OLN

OLN Marketing

Are You Ready for Madrid?

by

Are you ready for Madrid – not for a relaxing holiday or to watch your favourite football team, but to extend your trade mark (brand) protection internationally.

In this context, “Madrid” refers to the Madrid System for the International Registration of Marks, an international framework administered by the World Intellectual Property Organization (“WIPO”). The system enables the trade mark owners to seek protection in multiple jurisdictions through a single application filed in one language, under one set of fees, thereby streamlining the international filing process and reducing administrative burdens.

Madrid System and Hong Kong: Current Position

At present, it is not yet possible to designate Hong Kong under the Madrid System, nor to file an international trade mark application through the Hong Kong Trade Marks Registry. The Hong Kong Government enacted the Trade Marks (Amendment) Ordinance 2020 to establish the legal framework for implementing the Madrid Protocol, but the relevant provisions will only take effect on a date to be appointed once all necessary preparatory work has been completed.

Recent government policy updates confirm that preparatory work for Hong Kong’s participation in the Madrid Protocol remains ongoing, and that implementation will only commence after the completion of legislative, IT and related arrangements. As of early 2026, no official commencement date or target year has been announced, and there is still no confirmed timetable for when the Madrid System will be extended to Hong Kong.

In anticipation of Hong Kong’s future participation in the Madrid System, it is helpful to understand the key filing requirements.

Basic Requirements for a Madrid Application

1. Eligibility

To use the Madrid System, an applicant must have a real and effective connection with at least one Madrid member. You will qualify if you:

  • are a national of, domiciled in, or have an industrial or commercial establishment in a Madrid member; and
  • have already filed or registered a trade mark (the “basic mark”) with the IP office of that member (the “Office of Origin”).

2. Basic mark requirement

Before filing an international application, you must already have filed or registered a national or regional trade mark in your Office of Origin. This “basic mark” must:

  • be the same mark;
  • be owned by the same proprietor; and
  • cover goods and/or services that are identical to, or narrower than, those claimed in the international application.

3. International application

The international application must:

  • be filed through the Office of Origin (not sent directly to WIPO);
  • use the prescribed WIPO form MM2 or a recognised e‑filing tool such as eMadrid or the Madrid Application Assistant;
  • match the particulars of the basic mark (owner details, mark representation, goods/services); and
  • designate at least one Madrid member, with payment of the WIPO basic fee plus the relevant per‑member or per‑class fees.

4. Examination and Grant of Protection

Once your Office of Origin has certified and forwarded the international application, WIPO conducts a formalities examination only, checking fees, classification and technical compliance. If the application does not comply, WIPO issues an irregularity notice to you and the Office of Origin, usually allowing a limited period (commonly three months) to correct the deficiencies.

If the formal requirements are met, WIPO records the mark in the International Register, publishes it in the WIPO Gazette of International Marks, issues a Certificate of International Registration, and notifies each designated IP office. Each designated national or regional office then carries out its own substantive examination under local trade mark law and must grant or refuse protection within a prescribed time limit, typically 12 or 18 months from notification.

If the mark is accepted, it is protected in that jurisdiction as if registered directly at the national or regional office. If protection is provisionally refused, you may need to appoint local counsel in that jurisdiction to respond or appeal in accordance with local procedures.

How to Protect Your Trade Mark in Hong Kong Now

As Hong Kong has not yet implemented the Madrid System, trade mark protection in Hong Kong can only be obtained by filing a separate application directly with the Hong Kong Trade Marks Registry.

At this stage, Hong Kong cannot be designated in an international registration under the Madrid System, and international applications cannot be filed through the Hong Kong Registry as an Office of Origin.

Where brand owners are also seeking protection in other jurisdictions that are members of the Madrid System, they will typically need to pursue two parallel routes:

  • file a standalone local application in Hong Kong for protection in the Hong Kong market; and
  • either file separate national or regional applications in other territories, or, where available, make use of the Madrid System via an eligible Office of Origin outside Hong Kong (for example, through an associated company or establishment in a Madrid member country).

This approach reflects the current reality: Hong Kong remains a separate, locally‑filed registration, while the Madrid System may be used only for those jurisdictions where it is already in force and where the applicant otherwise meets the eligibility requirements.

Getting Ready for Madrid in Hong Kong

As Hong Kong moves toward future implementation of the Madrid Protocol, it is prudent for brand owners to ensure that their key marks are already filed and registered in Hong Kong so that they can satisfy Madrid eligibility requirements once the system becomes available locally.

Our firm would be pleased to assist you with filing and maintaining trade mark registrations in Hong Kong and with developing an international filing strategy to take full advantage of the Madrid System when it is launched here.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

Hong Kong Company Re-Domiciliation Regime: A New Gateway for International Businesses

by

From 23 May 2025, Hong Kong has introduced a modern company re-domiciliation framework that allows overseas companies to relocate their place of incorporation to Hong Kong without creating a new legal entity. The initiative, implemented under the Companies (Amendment) (No. 2) Ordinance 2025, is designed to strengthen Hong Kong’s appeal as a premier international business centre and to encourage inward corporate migration.

This new regime provides a practical solution for multinational groups seeking legal certainty, tax efficiency, and continuity when restructuring their global footprint.

Overview of the Re-Domiciliation Framework

Under the Hong Kong re-domiciliation regime, an eligible foreign company may transfer its corporate domicile to Hong Kong while preserving its legal identity. The company continues uninterrupted, retaining its assets, liabilities, contractual rights, and legal proceedings.

Once approved, the re-domiciled entity is treated in the same way as a company originally incorporated in Hong Kong and becomes subject to the Companies Ordinance and other applicable local legislation.

Key Characteristics of the Regime

The regime offers several defining features that distinguish it from traditional corporate migration options:

  • Eligible Company Types
    The regime applies to non-Hong Kong companies comparable to Hong Kong private companies limited by shares, public companies limited by shares,  private unlimited companies with share capital and public unlimited companies with share capital.  Companies limited by guarantee without share capital are excluded.
  • No Economic Substance Threshold
    There is no minimum size, turnover, or sector requirement, making the regime accessible to a broad range of businesses.
  • Retention of Legal Structure
    Companies must re-domicile using their existing legal form. Conversion into a different corporate type is not permitted as part of the process.
  • Full Local Status After Migration
    Once re-domiciled, the company is regarded as a Hong Kong-incorporated entity for corporate law purposes.
  • Inbound-Only Mechanism
    The regime allows migration into Hong Kong but does not provide a statutory route for companies to migrate out.
  • Ongoing Compliance Obligations
    Re-domiciled companies must maintain a registered office in Hong Kong and comply with all applicable filing, governance, and statutory requirements.

Strategic Benefits of Re-Domiciling to Hong Kong

Re-domiciliation offers significant commercial and operational advantages:

Continuity of Business Operations

The company’s existence remains uninterrupted. There is no liquidation, asset transfer, or novation of contracts, which helps preserve commercial relationships and regulatory approvals.

Cost and Time Efficiency

By avoiding dissolution and re-incorporation, companies reduce administrative burden, professional fees, and execution risk.

Eligibility Requirements

To qualify for re-domiciliation, a company must satisfy both jurisdictional and corporate conditions.

Legal Eligibility
  • Permission Under Home Jurisdiction Law
    The laws of the company’s original jurisdiction of incorporation must allow outbound re-domiciliation (for example, permitted in the BVI and Cayman Islands but restricted in certain jurisdictions such as Bermuda).
  • Comparable Corporate Form
    The company must closely correspond to one of the eligible Hong Kong company types.
  • Operating History
    The company must have completed at least one full financial year prior to applying.
Financial and Integrity Safeguards

The regime incorporates safeguards to protect stakeholders and the integrity of the process:

  • Solvency Confirmation
    The company must not be in liquidation or receivership. Directors are required to certify solvency.
  • Good Faith Requirement
    Applications must be made genuinely and not for improper or abusive purposes.
  • Member and Creditor Protection
    Approval from at least 75% of members is required, and creditors must be formally notified of the proposed re-domiciliation.

Re-Domiciliation Application Process

When documentation is complete, the re-domiciliation procedure typically takes around two weeks.

Key documents include:

  • Proposed Articles of Association aligned with Hong Kong requirements
  • Legal opinion from the original jurisdiction confirming eligibility and compliance
  • Director’s certificate confirming solvency and good faith
  • Recent financial statements (audited or unaudited, dated within the last 12 months)
  • Prescribed application forms containing corporate particulars

Upon approval, the Companies Registry issues a Certificate of Re-Domiciliation, confirming the company’s status as a Hong Kong entity.

Following re-domiciliation, the company must:

  • Deregister from its original jurisdiction within 120 days
  • File post-registration forms reporting corporate details
  • Maintain a registered office in Hong Kong
  • Appoint a Company Secretary and a Designated Representative

Hong Kong Tax Implications

Hong Kong’s territorial tax system provides clarity and potential advantages for re-domiciled companies:

  • Profits Tax
    Only profits arising in or derived from Hong Kong are subject to tax.
  • Tax Residency and Treaties
    Re-domiciled companies are generally regarded as Hong Kong tax residents for treaty purposes, subject to meeting substance and management requirements.
  • Stamp Duty
    No stamp duty is payable on the re-domiciliation itself, although subsequent transfers of shares may attract Hong Kong stamp duty.

Considerations for Regulated Industries

Companies operating in regulated sectors—such as banking, insurance, and financial services—must engage with the relevant regulators and comply with sector-specific legislation, including licensing and approval requirements under applicable ordinances.

Early regulatory engagement is strongly recommended to avoid delays.

Who Should Consider Re-Domiciling to Hong Kong?

The Hong Kong company re-domiciliation regime is particularly attractive for:

  • Businesses with existing or planned operations in Hong Kong
  • Financial institutions and insurers seeking regulatory alignment
  • Holding companies managing investment or intellectual property structures
  • Corporate groups aiming to access Hong Kong’s extensive tax treaty network
  • Multinational enterprises adapting to evolving global tax and transparency standards

Next Steps

The re-domiciliation regime offers a flexible and business-friendly route for companies seeking a stable, internationally recognised legal base in Hong Kong.

For tailored advice on whether re-domiciliation is suitable for your organisation, and for guidance on the application process, please contact us via the enquiry form.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.

遺產承辦書的簽發只是開始,而非完結 ——受益權歸屬 (vesting) 的重要性

by

在香港,當一名人士去世後,其遺產並不會自動轉移予任何人。相反,法例規定必須有人獲正式授權處理死者的遺產,而該獲授權人士必須向遺囑認證處申請並取得遺產承辦書(“承辦書”)方可行使相關權力。

然而,不少人士誤以為,一旦承辦書獲得簽發,便會自動成為死者遺產的擁有人。事實上,承辦書僅標誌着遺產承辦程序的開始——而絕非終點。

本文將解釋為何在取得承辦書後,仍須採取額外程序,方能令遺產的受益權得以正式歸屬 (亦即是, 成為真正的遺產擁有人)。

1. 承辦書的法律效力是什麼?

承辦書(即遺囑認證或遺產管理書)的簽發,只授予遺囑執行人(若有遺囑的情況)或遺產管理人(若死者無遺囑的情況)(統稱為「遺產代理人」)下列法律權力,包括:

  • 識別及收集死者的遺產;
  • 支付屬於死者的債務及開支(例如喪葬費、稅款);
  • 管理、保護及在有需要時出售遺產;
  • 最終按照遺囑或無遺囑繼承法分配遺產。

換言之,承辦書僅賦予遺產代理人處理者遺產的法律權限,但並不使其取得任何遺產的受益權。遺產代理人仍須依照相關法律程序,使遺產的受益權正式歸屬於真正有權承受的人士。

2. 進行「歸屬」(Vesting)的必要性

「歸屬」(vesting)是指將遺產的受益權正式轉移予有權承受的人士的法律程序 — 無論該人士是遺囑下的受益人,或(在無遺囑的情況下)具有承受權的遺產管理人本人。

視乎資產類型,完成受益權歸屬可能需要不同正規形式的程序,包括:

  • 樓宇、土地、不動產:簽署「允許書」(assent)並向土地註冊處等相關部門更新紀錄;
  • 銀行存款或股份:向有關銀行或金融機構發出指示,辦理轉移手續;
  • 其他資產:例如轉讓合約權利、商業權益或進行實物交付等。

只有當完成整個「歸屬」程序後,有關人士方真正成為該項遺產的實質(受益)擁有人

3. 當遺產代理人同時亦為受益人時

遺產代理人同時亦為遺產受益人的情況屢見不鮮。然而,即使如此,「受益權歸屬」程序仍然必須履行。

原因在於:遺產代理人在歸屬程序完成前,僅以遺產代理人的身分持有遺產,而非以個人身分擁有該等資產。

此做法可確保:

  • 遺產帳目處理正確;
  • 保障債權人的合法權益;
  • 避免遺產被不當佔用;
  • 使遺產分配過程清晰、透明並具最終性。

取得遺囑認證書或遺產管理書固然是遺產承辦程序的重要一步,但絕非終結。

遺產代理人仍須完成「受益權歸屬」程序,方能將遺產的受益權正式轉移予相關承受人—包括受益人,或在適當情況下轉移至其本人。

區分「行政管理權」與「實質擁有權」是遺產法中的核心概念,有助確保亡者的遺產得到妥善保護及公平分配。

我們的資深律師林彩玉(Kacy Lam)在準備土地文件(包括同意書)和處理土地事務方面經驗豐富。因此,我們不僅可以協助客戶辦理遺囑認證申請,還可以協助辦理後續的產權歸屬手續。如有任何疑問,歡迎隨時與我們聯繫

免責聲明:本文僅供參考。本文內容不應被視為香港法律意見或就此向任何人提供的任何法律建議。 高李嚴律師行對任何人因依賴本文內容而遭受的任何損失和/或損害概不負責

Enduring Power of Attorney (EPOA), Committeeship, and Guardianship in Hong Kong

by

How do you protect family assets when mental health deteriorates? As life expectancy rises in Hong Kong, more and more of us are living into our golden years. But with age comes a potential decline in mental capacity. Lacking the legally required mental capacity, we are unable to engage in the most basic of financial transactions such as heading to the bank to withdraw money to pay hospital bills.

Enduring Power of Attorney (EPOA)

To avoid the situation where institutions and authorities refuse to accept your instructions on financial transactions on the basis of your lack of mental capacity, one should consider setting up an Enduring Power of Attorney (EPOA). Under the Enduring Powers of Attorney Ordinance, an EPOA allows you to choose a trusted individual to manage your property and financial affairs in the event mental incapacity sets in.

There are a few technical requirements that must be met before an EPOA becomes valid. The most important one is that the document must be witnessed by a Hong Kong solicitor and certified by a Hong Kong doctor, usually a psychiatrist, who conducts a mental capacity test and confirms that you have the requisite mental capacity to be signing over your rights to another person.

To protect your EPOA from future challenges, you should ask your solicitor if periodic assessments or renewal of the EPOA is recommended.

Committeeship

If no EPOA is in place before the person becomes mentally incapable, families will need to apply to the court for Committeeship under Part II of the Mental Health Ordinance. The application is expensive and takes a long time and every year the guardian must report to the court on monies spent.

Guardianship

Whilst the Enduring Power of Attorney deals with the financial affairs of a person, a guardianship order is focused on the welfare and day-to-day care of a mentally incapacitated person.

If you would like to have a confidential discussion about creating or challenging an EPOA, applying for guardianship, or have questions about other aspects of estate planning, please feel free to contact us. We’re here to help.

Estate Planning in Hong Kong

by

Have you made preparations to ensure your loved ones will receive the assets you worked hard to acquire? Or is this something you keep postponing? Thinking about the topic of death can feel overwhelming. However, without a Will, your assets will be distributed in accordance with Hong Kong legislation which may not reflect your wishes.

Let’s explore some critical considerations before drafting a Will.

First, you should identify the persons who will inherit. Those are the beneficiaries. It’s also vital to have a contingency plan in case one of your beneficiaries predecease you.

Secondly, select an executive will be responsible for applying to the court for probate and upon the granting of a court order, engaging in the actual distribution of your assets. For example, dealing with the banks to access items stored in safety deposit boxes and handing over cash to beneficiaries.

Additionally, you should carefully consider how and where you will store your Will.

In addition to drafting a Will, if you wish to ensure that your finances are well taken care of in the event you become mentally incapacitated, you should think about establishing an Enduring Power of Attorney (EPOA). This document is effective only during your lifetime and enables you to designate a trusted individual to manage financial matters on your behalf, such as paying hospital bills, engaging in real estate transactions, and handling other financial matters.

The reason an Enduring Power of Attorney (EPOA) is needed in the event you become mentally unable is because financial institutions and other authorities will not accept your instructions once they learn of your mental incapacity.

Ultimately, effective estate planning protects both you and your loved ones. Even with a Will in place, disputes can arise, potentially leading to lawsuits, which can drag on for years and become expensive. Often, death is an emotionally charged event and can cause people to become different from their usual selves.

If you would like to discuss how to effectively plan your Will, please feel free to reach out to us anytime.

Issues to Consider Before Signing a Service Agreement with a Critical Infrastructure Operator

by

Imagine receiving an unexpected request from the Commissioner’s Office for your firm’s network diagrams and system details. This is a pre-designation inquiry under Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653). The OCCICS FAQs make clear that authorities use this power to assess whether your organisation should be designated as a Critical Infrastructure Operator (CIO).

Designated CIOs must fulfil obligations under three categories: organisational, preventive, and reporting. While CIOs cannot delegate ultimate accountability (OCCICS FAQ 6), they typically work with service suppliers — cloud providers, IT vendors, managed security firms — to meet these requirements. This creates “flow-down” obligations for suppliers through detailed compliance clauses in service agreements.

Below is a comprehensive guide to eight key issues, explaining the CIO’s legal duties under the Ordinance, the supplier’s perspective, and practical negotiation points to achieve balanced terms.

1. Basic Definitions

CIOs have a legal obligation to identify and designate Critical Computer Systems (CCSs) under section 13, focusing on those where disruption would seriously affect society or the economy. They cannot delegate core accountability (OCCICS FAQ 6 stresses that outsourcing does not relieve them of responsibility).

From a supplier’s viewpoint, overly broad or ambiguous definitions can unexpectedly widen liability and compliance burdens. The Ordinance defines a”computer system” broadly as any device or group of interconnected devices that processes, stores, or transmits data electronically (s.2). A “security incident” covers any unauthorized or adverse event affecting a CCS, including breaches, malware, ransomware, or integrity compromise (s.2 and Code of Practice v1.0).

Key negotiation points: Insist on precise definitions that limit the agreement’s scope to the specific services you provide. Explicitly exclude non-relevant systems and agree on clear triggers for what constitutes a reportable incident (e.g., excluding routine hardware failures or non-cyber events). This prevents overreach and protects against unintended regulatory exposure.

2. Incident Reporting Obligations

CIOs bear the ultimate duty to report serious incidents within 12 hours and others within 48 hours (initial notification) plus a 14-day written report (Code of Practice v1.0, Category 3). They must ensure supply chain partners support this process without shifting the primary reporting burden.

Suppliers should restrict their role to prompt internal notification to the CIO, avoiding direct regulatory reporting obligations that could complicate liability.

Key negotiation points: Require the supplier to alert the CIO within a tight window (e.g., 2–4 hours) of detecting any potential incident affecting the CIO’s systems. Include detailed joint response protocols for containment, eradication, and recovery. Negotiate clear cost allocation for investigations, external forensics, or regulatory assistance, and establish mutual timelines that align with the CIO’s reporting deadlines to avoid cascading delays.

3. Limitation of Liability

CIOs face significant fines up to HK$5 million for non-compliance (s.58), so they seek strong contractual protections against supplier-related risks. Suppliers must avoid unlimited or disproportionate exposure, especially since CIOs cannot fully transfer their regulatory liability.

Key negotiation points: Aim for a reasonable overall cap, such as 1–3 times the fees paid in the preceding 12 months. Explicitly exclude indirect, consequential, or punitive losses. Carve out exceptions only for gross negligence, willful misconduct, or breach of confidentiality. Negotiate balanced clauses that reflect the CIO’s primary duty while protecting the supplier from disproportionate fallout from regulatory fines or third-party claim

4. Indemnity

CIOs must ensure preventive measures extend to the supply chain (Category 2 obligations), and they remain fully liable for overall compliance. They often demand broad indemnity covering losses, regulatory fines, or third-party claims arising from supplier breaches.
Suppliers should push for mutual indemnity and limit it to direct, proven faults to avoid one-sided exposure.

Key negotiation points: Require the CIO to indemnify the supplier for issues caused by inaccurate information, CIO-provided data errors, or CIO faults. Include coverage for defense costs and a requirement for prompt notice of claims. Negotiate evidence thresholds for indemnity triggers and reasonable caps on indemnity amounts to keep exposure proportionate and fair.

5. Data Access & Processing

CIOs must conduct annual risk assessments that include data sensitivity and interdependencies (Category 2), and comply with the Personal Data (Privacy) Ordinance (PDPO) if personal data is processed.

Suppliers should restrict access to only necessary data and ensure the CIO provides accurate, complete information for processing.

Key negotiation points: Clearly define data ownership — the CIO retains title to its data. Include strict terms for purpose limitation, data minimization, security safeguards, and secure deletion or return upon termination. Negotiate provisions for supplier assistance with data subject rights requests and regulatory data access demands, while protecting the supplier’s own proprietary processes and algorithms.

6. Confidentiality

CIOs face strict secrecy obligations on designation-related information (s.57, with fines up to HK$1 million for unauthorized disclosure). They must protect sensitive data in security plans, assessments, and incident reports.

Suppliers should allow necessary regulatory disclosures while safeguarding their own intellectual property and trade secrets.

Key negotiation points: Require non-disclosure agreements (NDAs) at the Ordinance’s level of protection. Ensure confidentiality obligations survive termination for a reasonable period. Negotiate clear exceptions for legal or regulatory requirements, with prior notice to the CIO where feasible, and reciprocal protections for supplier confidential information.

7. Termination Rights

CIOs must notify material changes, such as operator cessation or significant system alterations (Category 1), and maintain operational continuity during transitions.

Suppliers should secure payment for work already performed and avoid abrupt or punitive terminations.

Key negotiation points: The CIO shall maintain the right to immediately terminate a supply contract in case of serious incident but make sure the operation of the computer system won’t be affected. Include reasonable cure periods (e.g., 30 days) for non-serious breaches before termination can take effect. Negotiate detailed transition support provisions, including data handover, continued service during wind-down, and handling of retained data to ensure a smooth and orderly exit.

8. Audits and Inspections

CIOs are required to conduct biennial independent audits (Category 2) and must permit Commissioner inspections and investigations (Part 5 powers).

Suppliers should limit the frequency, scope, and cost burden of audits while maintaining reasonable cooperation.

Key negotiation points: Grant the CIO and regulators reasonable audit rights over relevant services. Include provisions for periodic reviews and cooperation with external auditors. Negotiate clear scope restrictions (e.g., limited to services provided), advance notice requirements, and cost reimbursement or sharing mechanisms. Include reciprocal audit rights for fairness.

Final Tip

Treat the agreement as a strategic partnership rather than a defensive document. Thoroughly document all negotiations and compliance commitments — this record can support due diligence defenses under sections 65–66 if disputes arise. As of January 13, 2026, no designations have been announced, giving suppliers valuable time to negotiate balanced, protective terms.

Ready to review your draft agreement or prepare for upcoming negotiations with a CIO? Contact Oldham Li & Nie for expert, practical guidance tailored to your business.

Summary

Service suppliers contracting with Critical Infrastructure Operators (CIOs) under Cap. 653 face significant “flow-down” compliance burdens because CIOs cannot delegate ultimate regulatory accountability. The article outlines eight critical negotiation points:

  1. Definitions
    – Insist on precise scope limitations to avoid unintended regulatory exposure for systems you don’t control.
  2. Incident Reporting
    – Commit to fast internal alerts (2-4 hours) while avoiding direct regulatory reporting duties; establish clear cost allocation for investigations.
  3. Liability Caps
    – Negotiate reasonable limits (e.g., 1-3× annual fees) excluding indirect/consequential losses, with carve-outs only for gross negligence or willful misconduct.
  4. Indemnity
    – Push for mutual indemnity with evidence thresholds and caps, ensuring the CIO indemnifies you for its own faults or bad data.
  5. Data Terms
    – Confirm CIO data ownership; require purpose limitation, security safeguards, and assistance provisions for regulatory access requests.
  6. Confidentiality
    – Align NDAs with the Ordinance’s strict secrecy rules (s.57, HK$1M fines), with carve-outs for legal/ regulatory disclosures.
  7. Termination
    – Ensure mutual rights, cure periods (e.g., 30 days), and detailed transition/data handover provisions.
  8. Audits
    – Limit audit frequency/scope; negotiate advance notice, cost sharing, and reciprocal audit rights.

With no designations yet announced as of January 13, 2026, suppliers have a narrow window to negotiate balanced terms before CIO obligations take full effect.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.