
Information and Communications Technology (ICT) Equipment and Systems

Responsible Authority:

Office of the Telecommunications Authority
Office of the Government Chief Information Officer (in respect of recognition of certification authorities)


Ordinance(s)/Regulation(s) and Brief Description:

The Telecommunications Ordinance (Cap 106) outlines the competition safeguard, interconnection and access arrangements to telecommunications services, licensing procedures and the powers of the Telecommunications Authority over certain technical areas. In particular, under sections 32D and 32E of the Ordinance, the Telecommunications Authority may prescribe standards and specifications as well as the certification requirements for telecommunications equipment for certain purposes.

The Electronic Transactions Ordinance (Cap 553) (ETO) was enacted in 2000 to provide a legal regime for conducting secure electronic transactions. The ETO, as amended in June 2004, gives electronic records and signatures the same legal status as that of their paper-based counterparts and provides a voluntary recognition scheme for certification authorities (CAs). A signature requirement under a rule of law is met by any form of electronic signature where no government entity is involved, subject to conditions as to reliability and appropriateness in relation to specific circumstances and consent of the parties concerned. For a signature requirement under a rule of law in transactions involving government entities, a digital signature is required.

Under the voluntary recognition scheme for CAs, CAs may apply to the Government Chief Information Officer (GCIO) for recognition on a voluntary basis. Recognition will only be granted to those CAs that meet the trustworthiness standard and other requirements of the Government. In accordance with the ETO, all recognized CAs have to comply with the requirements of the Code of Practice for Recognized Certification Authorities (Code of Practice) published by the GCIO.


Conformity Assessment Mechanism:

Pre-market certification:

Telecommunications Equipment

The certification requirement of telecommunications equipment is divided into two parts, namely Voluntary Certification Scheme (VCS) and Compulsory Certification Scheme (CCS). Certification of telecommunications equipment under VCS is voluntary. However, manufacturers and suppliers should ensure that their equipment complies with relevant specifications. The telecommunications equipment under the CCS must be certified by the Telecommunications Authority before it can be connected to the public telecommunications network, marketed or used.

Electronic Transactions

Under the ETO, there is no mandatory licensing requirement for CAs to operate in Hong Kong, China. CAs may apply to GCIO for recognition on a voluntary basis. Application for recognition as a recognized CA is a two-stage process. During the first stage, an applicant applies to GCIO for approval to engage an independent assessor for the preparation of an assessment report. During the second stage, the applicant submits an application for recognition as a recognized CA, and furnishes GCIO with the required particulars and documents including the assessment report and a statutory declaration.

A recognized CA may apply to GCIO for recognition of its digital certificates. An application for recognition of certificates may be submitted simultaneously with an initial application for recognition as a recognized CA, or may be submitted after the initial application.

The list of CAs and their digital certificates that have been granted recognition under the ETO is published in the disclosure record maintained by GCIO for the recognized CAs.

Post-market surveillance:

Telecommunications Equipment

The Telecommunications Authority acts on complaints and conducts sample checks to ensure compliance.

Electronic Transactions

As required under the ETO, a recognized CA shall furnish the GCIO with an assessment report and a statutory declaration at least once every 12 months. In addition, a recognized CA may also be required to furnish the GCIO with an assessment report and a statutory declaration regarding major changes that have occurred or will occur. The assessment report shall be prepared by an independent assessor approved by the GCIO and shall contain an assessment with regard to the recognized CA's compliance with those provisions of the ETO and the Code of Practice concerning trustworthiness of the recognized CA's systems and operation. The statutory declaration is to be made by a responsible officer of the recognized CA in respect of the recognized CA's compliance with other relevant provisions of the ETO and the Code of Practice.

A recognized CA shall submit progress reports to GCIO at 6-month intervals containing information including the number of digital certificates issued, its performance against its stated service levels, changes in organisational structure or systems, and actions taken by the recognized CA to address recommendation(s) made in an assessment report submitted by the recognized CA to GCIO.

GCIO may suspend or revoke the recognition of a recognized CA or its recognized certificates in the event that the recognized CA has failed to comply with relevant provisions of the ETO or the Code of Practice.


Standards:

Telecommunications Equipment

  • Domestic Standards Made: HKTA Specifications (a list of which can be viewed at OFTA's website)

Electronic Transactions

  • International/National Standards Accepted: RFC 3280 Internet X.509 PKI Certificate and CRL Profile
