
Protection of Critical Infrastructures (Computer Systems) Ordinance

What is needed now?

Hong Kong is fortifying its digital backbone. The Protection of Critical Infrastructures (Computer Systems) Ordinance (the "CI Ordinance") represents a pivotal shift in cybersecurity regulation for critical infrastructure operators (CIOs). Set to take effect in January 2026, it establishes a mandatory, comprehensive framework aimed at enhancing the city’s resilience against cyber threats and safeguarding critical infrastructure (CIs).

Crucially, the ordinance moves beyond guidelines to legally enforceable obligations, ensuring CIOs achieve a robust security posture against evolving cyber threats.

 

Are you prepared for the key compliance milestones?

The path to CI Ordinance compliance is structured and time-bound. While the CI Ordinance takes effect in 2026, Phase 1 CIOs will be designated by the first half of 2026. Preparation must begin now to ensure a seamless transition.

Your Roadmap to Compliance:

  • Now: Conduct a Compliance Gap Analysis

Begin immediately to identify gaps and allow ample time for remediation before the Ordinance is enforced.

  • Before 2026: Remediate Identified Gaps

Address the higher-priority and higher-risk deficiencies uncovered in your gap analysis to achieve compliance ahead of the effective date. Prepare a roadmap that lays out the remediation timeframe, and follow through with the enhancements.

  • After Designation: Ongoing Compliance

Upon your official designation as a CIO, a new timeline is activated:

o   Within 3 Months: Submit your Security Management Plan and Emergency Response Plan.

o   Within 12 Months: Submit your first Risk Assessment Report (recurring every 12 months).

o   Within 24 Months: Submit your first Computer System Security Audit Report (recurring every 24 months).

o   Within 1 Month: Report any Major Material Change after it occurs.

 

How Can Deloitte Help?

Our Deloitte Cyber professional team has the experience and knowledge to get you prepared for compliance with the CI Ordinance. Our service offerings are designed to address its core requirements directly.

We provide end-to-end support to navigate the CI Ordinance seamlessly:

  • CI Ordinance Gap Analysis & Remediation Roadmap
  • Computer-system Security Management Plan & Emergency Response Plan Development
  • Operating Model Advisory and Organization Transformation Services
  • Computer-system Security Risk Assessments (Vulnerability & Penetration Testing)
  • SOC Services for 24/7 monitoring and incident response

The CI Ordinance will impact a wide range of CIOs. Contact our Deloitte Cyber Team to begin your compliance journey.
