Hong Kong’s proposed cybercrime reform – What businesses need to know

In January 2026, the Law Reform Commission of Hong Kong published its report on Cyber-Dependent Crimes and Jurisdictional Issues (the "Report"), following a consultation paper issued in July 2022. The Report recommends introducing bespoke cybercrime legislation to supplement the existing computer related offences under the Crimes Ordinance (Cap. 200) ("CO") and the Telecommunications Ordinance (Cap. 106), together with enhanced penalties and extraterritorial jurisdiction to strengthen enforcement. To mitigate the risk of criminalising otherwise legitimate conduct, the Report also recommends introducing several new statutory defences.

While these recommendations may evolve as the study progresses and may take some time before implementation, they represent a positive step towards modernising Hong Kong’s cybercrime framework. At the same time, to avoid being unwarily caught by the broadened criminal offences, businesses should stay abreast of legislative developments and continue to review their policies on cybersecurity, data storage/dissemination, use of AI and related operational practices.

At a glance: The five new proposed offences

Apart from the proposed offence of illegal interception of computer data, the Report recommends establishing both a basic and an aggravated form for each of the five offences. Note that:

• Basic offences are triable summarily and carry a recommended maximum sentence of two years’ imprisonment.
• Aggravated offences are triable only on indictment and, for most offences, attract a maximum sentence of 14 years’ imprisonment.
• However, for the aggravated offences of illegal interference with computer data and illegal interference with computer systems, the Report recommends a maximum penalty of life imprisonment, reflecting the potential severe consequences of such conduct.

Key procedural changes

Expanded extraterritorial jurisdiction

The Report recommends extending the jurisdiction of Hong Kong courts to prosecute cybercrime offences committed overseas where a sufficient connection to Hong Kong exists, such as:

• cases where the victim is connected to Hong Kong (e.g. a Hong Kong resident or a company carrying on business in Hong Kong);
• the victim was physically present in Hong Kong when the offence was committed;
• the target computer, program or data is in Hong Kong; or
• the conduct causes or threatens serious damage to Hong Kong's infrastructure, public authorities, or security.

Extended limitation period

The Report also recommends extending the limitation period for summary offences from six months to two years, starting from the date on which the offence was discovered.

Practical takeaways

The Report marks only the first phase of a three-stage study on cybercrime. As such, these recommendations may evolve as the study progresses and take time to come into effect. For example, what is unclear is the extent (if any) to which the proposed reforms intend to address the regrettably common cybercrime scenario in which both the victim and fraudster are outside Hong Kong but stolen monies are routed through a Hong Kong bank account as the initial steps towards putting those assets out of the reach of the victim.

Nevertheless, the reforms, if implemented, could provide the enforcement authorities with more flexibility and ammunition to take action against a broader range of cybercrimes. The proposed extended extra-territorial effect could also provide assistance to businesses or individuals in Hong Kong who fall victims to cybercriminals located outside the jurisdiction.

At the same time, the proposed reforms would significantly broaden the scope criminal liability and potentially expose legitimate businesses and individuals to heightened compliance risks.

To mitigate these risks, businesses operating in or with Hong Kong should proactively review their cybersecurity policies, particularly around storage, distribution, and interception of data, including both employee and customer information. Businesses should also remain especially attuned to compliance risks arising from the implementation of AI and other emerging technologies. Strengthening internal governance and safeguards now will reduce exposure as the legislative landscape continues to evolve.

Authored by Eugene Low, Byron Phillips, Tommy Liu, Catharine Lau, and Camilla Cerruti.