OT Cybersecurity Regulation Diverges Across APAC, Forcing Global Adaptation
Asia-Pacific governments have established a fragmented landscape for operational technology (OT) cybersecurity regulations, creating compliance challenges for multinational manufacturers and service providers. Regulatory approaches range from mandatory incident reporting and resilience testing to guidance-based frameworks, resulting in significant divergence across the region.
Background
Regulatory inconsistency in APAC reflects differing national priorities and historical strategies for protecting critical infrastructure. China and Hong Kong have moved toward mandatory reporting requirements targeting OT, while countries such as Indonesia and Vietnam maintain guidance-driven approaches with limited enforcement. Concurrently, regional certification efforts and capacity-building initiatives seek to improve cross-border interoperability and resilience.
Details
China will implement Cybersecurity Incident Reporting Regulations on November 1, 2025. Critical information infrastructure operators must report serious cyber incidents within one hour; other organizations have up to four hours. Reports must include information on ransom payments. Draft amendments to China's Cybersecurity Law propose higher penalties, with possible leniency for first-time or mitigated incidents. China's Cybersecurity Incident Reporting Regulations begin November 1, 2025, requiring critical infrastructure operators to report serious incidents within one hour and non-critical operators within four hours, including ransom payment details; draft Cybersecurity Law amendments propose higher penalties but lighter treatment for certain offenders
Hong Kong's Protection of Critical Infrastructure (Computer Systems) Ordinance, enacted in March 2025 and effective in early 2026, requires designated Critical Infrastructure Operators (CIOs) to implement network monitoring, encryption, and routine risk assessments. The ordinance mandates cyber incident reporting within 12 hours for major disruptions and within 48 hours for less severe events. Hong Kong's March 2025 Protection of Critical Infrastructure Ordinance requires network monitoring, encryption, risk assessments, and incident reporting within 12 hours for major incidents and 48 hours for others
In contrast, Southeast Asian countries such as Indonesia and Vietnam focus on voluntary guidelines. Singapore's updated Cybersecurity Act 2024 emphasizes supply chain security and encourages risk assessments and use of Software Bill of Materials (SBOM) for supply chain transparency. Broader regional policies advocate security-by-design and continuous risk assessment. Singapore's Cybersecurity Act 2024 emphasizes supply chain security, risk assessment, and software bill of materials requirements
APAC nations are increasing their support for cooperation and capacity building. Australia, Japan, and ASEAN members sponsor training hubs like the ASEAN-Singapore Centre of Excellence and the ASEAN-Japan Capacity Building Center. Initiatives such as the APAC Cybersecurity Fund aim to provide cyber hygiene training for micro and small enterprises across 13 countries. APAC Cybersecurity Fund, supported by Google.org, aims to train underserved micro and small organizations in 13 APAC countries via applied research and cyber hygiene training
Outlook
Regulatory fragmentation across APAC is expected to increase demand for harmonized incident-reporting frameworks and centralized IT/OT governance. Manufacturers operating regionally may advocate for interoperable models, such as Agnostic Incident Reporting (AIR), to align local response requirements while maintaining global oversight. As regulatory enforcement increases, investments in OT network segmentation, asset discovery, and supplier security at the procurement level are likely to grow.
