Hong Kong's Critical Infrastructure Ordinance provides opportunities for privacy professionals


Contributors:
Peter Carberry
CIPP/E, CIPP/US, CIPM, FIP
Senior information governance officer
MMU
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Beginning 1 Jan. 2026, Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance, comparable to the EU NIS2 Directive and the U.K.'s forthcoming Cyber Security and Resilience Bill, will come into force.
The ordinance will regulate critical infrastructure operators, obliging them to apply prescriptive organizational, preventative and incident reporting and response standards to protect computer systems that support critical infrastructure.
While the CI Ordinance is not in itself a privacy regulation, it was passed in early 2025, shortly after the Office of the Privacy Commissioner for Personal Data reported a roughly 30% increase in data breach notifications, and brings with it implications for privacy practitioners.
Transitioning from principles to prescriptions
The current prevailing privacy law, the Personal Data (Privacy) Ordinance, developed originally with reference to the Organisation for Economic Co-operation and Development's Privacy Guidelines and the EU Data Protection Directive, is less prescriptive not only than the EU General Data Protection Regulation but also than those of neighboring jurisdictions in the Greater Bay Area. In the regulator's own words, the principles of the PDPO are "not couched in definitive terms."
The CI Ordinance, by contrast, draws closer parallels with regulations on critical infrastructure in mainland China and Macao, highlighting recent efforts to achieve greater regulatory convergence in the region. As such, a detailed look at the ordinance may already point to future regulatory convergence in the GBA and a more prescriptive environment for data protection in Hong Kong.
The new dynamics of breach reporting