Over recent years, cybersecurity has increasingly become a mainstream risk for economies, societies and governments. The ransomware attack on Ngong Ping 360 at the end of February shows how the threat has spread into everyday life. In a highly connected city, any organization that stores or processes data can become a target.
The number of reported cyber incidents in the city has reached record levels over the past two years, with phishing cases more than doubling and now accounting for the majority of reports. Local experts warn that artificial intelligence is making it easier to craft convincing scams, automate attacks and exploit vulnerabilities in cloud services and third-party providers. In short, threats are scaling faster than the defenses of many organizations.
Against that backdrop, the adequacy of the regulatory framework warrants examination. There has been meaningful progress with the introduction of the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653), which came into force on Jan 1. It imposes binding obligations on designated operators across eight sectors — energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting. Designated operators must comply with strict regulatory codes, protect critical computer systems, and report major incidents. Failure to do so can result in substantial penalties. For providers of essential services, cybersecurity is a statutory obligation.
In addition, the 2026-27 Budget highlighted the “AI vs AI” sandbox run by the Hong Kong Monetary Authority and Cyberport, which tests the secure and responsible use of AI in banking. It also earmarked HK$100 million ($12.8 million) to bring in leading technologies and accelerate the Hong Kong Special Administrative Region government’s digital transformation, and announced a new Committee on AI+ and Industry Development Strategy to guide AI-driven industrial development.
By comparison, the policy direction emerging from China’s national two sessions held earlier this month suggests a much more comprehensive approach. Cybersecurity is a core component of national security and high-quality development. The 15th Five-Year Plan places digital resilience, data governance and secure AI deployment firmly within the broader strategy of integrating development and security.
That strategic emphasis is reflected in the central government’s regulatory framework. The Cybersecurity Law and the Multi-Level Protection Scheme have adopted a tiered approach. Requirements are scaled to the importance and sensitivity of different networks. The objective is to lift baseline standards across a range of sectors, rather than reserving the strictest oversight for a small group of traditional infrastructure operators.
Hong Kong’s framework is more tightly confined. Large parts of the economy, including companies that hold substantial amounts of personal or commercially sensitive data, still rely mainly on general privacy obligations, contractual protections and internal policies. That may have been adequate in the past, but it is harder to justify when attackers increasingly target commercial networks outside tighter regulatory regimes. The result is not only uneven resilience across sectors but also inconsistent standards for handling data.
The relentless onslaught of cold-calling targeting Hong Kong residents highlights the problem. The constant stream of unsolicited sales calls and messages suggests that personal data is still being recycled and shared with relative ease. Poor data governance is not simply an irritation; it creates vulnerabilities that can be exploited for phishing, fraud and identity theft. This problem needs to be addressed.
If cybersecurity is to be considered a form of strategic infrastructure, baseline expectations across the broader economy may warrant reassessment. Stronger regulation and enforcement of consent, data handling, and outbound marketing should be coupled with clear consumer opt-out rights and effective penalties for abusers. Any such reforms would need to remain proportionate and risk-based, but greater certainty around minimum safeguards would benefit both businesses and consumers.
Europe offers a useful reference point. The European Union’s NIS2 Directive, which came into force three years ago, widened the net. Cybersecurity is no longer confined to a small circle of traditional infrastructure providers. Energy, transport, manufacturing, and a range of digital service providers are now covered. The shift reflects a simple judgment: Resilience cannot depend on protecting only the most sensitive pressure points. It requires raising standards across the entire system.
That conclusion carries weight for Hong Kong. As a global financial center and an increasingly technology-driven economy, the city relies heavily on confidence — confidence in its markets, its data flows, and the reliability of its digital systems. As a result, cyber resilience is intertwined with economic stability and long-term prosperity. A greater emphasis on building security into every stage of digital development would enhance the city’s credibility rather than inhibit it.
It may therefore be time to look beyond a narrow definition of critical infrastructure. Businesses that hold vast amounts of data, run major digital platforms, or occupy pivotal positions in supply chains are already part of the city’s risk landscape. Clarifying what is expected of them — in practical, workable terms — would provide greater certainty for companies and stronger protection for the system as a whole. That does not mean overregulation, but it does mean being clearer about basic safeguards, incident reporting and who ultimately carries responsibility when things go wrong.
This broader perimeter also has implications for the deployment of new technologies. Security should always lie at the heart of the city’s technology strategy. As AI is deployed in finance, logistics and urban management, safeguards should be designed in, not added later. Retrofitting defenses after a breach is invariably more costly — financially and reputationally — than building them properly at the outset.
The SAR government has already recognized this principle in relation to key systems. The question now is whether this approach should be extended to the wider digital economy. At the national level, recent policy statements associated with the two sessions and the 15th Five-Year Plan cycle continue to emphasize the integration of development and security.
In practice, the distinction between “critical” and “noncritical” systems is becoming increasingly difficult to maintain. As more services move online and businesses become interdependent, it becomes harder to draw a clear line around what counts as “critical”. A disruption to one organization can quickly ripple outward. Protecting a limited group of operators is no longer enough. In a digital economy, resilience is collective, and so are vulnerabilities.
The author is an international partner and member of the Global Advisory Board, MilleniumAssociates AG.
The views do not necessarily reflect those of China Daily.
