Hong Kong and Taiwan Strengthen Cybersecurity Frameworks as Regional Threats Surge to Five-Year Highs

By Amelia Rowe | Published Dec 11, 2025 | 6 min read

HONG KONG — East Asian financial centers are implementing comprehensive cybersecurity legislation as cyber threats reach unprecedented levels. Hong Kong has passed its first Protection of Critical Infrastructures Computer Systems Ordinance, effective January 1, 2026, while Taiwan is drafting major amendments to its Personal Data Protection Act, and reports indicate that phishing attacks surged 108 percent in 2024, creating an urgent imperative for stronger digital defenses.
Hong Kong's Legislative Council enacted the Protection of Critical Infrastructures Computer Systems Bill on March 19, 2025, which was gazetted as the Protection of Critical Infrastructures Computer Systems Ordinance on March 28, 2025. The Ordinance, set to take effect on January 1, 2026, aims to enhance cybersecurity standards for providers of essential services in eight sectors crucial to normal societal functioning.
The designated sectors include energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services. The Ordinance also covers critical societal or economic activities such as those managing major sports and performance venues as well as research and development parks in Hong Kong.
Critical Infrastructure is defined under two categories. The first category refers to any infrastructure essential to continuous provision in Hong Kong of essential services in the eight designated sectors. The second category will be designated by government at a later stage and includes any other infrastructure where damage, loss of functionality or data leakage may hinder or substantially affect maintenance of critical societal or economic activities.
According to the Secretary for Security, the government expected to begin shortlisting designated Critical Infrastructure Operators (CIOs) by June 2025, though the list will not be made public, to avoid the operators being targeted by threat actors. The Ordinance also covers Critical Computer Systems (CCS), defined as computer systems that are accessible by a CIO in or from Hong Kong and essential to the core functions of the critical infrastructure that the CIO operates.
Within three months of designation, a CIO must implement, and submit to the relevant Regulating Authority, a computer-system security management plan for protecting the security of its CCS. CIOs must conduct a computer-system security risk assessment within 12 months of designation and at least once every 12 months thereafter, submitting a report to the relevant Regulating Authority within three months after the expiry of each required assessment period.
CIOs must also conduct a computer-system security audit within 24 months of designation and at least once every 24 months thereafter, submitting the audit report to the relevant Regulating Authority within three months after the expiry of each required audit period. Schedule 3 of the Ordinance sets out the required contents of the security management plan, which must cover the persons responsible for managing cybersecurity, how critical systems are identified, and how risks such as threats, vulnerabilities and incidents are detected and addressed.
The emergency response plan must describe the structure and responsibilities of teams handling cybersecurity incidents, define when response protocols should be activated and set out how incidents are reported, investigated and assessed. Non-compliance with the Ordinance carries steep penalties given the critical nature of protected infrastructure.
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) held a media briefing in January 2025 to present the Hong Kong Cyber Security Outlook 2025 cum IoT Security Study Report on Digital Signage. The briefing summarized Hong Kong's cybersecurity landscape in 2024 and released security forecasts for 2025, highlighting that supply chain security and AI content hijacking will become primary cybersecurity risks.
In 2024, HKCERT handled 12,536 security incidents; phishing accounted for over half of them, at 7,811 cases (62 percent of all incidents). This was a 108 percent increase from 2023, with the case count rising by a four-digit figure year-over-year. From January to September 2025, HKCERT handled over 11,981 security incidents, with phishing alone surging by 55 percent, signaling explosive growth in cyber threats driven by artificial intelligence.
Ir Alex Chan, General Manager of the Digital Transformation Division at the Hong Kong Productivity Council and HKCERT spokesperson, stated that hackers are shifting their focus to breaching organizations through third parties such as suppliers, contractors or service providers. Critical infrastructure, including energy, land, sea and air transportation, banking and healthcare services, are potential targets. Both low-altitude-economy drones and IoT devices such as digital signage are at risk of attack, which could have serious consequences.
Organizations and individuals must prepare by implementing appropriate cyber incident response measures, deploying suitable cybersecurity controls, conducting regular security audits and penetration testing, and understanding and preventing the relevant risks. HKCERT is actively introducing AI tools to enhance threat detection. By September 2025, the system had completed 2.4 billion scans, identifying multiple high-risk suspicious websites.
Taiwan is simultaneously strengthening its cybersecurity and data protection frameworks. On December 20, 2024, the Preparatory Office of the Personal Data Protection Commission (PDPC) announced a draft amendment to the Personal Data Protection Act. The public consultation period ended on January 10, 2025, during which opinions from various sectors were received.
The main purpose of the amendment is to align the Act with the establishment of the PDPC and to grant the PDPC relevant enforcement powers, including administrative supervision over both government and non-government agencies, as well as cooperation mechanisms with other competent authorities regarding supervision of non-government agencies. Its main points include the establishment of supervision mechanisms for government agencies and a requirement for government agencies or designated non-government agencies to appoint Personal Data Protection Officers responsible for promoting and overseeing personal data protection matters.
Taiwan's cybersecurity regulatory framework is governed by the Cyber Security Management Act and Enforcement Rules, Regulations on Classification of Cyber Security Responsibility Levels and Regulations on Notification and Response of Cyber Security Incidents. These frameworks establish comprehensive requirements for organizations handling sensitive data and operating critical infrastructure.
In September 2022, the Financial Supervisory Commission (FSC) received an anonymous tip-off alleging a cybersecurity breach at Shanghai Commercial & Savings Bank that led to the leakage of customer personal data. After investigation, it was confirmed that the bank had leaked the names and ID card information of 14,000 customers. In November 2023, the FSC imposed a fine of TWD 10 million on Shanghai Bank, the heaviest penalty imposed by the FSC that year for a bank's personal data breach.
According to the FSC, deficiencies were found in the bank's customer data confidentiality and information security system, including failure to establish comprehensive internal control systems, failure to establish appropriate regulations on personal-computer administrator rights, and inadequate security protocols. The bank only clarified its policy of changing personal-computer administrator passwords every six months on December 15, 2022, after the incident had occurred.
Taiwan joined the APEC Cross-Border Privacy Rules (CBPR) system in December 2018, with the Institute for Information Industry applying to be the Accountability Agent. In June 2021, the Institute for Information Industry was recognized by APEC as the Accountability Agent for CBPR verification of domestic enterprises in Taiwan. Taiwan also joined the EU-led Joint Declaration on Privacy and Protection of Personal Data in October 2022, which is intended to foster international cooperation in promoting high data protection and privacy standards.
Theft of trade secrets or National Core Critical Technologies for use in foreign countries, China, Hong Kong or Macao is punishable under Article 13-2 of the Trade Secrets Act and Article 8 of the National Security Act. Where obtained trade secrets are intended for use in foreign jurisdictions, China, Hong Kong or Macao, Article 13-2 provides that offenders face maximum penalties of 10 years' imprisonment and fines of NTD 50 million, which may be increased by up to 10 times the gain obtained.
Articles 3 and 8 of the National Security Act, as amended in June 2022, provide that no one may steal National Core Critical Technologies or apply them to conduct that damages the national security, industrial competitiveness or economic development of Taiwan for the benefit of foreign countries, China, Hong Kong, Macao or adversaries outside Taiwan's jurisdiction.
Looking forward, Hong Kong and Taiwan face intensifying cybersecurity challenges as threat landscapes evolve with artificial intelligence weaponization, supply chain vulnerabilities and sophisticated phishing campaigns. Both jurisdictions' new regulatory frameworks establish foundations for enhanced protection, though implementation success will depend on adequate resourcing, industry cooperation and continuous adaptation to emerging threats.
The passage of comprehensive cybersecurity legislation in Hong Kong and Taiwan reflects growing recognition across Asia that digital infrastructure protection represents not merely technical necessity but strategic imperative essential to economic stability, national security and public confidence in digital systems. The coming years will test whether regulatory frameworks translate into meaningful risk reduction and enhanced cyber resilience across critical infrastructure sectors.

Written by Amelia Rowe, Senior correspondent · Markets & Sovereign Capital
Amelia spent eight years inside a sovereign wealth fund before deciding she'd rather write about institutional money than allocate it. She covers central banking, sovereign capital, and the macro decisions that quietly choose which markets get the next decade. Sharp on monetary policy; impatient with anyone who confuses noise with signal. Based in London. Reach out at amelia.rowe@theplatinumcapital.com.