Recent Updates to Hong Kong’s National Security Law

How Amended Rules Increase Risk for Foreign Companies and Their Employees Operating in Hong Kong

On March 23, 2026, the Hong Kong government, under pressure from the Chinese Communist Party (CCP), changed the implementing rules of its National Security Law in ways that should put every company that does business in, or transits through, Hong Kong on alert. Refusing to hand over passwords or provide decryption assistance to Hong Kong police is now a criminal offense—and that applies to everyone: residents, visitors, and anyone transiting Hong Kong International Airport, including U.S. citizens. Hong Kong authorities also gained expanded powers to seize and retain personal devices as evidence in national security cases.

The rule change is the latest development in a trend Strider analysts have been tracking since Hong Kong’s Article 23 passed in 2024—a steady, deliberate convergence of Hong Kong’s legal and intelligence environment with that of the People’s Republic of China (PRC). For foreign companies that have continued operating in the city without adjusting their posture, the risk is no longer theoretical.

A Law with Broad Reach

In June 2020, the PRC National People’s Congress Standing Committee (NPCSC) unanimously passed the “Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region,” bypassing Hong Kong’s own legislature entirely to impose a national security law directly on the city, criminalizing secession, subversion, terrorism, and collusion with foreign forces.

Hong Kong’s Legislative Council passed Article 23 in March 2024, also known as the “Safeguarding National Security Bill,” to quell “political crimes,” including theft of state secrets and espionage. Article 23 defines “state secrets” to include any information related to a “major policy decision” or to economic, social, technological, or scientific developments—even if that information has never been officially classified. Acts of “espionage” under the law include providing “useful” information to an “external force” or colluding with such a force to publish false or misleading statements.

Like their counterparts in Mainland China, Hong Kong residents are now legally compelled to inform authorities when they suspect someone of committing an infraction. The two laws now operate in tandem, giving the PRC a comprehensive legal architecture to govern national security in Hong Kong on its own terms.

In 2024, the PRC revised its Law on Guarding State Secrets to prevent the leaking of information that could harm the CCP or benefit foreign countries or businesses. In 2023, Beijing amended its counter-espionage law to characterize information collection related to national security or national interests as an act of espionage.

The U.S. State Department expressed “deep concern” over Article 23, noting that it carries “broad implications” for Hong Kong residents as well as U.S. citizens and companies. Officials also warned that Hong Kong authorities could seek to apply the law extraterritorially.

Industries Most at Risk

Companies engaged in due diligence, business intelligence, or economic and market research face the greatest exposure. Hong Kong authorities could characterize these activities as “intelligence work” targeting “state secrets.” The PRC has already used its national security framework, the same framework that shaped Article 23, to clamp down on foreign consulting and due diligence businesses conducting investment screening, forensic accounting, or background checks.

The risks also extend to personnel. PRC intelligence services (PRCIS), including the Ministry of State Security (MSS) and Ministry of Public Security (MPS), have long operated in Hong Kong to monitor the local population and target foreign nationals. The PRCIS employs a wide range of collection methods: front organizations operating under commercial or academic cover, advanced technical surveillance, co-opted locals across service industries, targeted online outreach via professional networking platforms, and offers of paid travel or financial remuneration. Employees traveling to Hong Kong should assume that all electronic devices and communications are subject to monitoring.

The intelligence apparatus in Hong Kong also prioritizes access over ethnicity. While the PRCIS can leverage familial or cultural ties to the PRC, its primary objective is identifying any individual willing to provide information of value—regardless of background. Anyone with access to sensitive data, advanced research, or government-connected networks is a potential target.

Historical cases illustrate the point: In 2022, a former U.S. Army pilot and cleared U.S. defense contractor was sentenced to prison. Over two years, he traveled multiple times to Hong Kong to meet with PRCIS handlers, passing sensitive aviation-related material in exchange for payment. In a separate 2024 incident, a U.S. Army sergeant was charged with leaking classified information on advanced weapons systems to a foreign national claiming to live in Hong Kong, receiving a series of payments that increased as the sensitivity of the material grew.

What Companies Should Do

As Beijing tightens its control over Hong Kong, these risks will only deepen. Following Article 23’s passage, Hong Kong Chief Executive John Lee announced that the city would “actively integrate” into the PRC's “overall development” and “strengthen the flow of people, logistics, capital, and information.” The head of the German Chamber of Commerce in Hong Kong acknowledged that company executives would find it increasingly difficult to distinguish the city from the rest of the PRC.

Foreign companies operating in Hong Kong can take concrete steps to manage their exposure.

Update Policies and Procedures. The law’s deliberately vague language gives authorities wide latitude to target groups and individuals perceived as a threat to stability—whether they are doing business in or transiting through Hong Kong. Organizations should review Hong Kong-based operations and reevaluate activities that could be conflated with criminal conduct under the new framework.

Educate and Empower Personnel. Briefing leadership and staff on the risks associated with information gathering and sharing in Hong Kong can drive more cautious behavior. Engaging with groups or individuals critical of Beijing or the Hong Kong government—even casually—could raise an organization's profile and invite scrutiny by security agencies.

Conduct Thorough Due Diligence. Vetting Hong Kong-based organizations and individuals, with particular attention to their ties to Beijing, is essential. Monitoring Western sanctions lists is a baseline requirement for remaining compliant and avoiding relationships that expose technology, talent, and supply chains to unnecessary risk.

The Intelligence Dimension

Strider helps organizations understand and manage state-sponsored risks in environments like Hong Kong, where the line between commercial activity and legal liability has become dangerously thin. Tools like People Search and Insights help identify individuals’ ties to state-sponsored programs or entities, while Organizations Search enables organizations to assess third-party partners for connections to state-directed actors. Shield helps protect intellectual property by identifying higher-risk indicators associated with state-linked recruitment and technology transfer activity. Within its Intelligence Center, Strider analysts provide ongoing coverage of legislative, institutional, and operational developments that affect how organizations must think about their exposure in complex geopolitical environments.

Hong Kong’s newly amended rules of its National Security Law represent a meaningful shift in the risk calculus for foreign companies. The legal exposure, the intelligence threat, and the erosion of institutional independence demand immediate attention from any organization operating in or connected to Hong Kong.

The companies best positioned to navigate this environment will be those that treat it with the seriousness it demands—understanding the law, preparing their people, and building the intelligence capabilities needed to stay ahead.