Macau: Cybersecurity rules

Author: | Published: 8 Jul 2019

Riquito Advogados

Address

Suite 1004 AIA Tower, 251A-301 Av. Comercial de Macau
Macau SAR

Telephone

+853 2838 9918

Fax

+853 2838 9919

Subject to a vote this month at the Macau Legislative Council (LegCo) is the Cybersecurity Bill. This Bill aims to bring Macau up to speed as regards the protection of the institutions and citizens of Macau against the malfunctioning of the computer systems of the public and private entities that operate critical infrastructures, in particular against unauthorised actions such as hacking.

Subject to this Bill generally are all public services and governmental institutions, and also private entities that operate in key sectors of society. The latter includes, for example, healthcare, banking, food and energy supply, gaming and transportation, inter alia, irrespective of their title (in other words, public services concessionaires, service providers, and so on).

The Bill lays out a wide range of duties and obligations with which the subject entities must comply, specifically: (1) organic obligations (for example, to create cybersecurity management departments and provide them with adequate means); (2) a set of procedural, preventive and reactive obligations (for example, the drafting and implementation of a cybersecurity management regime and internal operational-related procedures); (3) auto-evaluation and reports; and (4) cooperation duties.

The breaching of such duties would result in fines, but the defaulting entity may also be prevented from participating in and bidding on public tenders or obtaining public subsidies or benefits, for a period of up to two years.

The provisions of this new Bill (should it be approved by the LegCo) will be implemented and supervised by the Commission for Cybersecurity (chaired by the Macau Chief Executive), the Alert and Response Centre for Cybersecurity Incidents and the Supervising Entities of Cybersecurity.

Because the digital world is subject to permanent change, the Cybersecurity Bill does not prescribe specific measures for cyber protection, leaving the matter for further regulation by the above-mentioned supervising entities.

João Nuno Riquito
Bruno Almeida