Solutions to comply with Critical Infrastructures Bill (CI Bill)
Scheduled to take effect on January 1, 2026, the Protection of Critical Infrastructures (Computer Systems) Bill, commonly known as the CI Bill, marks a significant step forward in strengthening cybersecurity across essential services and sectors. The CI Bill establishes a comprehensive legal framework to safeguard the Critical Computer Systems (CCS) that support Hong Kong's critical infrastructures (CIs).
The legislation introduces new obligations for critical infrastructure operators (CIOs), requiring them to implement robust cybersecurity measures, report incidents, and cooperate with investigations into threats against their systems. The CI Bill aims to ensure the resilience and security of the systems on which Hong Kong's societal and economic stability depends.
Offences and penalties apply primarily to organizations, while individuals are subject to specific secrecy-preservation requirements. The CI Bill's fines are tiered, with maximum fines ranging from HK$500,000 up to HK$5 million. For continuing offences, additional daily fines of up to HK$100,000 may be imposed.
The CI Bill covers the following sectors:
• Energy
• Banking & financial services
• Healthcare services
• Telecommunication & broadcasting services
• Information technology
• Land transport
• Air transport
• Marine transport
We take a complete, lifecycle approach to CI Bill compliance, making us a one-stop shop for CIOs seeking strong, compliant, and resilient security.
| Strategic Approach | Details |
|---|---|
| Regulatory gap analysis | Assesses whether a critical infrastructure operator's (CIO's) internal controls, policies and guidelines meet the regulatory requirements, and delivers an improvement plan wherever a gap between the regulatory controls and their execution is found. |
| Strategic management planning | Provides consultation services to assist CIOs in setting up an internal security management unit and a company-wide security management plan. |
| Multi-layered security control | Enhances vulnerability management across the identification, assessment and mitigation of vulnerabilities at the network, data and application layers. |
| Risk assessment, audit and penetration testing | Delivers regular risk assessments by HGC and partners to remediate weaknesses in CIOs' operations, and prepares security audit reports for the Commissioner's Office. |
| Security monitoring & incident response | Rides on HGC's next-generation Security Operation Centre (SOC) to support CIOs in their daily cybersecurity operations, and helps manage incident response (IR) retainer tokens. |
| Awareness training & continuous improvement | Helps organizations maintain a strong security posture and equips internal staff to recognize and respond to threats such as phishing and social engineering attacks. |