision: Section 28(4)
Time: 14 days after the date on which the CI operator concerned becomes aware of the computer-system security incident concerned.

Schedule 7
[ss. 2, 47, 48 & 70]

Appeals

Part 1

Preliminary
1. Interpretation
In this Schedule—
appeal means an appeal under section 48;
IT professional means a person who has professional or academic qualifications, or practical experience, in information technology or computer science;
legal professional means a solicitor or counsel;
legal representative, in relation to a party to an appeal, means the legal professional who represents the party at the appeal.

Part 2

Appeal Panel
2. Appeal panel
(1) The Chief Executive must appoint at least 15 individuals whom the Chief Executive considers to be suitable for appointment under this subsection as members of the appeal panel.
(2) The Chief Executive must not appoint to the appeal panel—
(a) a public officer; or
(b) a person employed—
(i) by a regulating authority; or
(ii) otherwise in connection with the authority’s performance of a function under this or any other Ordinance.
(3) The Chief Executive is to appoint one of the members of the appeal panel as chairperson.
(4) In appointing the members of the appeal panel, the Chief Executive must ensure that—
(a) the chairperson is—
(i) a former Justice of Appeal of the Court of Appeal;
(ii) a former judge, a former recorder or a former deputy judge of the Court of First Instance; or
(iii) a person eligible for appointment under section 9 of the High Court Ordinance (Cap. 4);
(b) at least 2 of the members are IT professionals;
(c) at least 2 of the members are legal professionals; and
(d) at least 2 of the members are neither IT professionals nor legal professionals.
(5) Each member of the appeal panel is to be appointed for a period of not more than 2 years, but is eligible for reappointment.

Part 3

Conduct of Appeal

Division 1—General

3. Beginning appeal
(1) For lodging an appeal against a decision, a person must lodge with the chairperson of the appeal panel a notice setting out the grounds of appeal.
(2) The notice—
(a) must be in the form specified by the chairperson of the appeal panel; and
(b) must be lodged within 1 month after the date on which the person receives notice of the decision.
(3) The chairperson of the appeal panel may in a particular case extend the period specified in subsection (2)(b) if the chairperson considers it appropriate to do so.

4. Appointment of appeal board
(1) As soon as practicable after a notice has been lodged under section 3(1) of this Schedule, the chairperson of the appeal panel must appoint from the panel an appeal board to handle the appeal.
(2) The appeal board is to consist of the following members—
(a) a chairperson;
(b) at least 2 ordinary members.
(3) In appointing the members of the appeal board, the chairperson of the appeal panel must ensure that—
(a) the chairperson of the board is a legal professional;
(b) at least one of the ordinary members is an IT professional;
(c) at least one of the ordinary members is neither an IT professional nor a legal professional; and
(d) the members do not have a disclosable interest in the decision appealed against.
(4) For the purposes of subsection (3)(d), a person has a disclosable interest in a decision if—
(a) the person has, in relation to the decision—
(i) a pecuniary interest (whether direct or indirect); or
(ii) a personal interest greater than that which the person has as a member of the public; and
(b) the pecuniary interest or personal interest could conflict or could reasonably be perceived to conflict with the proper performance of the person’s functions under this Ordinance.

5. General procedures for handling appeals
(1) An appeal board appointed for an appeal may—
(a) determine the appeal on the basis of written submissions only (without an oral hearing); or
(b) conduct an oral hearing for determining the appeal.
(2) In considering an appeal, every question before an appeal board is to be decided by a majority of votes of the members voting on the question.
(3) Subject to subsection (4), each member of the appeal board has 1 vote.
(4) If there is an equality of votes in respect of any question to be decided, the chairperson of the appeal board has a casting vote in addition to his or her original vote.
(5) Subject to the other provisions in this Schedule, the procedures for the conduct of any hearing for an appeal, and otherwise for handling an appeal, are to be decided by the appeal board.

Division 2—Hearing

6. Application
This Division applies if an appeal board conducts a hearing for determining an appeal.

7. Presiding of and quorum for hearing
(1) The hearing is to be presided over by the chairperson of the appeal board.
(2) The quorum for the hearing is 3 members of the appeal board or one half of the members of the board, whichever is the greater.
(3) For determining the quorum, if the number of members of the appeal board is an odd number, the number is to be regarded as having been increased by 1.

8. Date, time and place of hearing
The chairperson of the appeal board must—
(a) fix the date, time and place for the hearing so that the hearing may begin as soon as practicable; and
(b) serve on the parties to the appeal a notice of the date, time and place of the hearing.

9. Proceedings of appeal board
(1) The appeal board has the following powers when hearing the appeal—
(a) power to take evidence on oath;
(b) power to examine witnesses;
(c) power to receive and consider any material, whether by way of oral evidence, written statements, documents or otherwise, and whether or not the material would be admissible in civil or criminal proceedings;
(d) power to determine the way in which any material mentioned in paragraph (c) is received;
(e) power to award to a person the expenses that, in the board’s opinion, the person has reasonably incurred in attending the hearing;
(f) power to make any order that may be necessary for or ancillary to the conduct of the hearing or the carrying out of its functions.
(2) If it appears to the appeal board that the regulating authority concerned has reversed the decision appealed against, the board may determine the appeal in favour of the appellant.
(3) The regulating authority may participate in the hearing through an authorized officer of the authority or a legal representative, or both.
(4) The appellant may participate in the hearing through one or more of the following persons—
(a) a director of the appellant;
(b) a legal representative;
(c) with the consent of the appeal board—any other person.
(5) The appeal board may make an order as to the payment of the costs and expenses incurred in relation to the hearing, whether by the board, any party to the appeal, or any person attending the hearing as a witness.

10. Hearing generally private
(1) Subject to subsection (2), the hearing is to be conducted in private.
(2) After consulting the parties to the appeal, the appeal board may, by order, direct that the hearing, or any part of the hearing, be held in public.
(3) For the purposes of subsection (2), the appeal board must have regard to—
(a) the views or private interests of the parties to the appeal, including any claims as to privilege; and
(b) the public interest.

11. Failure of appellant to send representative to attend hearing
(1) If at the time fixed for the hearing, the appellant fails to send any representative to attend the hearing, the appeal board may—
(a) if it is satisfied that the failure was due to a reasonable ground—postpone or adjourn the hearing for a period it considers appropriate; or
(b) if it is satisfied that the failure was not due to any reasonable ground—
(i) proceed to hear the appeal; or
(ii) by order, dismiss the appeal.
(2) If an appeal is dismissed under subsection (1)(b)(ii)—
(a) the appellant may, within 28 days after the date on which the order for dismissal is made, apply to the appeal board for a review of the order by written notice lodged with the chairperson of the board; and
(b) the board may, if it is satisfied that the failure was due to a reasonable ground, set aside the order for dismissal.
(3) A notice under subsection (2)(a) must be in the form specified by the chairperson of the appeal panel.
(4) The appellant must, as soon as practicable after a notice is lodged under subsection (2)(a), serve a copy of the notice on the other parties to the appeal.
(5) If the appeal board sets aside an order for dismissal under subsection (2)(b), the chairperson of the board must—
(a) fix a new date, time and place for a new hearing of the appeal so that the new hearing may begin as soon as practicable; and
(b) serve, at least 14 days before the date so fixed, on the parties to the appeal a notice of the date, time and place of the new hearing.

12. Privileges and immunities
(1) The appeal board, when hearing the appeal, has the same privileges and immunities as it would have if the appeal were legal proceedings in a court.
(2) A party, legal representative, witness or any other person who appears before the appeal board at the hearing has the same privileges and immunities as the person would have if the appeal were legal proceedings in a court.

Explanatory Memorandum

1. The main purposes of this Bill are—
(a) to protect the security of the computer systems of Hong Kong’s critical infrastructures;
(b) to regulate the operators of such infrastructures; and
(c) to provide for the investigation into, and response to, computer-system security threats and incidents in respect of such computer systems.
2. The Bill contains 8 Parts and 7 Schedules.

Part 1—Preliminary
3. Clause 1 sets out the short title and provides for commencement.
4. Clause 2 contains the definitions for the interpretation of the Bill. The main definitions include CI operator, code of practice, computer-system security, computer-system security incident, computer-system security management unit, computer-system security threat, critical computer system, critical infrastructure, designated authority, regulated organization, regulating authority and specified critical infrastructure. The clause also explains—
(a) what a reference to a critical infrastructure operated by a CI operator means;
(b) what a reference to a CI operator regulated by a regulating authority means; and
(c) what a reference to doing an act without lawful authority means.
5. Schedule 1 specifies various sectors for the purposes of the definition of critical infrastructure in clause 2.

Part 2—Regulating Authorities
6. Clause 3 provides for the appointment of the Commissioner of Critical Infrastructure (Computer-system Security) (Commissioner).
7. Clause 4 sets out the functions of the Commissioner.
8. Clause 5, together with Schedule 2, provides for the specification of designated authorities.
9. Clause 6 sets out the functions of designated authorities.
10. Clause 7 empowers a regulating authority to give written directions to CI operators regulated by the authority.
11. Clause 8 empowers a regulating authority to issue codes of practice.
12. Clause 9 provides for the use of codes of practice in legal proceedings.
13. Clause 10 empowers a regulating authority to specify forms etc. for the purposes of the Bill.

Part 3—Critical Infrastructures, CI Operators and Critical Computer Systems

Division 1—Ascertaining Critical Infrastructures and Designating CI Operators and Critical Computer Systems
14. Clause 11 provides for the ascertainment of critical infrastructures.
15. Clauses 12 and 13 provide for the designation of CI operators and critical computer systems respectively.

Division 2—Requiring Information
16. Clauses 14 to 17 empower a regulating authority to require information for—
(a) ascertaining critical infrastructures;
(b) designating CI operators;
(c) designating critical computer systems; and
(d) better understanding critical computer systems or ascertaining CI operators’ compliance with obligations under Part 4.
17. Clause 18 provides for an offence for failure to provide information as required under clauses 14 to 17.

Part 4—Obligations of CI Operators

Division 1—Obligations relating to Organization of CI Operators
18. Clause 19 imposes an obligation on CI operators to maintain an office in Hong Kong.
19. Clause 20 imposes an obligation on CI operators to notify the regulating authority that regulates the operator of any change of the operator of a critical infrastructure.
20. Clause 21 imposes an obligation on CI operators to maintain a computer-system security management unit.

Division 2—Obligations relating to Prevention of Threats and Incidents
21. Clause 22 imposes an obligation on CI operators to notify the regulating authority that regulates the operator of any material change to critical computer systems etc.
22. Clause 23 imposes an obligation on CI operators to submit and implement computer-system security management plans. Matters that must be covered by such plans are set out in Schedule 3.
23. Clause 24 imposes an obligation on CI operators to conduct computer-system security risk assessments regularly. Matters that must be covered by such assessments are set out in Schedule 4.
24. Clause 25 imposes an obligation on CI operators to arrange to carry out computer-system security audits regularly. Matters that must be covered by such audits are set out in Schedule 5.

Division 3—Obligations relating to Incident Reporting and Response
25. Clause 26 imposes an obligation on CI operators to participate in computer-system security drills conducted by the Commissioner if so required by the Commissioner.
26. Clause 27 imposes an obligation on CI operators to submit and implement emergency response plans. Matters that must be covered by such plans are set out in Part 2 of Schedule 3.
27. Clause 28 imposes an obligation on CI operators to notify the Commissioner of computer-system security incidents. Schedule 6 specifies the time within which such notifications have to be made.

Part 5—Responding to Computer-system Security Threats and Computer-system Security Incidents
28. Clauses 29 to 32 provide for the early intervention of events that have an actual adverse effect, or are likely to have an adverse effect, on the computer-system security of critical computer systems.
29. Clauses 33 to 40 provide for the investigation into, and response to, computer-system security threats and computer-system security incidents.
30. Clause 41 provides for the use of incriminating evidence in proceedings after early interventions and investigations.
31. Clause 42 provides for an offence for failing to comply with requirements imposed for early interventions and investigations.

6 Part 6—Investigation of Offences

32. 43 46 32. Clauses 43 and 46 provide for the investigation of offences


under the Bill.
33. 44
33. Clause 44 provides for the use of incriminating evidence in
proceedings after investigations.
34. Clause 45 provides for an offence for failing to comply with a requirement made for investigations.

Part 7—Appeals

35. Clause 47 provides for the establishment of an appeal panel, with details set out in Part 2 of Schedule 7.

36. Clause 48 provides that an organization aggrieved by certain decisions made in relation to it may lodge an appeal. The procedures for such appeals are set out in Part 3 of Schedule 7.

37. Clause 49 provides for the decisions on such appeals.

Part 8—Miscellaneous

38. Clauses 50 and 51 respectively empower the Commissioner and designated authorities to appoint authorized officers.

39. Clauses 52 and 53 provide for the delegation of functions by the Commissioner and designated authorities.

40. Clause 54 provides that the Commissioner may perform functions in respect of critical infrastructures and CI operators regulated by designated authorities if necessary.

41. Clause 55 provides that the Commissioner may exempt CI operators from any obligations under Part 4.

42. Clause 56 provides that designated authorities may prosecute offences.

43. Clauses 57 and 58 provide for the preservation of secrecy.

44. Clause 59 provides for the protection of informers.

45. Clause 60 provides for the immunity of persons who comply with a direction or requirement imposed by or under the Bill.

46. Clause 61 provides that the Bill does not affect legal professional privilege.

47. Clause 62 provides for the production of information contained in information systems.

48. Clause 63 provides that a lien on any document does not affect any requirement to produce the document.

49. Clause 64 provides for the disposal of property that comes into the possession of a regulating authority or authorized officer under the Bill.

50. Clauses 65 and 66 provide for the defences of due diligence and reasonable excuse for certain offences under the Bill.

51. Clause 67 provides for how notices etc. are to be served.

52. Clause 68 provides for the use of certificates of designation in legal proceedings.

53. Clause 69 empowers the Secretary for Security to make regulations for the better carrying out of the provisions of the Bill.

54. Clause 70 empowers the Secretary for Security to amend any of the Schedules to the Bill by notice published in the Gazette.