The Security Bureau on Wednesday said it might give more time to companies providing essential services to report serious security incidents.
This came after the bureau concluded a one-month consultation exercise on a proposed new law to enhance the protection of computer systems of critical infrastructures.
There were 53 submissions and all but one supported the legislation.
The proposed new law will cover eight sectors such as banks, electricity suppliers and telecommunication services.
Operators are required to report serious security incidents within two hours under the proposed framework.
But a bureau spokesman said the period might be extended to 12 hours considering the practical difficulties.
Penalties ranging from HK$500,000 to HK$5 million will apply to organisations that fail to comply.
When the computer systems of critical infrastructures are disrupted, the government will empower a commissioner’s office to investigate and check whether it is caused by an attack, the spokesman said.
The spokesman added that if incidents such as the recent outage involving Microsoft happen again, authorities will try to find out what caused the problem.
If it is only a technical glitch, it won‘t be regulated by the new law, the spokesman said.
The government hopes to table the bill to the Legislative Council by the end of the year.