Saved February 14, 2026
Hong Kong's Office of the Commissioner of Critical Infrastructure has issued a Code of Practice under the new cybersecurity Ordinance, effective January 1, 2026. This document outlines specific compliance requirements for critical infrastructure operators, shifting from general principles to actionable steps for cybersecurity governance and incident response.
On January 1, 2026, Hong Kong implemented a Code of Practice (CoP) under the Protection of Critical Infrastructures (Computer Systems) Ordinance. This Code lays out specific requirements for critical infrastructure operators (CIOs), moving from general principles to actionable steps for compliance. The CoP is not legally binding on its own, but the Commissioner of Critical Infrastructure can issue directives based on it. Non-compliance with these directives can lead to penalties, making the CoP a key reference for CIOs looking to align with cybersecurity expectations.
The CoP defines what constitutes a Critical Computer System (CCS), highlighting the need for robust cybersecurity measures. It categorizes obligations into three areas: organizational, preventive, and incident reporting/response. For organizational requirements, CIOs must maintain an active business presence in Hong Kong, not just a mailing address. The preventive obligations include notifying authorities about material changes to systems and submitting a comprehensive security management plan. The CoP specifies what qualifies as material changes, such as major software updates or significant infrastructure alterations.
For incident response, the CoP mandates participation in security drills, which test a CIO's readiness for potential cyber incidents. These drills, required no more than once every two years, do not involve live systems and so will not disrupt operations. The CoP also outlines the qualifications needed for auditors assessing compliance with security management plans and emphasizes the importance of objective audits. This structured approach aims to bolster the cybersecurity framework for critical operations in Hong Kong.