HKCNSA Committee Workshop Successfully Held, Focusing on Compliance Challenges Under the Critical Infrastructure Protection Law

On 21 January 2026, the Hong Kong China Network Security Association (HKCNSA) successfully held its Committee Workshop, co-organized with corporate member Bird & Bird, at Bird & Bird’s Hong Kong office. The Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into effect on 1 January 2026. Following its commencement, government bodies and industry stakeholders began examining requirements, compliance processes, and operational arrangements. To support the sector during this initial stage, HKCNSA invited experts from the legal, financial, and cybersecurity fields to outline the regulatory framework and discuss practical preparation work.

David IP, Founding Chairman of HKCNSA, delivered the opening remarks, outlining the legislative context and objectives of the Ordinance and the Association’s role in facilitating communication between policymakers and the industry. Wilfred Ng, Partner at Bird & Bird, then provided an overview of key obligations under the Ordinance, covering supplier and subcontractor governance, criteria for determining material changes to critical computer systems, incident reporting expectations, and information provision requirements.

Wilson Tang, HKCNSA Vice President and Director of the Critical Infrastructure Committee, presented the latest developments related to the Ordinance. His remarks addressed supply chain considerations influenced by geopolitical factors and issues of system visibility and control when critical systems rely on overseas cloud services. He also elaborated on compliance clauses applicable to service providers under Annex H, highlighted OCCICS reference contract templates, and set out expectations regarding service provider capability assessments and operational compliance.

From the banking sector perspective, Isaiah Wong, Director of the Financial Services Cybersecurity Committee, explained the Hong Kong Monetary Authority (HKMA)’s draft Sectoral Code of Practice and the “One‑Stop” incident reporting arrangement. He outlined planning areas for financial institutions in 2026, including asset inventory, gap analysis, updates to risk management procedures, incident response exercises, and relevant staff training.

During the discussion and Q&A session, participants exchanged views on resource planning, supply chain oversight, documentation and process development, and audit coordination. The workshop covered legal interpretation, industry practices, and supervisory considerations, providing practical reference points for the early-stage implementation of the Ordinance.

Looking ahead, the HKCNSA will continue to organize professional seminars to facilitate information sharing and industry collaboration, supporting stakeholders as they align operations and compliance arrangements with the new regulatory framework.