How Cymulate Supports Hong Kong's 2025 Protection of Critical Infrastructure Ordinance
In March 2025, Hong Kong's Protection of Critical Infrastructure (Computer System) Ordinance was enacted and will go into effect in 2026.
Critical infrastructure (CI) operators, meaning the designated critical infrastructure organizations, face a range of new cybersecurity requirements. These obligations aim to protect the city's essential services from cyber threats by mandating rigorous cybersecurity risk assessments, audits, emergency response plans and more. The primary goal is to minimize disruption to essential services from cyberattacks.
Cymulate is uniquely positioned to help CI Operators meet these requirements effectively and efficiently. Here’s how Cymulate supports organizations in achieving full compliance with the ordinance.
Demonstrating Compliance with Security Requirements
The 2025 CII Ordinance mandates a series of assessments, audits and ongoing security management activities, which include penetration testing. Cymulate enables organizations to demonstrate compliance through its exposure management platform, which executes real-world attack tests built from the latest threat intelligence to determine whether security controls mitigate those attacks. Effectively, this serves as continuous automated penetration testing. The continuous aspect is critical: because threats evolve and business and user needs change, resilience must be demonstrated and maintained on an ongoing basis rather than at a single point in time. Testing results include documented evidence of security control effectiveness.
- Section 24: Obligation to conduct computer-system security risk assessments
- Section 25: Obligation to carry out computer-system security audits
- Schedules 4 & 5: Specify what must be covered in risk assessments and audits
By running simulations and generating dashboards and detailed reports, Cymulate provides organizations with documentation for both compliance and risk mitigation efforts, offering proof of due diligence during regulatory reviews.
Validating Security Controls Effectiveness
The ordinance emphasizes the ongoing management of security controls for critical systems.
- Section 21(1)(a): Obligation to manage the computer-system security of critical computer systems
- Section 23: Requires submission and implementation of a computer-system security management plan
The Cymulate platform, powered by breach and attack simulation (BAS), integrates with and validates the effectiveness of security technologies across device, network, application, data and cloud – verifying whether prevention and/or detection is in place for each executed attack test. This gives CI operators visibility into their exposures and security gaps and supports them in showing regulators the effectiveness and resilience of their deployed security technologies.
Identifying and Addressing Vulnerabilities
The CI Bill requires CI operators to conduct yearly risk assessments to identify system weaknesses that can be exploited, prioritize these risks, determine the impacts, understand risk tolerance and develop remediation plans.
- Section 24: Requires CI Operators to conduct yearly risk assessments
- Schedule 4: Outlines the components of the risk assessment and the steps CI operators are required to take for identified vulnerabilities and risks
With automated exposure management, Cymulate integrates with vulnerability management and asset discovery tools to provide a holistic view of all exposures. This asset exposure data is correlated with threat intelligence, business context and existing prevention and detection findings to calculate true risk scores, so CI operators can focus on their exploitable gaps – their most critical risks – to improve threat resilience. The platform continuously uncovers exploitable vulnerabilities using safe, controlled attack simulation and allows CI Operators to prioritize and remediate with automation before real attackers can exploit them.
Within the platform, Cymulate offers Custom Attacks that streamline the creation of relevant, sophisticated attack simulations. With a user-friendly platform, security teams can quickly build, customize and reuse advanced individual or chained attack simulations.
Risk Assessment with Real-World Simulations
Understanding theoretical risks isn't enough. Cymulate shows how real threats behave in your environment, providing an evidence-based picture of your current security posture and gaps.
- Section 24: Risk assessments must consider potential threats and system vulnerabilities
- Schedule 4: Requires vulnerability and impact assessments
With attack scenarios tailored to emerging threats, Cymulate enables organizations to quantify their risk exposure. Its Phishing Simulation Add-on plays a vital role by assessing employee susceptibility to social engineering, one of the most common attack vectors.
These phishing campaigns measure employee risk exposure, directly contributing to the required assessment under Section 24 and Schedule 4.
Cymulate also offers Attack Path Discovery to safely test for lateral movement, uncover hidden attack paths and identify real-world exposures. It delivers actionable visibility into security gaps — prioritizing remediation based on actual risk, not assumptions. In this way you validate whether attackers could move across your network, compromise user credentials and access sensitive data.
Incident Response Readiness Testing
To comply with emergency preparedness mandates, CI Operators must regularly test their incident response capabilities.
- Section 27: Requires submission and implementation of an emergency response plan
- Schedule 3: Defines the policies and incident handling guidelines required
Attack Simulation from Cymulate evaluates how well incident response plans hold up under pressure. By simulating a ransomware outbreak, privilege escalation or lateral movement, Cymulate helps uncover gaps in detection, response and recovery — allowing CI Operators to enhance their playbooks accordingly.
Enhancing Cybersecurity Awareness & Training
Simulations not only assess infrastructure but also serve as training tools. They provide real-time feedback and educational value to SOC teams and broader security personnel.
Cymulate empowers security teams with:
- Insight into real-world attack paths
- Understanding of attack detection and response weaknesses
- Awareness of human factors in phishing and social engineering scenarios
This aligns with the ordinance’s overarching goal of raising cybersecurity maturity across all levels of an organization.
Continuous Improvement of Security Posture
Compliance is not a one-time event. The CII Ordinance encourages ongoing improvement of cybersecurity frameworks and controls.
Cymulate supports this by:
- Continuously testing existing and newly deployed controls
- Providing prioritized remediation guidance
- Monitoring for security drift and reporting on trends
- Delivering metrics and dashboards for executives and regulators alike
By identifying where CI Operators are most vulnerable, with actionable dashboards and remediation guidance, Cymulate ensures that organizations not only meet the baseline for compliance but also continuously evolve their posture to stay ahead of adversaries. This supports the CI Bill's goal of minimizing service disruption from cyberattacks.
Final Thoughts
Hong Kong’s 2025 CII Ordinance places cybersecurity at the core of national resilience. As CI Operators race to meet the technical and procedural requirements of the law, Cymulate offers a practical, powerful toolkit that is easy to implement and execute for achieving and maintaining compliance. With its ease of use, AI and automation features, Cymulate makes automated exposure validation achievable for organizations of all sizes and technical maturity levels.
From risk assessments and automated vulnerability assessments (Section 24) to audits (Section 25), and from security management plans (Section 23) to incident response readiness (Section 27), Cymulate supports the full compliance lifecycle with real-world simulations, actionable insights and measurable outcomes.
For CI Operators in Hong Kong, Cymulate isn't just a compliance enabler — it's a strategic cybersecurity partner for the future.
If you’re looking for more information on the ordinance, we can help.
Join Ensign and Cymulate for a focused 40-minute session on September 26 at 11 am HKT designed for cybersecurity leaders, compliance owners and CII operators across the Greater China Region.
In this session, you’ll learn:
- Ensign’s latest insights from the Cyber Threat Landscape 2025 report
- How organizations in Hong Kong can prepare using MITRE ATT&CK
- What “threat-informed defense” means for CII operators, today