Subject to a vote this month at the Macau Legislative
Council (LegCo) is the Cybersecurity Bill. This Bill aims to
bring Macau up to speed as regards the protection of the
institutions and citizens of Macau against the malfunctioning
of the computer systems of the public and private entities that
operate critical infrastructures, in particular against
unauthorised actions such as hacking.
Subject to this Bill generally are all public services and
governmental institutions, and also private entities that
operate in key sectors of society. The latter includes, for
example, healthcare, banking, food and energy supply, gaming
and transportation, inter alia, irrespective of their
title (in other words, public services concessionaires, service
providers, and so on).
The Bill lays out a wide range of duties and obligations
with which the subject entities must comply. Specifically, (1)
organic obligations (for example, to create cybersecurity
management departments and provide them with adequate means);
(2) the institution of a set of procedural, preventive and
reactive obligations (for example, the drafting and
implementation of a cybersecurity management regime and
internal operational-related procedures); (3) auto-evaluation
and reports; and, (4) cooperation duties.
The breaching of such duties would result in fines, but the
defaulting entity may also be prevented from participating in
and bidding on public tenders or obtaining public subsidies or
benefits, for a period of up to two years.
The provisions of this new Bill (should it be approved by
the LegCo) will be implemented and supervised by the Commission
for Cybersecurity (chaired by the Macau Chief Executive), the
Alert and Response Centre for Cybersecurity Incidents and the
Supervising Entities of Cybersecurity.
Whereas the digital world is subject to permanent change,
the Cybersecurity Bill does not prescribe specific measures for
cyber protection, hence leaving the matter for further
regulation by the above mentioned supervising entities.
|João Nuno Riquito