Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Beginning 1 Jan. 2026, Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance, comparable to the EU NIS2 Directive and the U.K.'s forthcoming Cyber Security and Resilience Bill, will come into force.
The ordinance will regulate critical infrastructure operators, obliging them to apply prescriptive organizational, preventative and incident reporting and response standards to protect computer systems that support critical infrastructure.
While the CI Ordinance is not in itself a privacy regulation, it was passed in early 2025, shortly after the Office of the Privacy Commissioner for Personal Data reported a roughly 30% increase in data breach notifications, and brings with it implications for privacy practitioners.
Transitioning from principles to prescriptions
The current prevailing privacy law, the Personal Data (Privacy) Ordinance, developed originally with reference to the Organisation for Economic Co-operation and Development's Privacy Guidelines and the EU Data Protection Directive, is less prescriptive than not only the EU General Data Protection Regulation but also the laws of neighboring jurisdictions in the Greater Bay Area. In the regulator's own words, the principles of the PDPO are "not couched in definitive terms."
The CI Ordinance, by contrast, draws closer parallels with regulations on critical infrastructure in mainland China and Macao, highlighting recent efforts to achieve greater regulatory convergence in the region. As such, a detailed look at the ordinance may already point to future regulatory convergence in the GBA and a more prescriptive environment for data protection in Hong Kong.
The new dynamics of breach reporting
The most explicit impact of the CI Ordinance on the privacy landscape is the potential for data breach reporting by proxy. Although encouraged by the regulator and considered best practice, there is currently no legal requirement for personal data breaches to be reported to Hong Kong's PCPD.
Under the new ordinance, operators in scope will be required to notify the new commissioner of critical infrastructure, to be created under the ordinance, when a computer security incident involving a critical infrastructure they operate has occurred. The commissioner for critical infrastructure may in turn disclose relevant incidents directly to the privacy commissioner, triggering their enforcement rights.
In this regard, Hong Kong is beginning to take a similar approach to other jurisdictions in recognizing the overlap between digital regulations, most recently demonstrated in the European Commission's Digital Omnibus proposing a "single-entry point" for reporting incidents under NIS2, the Digital Operational Resilience Act and the GDPR.
While the new ordinance's legislative intent is to nudge critical infrastructure operators (CIOs) to enhance their security postures, these standards are no longer solely about building trust with customers and consumers, and instead have become compliance nonnegotiables.
This changes the calculus for CIOs when it comes to deciding whether to voluntarily report data breaches to the PCPD. While reporting is still not mandatory, from January 2026 there will be an increased likelihood of the details of a breach ending up on the privacy commissioner's desk via the commissioner for critical infrastructure.
From an accountability perspective, this will certainly encourage CIOs to follow the PCPD's existing advice on breach reporting and possibly further normalize such reporting among organizations not in scope of the CI Ordinance.
Leveraging existing frameworks
The backdrop of this evolving landscape provides an opportunity to revisit, streamline and harmonize compliance practices.
Multinationals in scope of the ordinance that are already operating in Europe may be best positioned to adapt to their new obligations having experienced the arrival of NIS2 in the last two years.
CIOs with a presence in Macao and Singapore, especially, will also find major chunks of their frameworks for compliance with the cybersecurity regulations of those jurisdictions can adequately cover many of the obligations imposed by the ordinance.
Obligations demanding privacy stakeholders' particular attention are included in Division 2 — Obligations relating to Prevention of Threats and Incidents, and Division 3 — Obligations relating to Incident Reporting and Response.
Again, while the ordinance is not specific to matters concerning personal data, the policy adaptation it is expected to precipitate generates several opportunities to roll privacy compliance into broader processes.
Future-proofing compliance and the role of privacy
With further convergence of privacy regulation in the GBA inevitable, participating in CI Ordinance readiness efforts is a chance to reduce the duplication of work for individual privacy practitioners and their organizations.
Unified incident response procedures will maximize collaboration between security and privacy teams, while internal and external audit resources can be leveraged for assurance that the organization is fulfilling its duties under the PDPO's Security Principle. The newly mandated risk assessments can also directly inform privacy impact assessments in line with the Collection, Purpose and Means Principle.
The CI Ordinance provides a rare opportunity for privacy professionals at critical infrastructure operators to piggyback off emerging legislative requirements to demonstrate their value not only in privacy compliance, but also wider digital risk assurance. The privacy function within each CIO should therefore ensure its involvement when security and governance teams are devising and implementing their roadmaps for compliance.
Peter Carberry, CIPP/E, CIPP/US, CIPM, FIP, is a senior information governance officer.
