Macau: Cybersecurity rules
IFLR is part of the Delinian Group, Delinian Limited, 4 Bouverie Street, London, EC4Y 8AX, Registered in England & Wales, Company number 00954730
Copyright © Delinian Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement

Macau: Cybersecurity rules

Sponsored by

Digital cybersecurity and network protection

Subject to a vote this month at the Macau Legislative Council (LegCo) is the Cybersecurity Bill. This Bill aims to bring Macau up to speed as regards the protection of the institutions and citizens of Macau against the malfunctioning of the computer systems of the public and private entities that operate critical infrastructures, in particular against unauthorised actions such as hacking.

Subject to this Bill generally are all public services and governmental institutions, and also private entities that operate in key sectors of society. The latter includes, for example, healthcare, banking, food and energy supply, gaming and transportation, inter alia, irrespective of their title (in other words, public services concessionaires, service providers, and so on).

The Bill lays out a wide range of duties and obligations with which the subject entities must comply. Specifically, (1) organic obligations (for example, to create cybersecurity management departments and provide them with adequate means); (2) the institution of a set of procedural, preventive and reactive obligations (for example, the drafting and implementation of a cybersecurity management regime and internal operational-related procedures); (3) auto-evaluation and reports; and, (4) cooperation duties.

The breaching of such duties would result in fines, but the defaulting entity may also be prevented from participating in and bidding on public tenders or obtaining public subsidies or benefits, for a period of up to two years.

The provisions of this new Bill (should it be approved by the LegCo) will be implemented and supervised by the Commission for Cybersecurity (chaired by the Macau Chief Executive), the Alert and Response Centre for Cybersecurity Incidents and the Supervising Entities of Cybersecurity.

Whereas the digital world is subject to permanent change, the Cybersecurity Bill does not prescribe specific measures for cyber protection, hence leaving the matter for further regulation by the above mentioned supervising entities.


João Nuno Riquito

Bruno Almeida

Gift this article