The Cyber Security Agency of Singapore launched a licensing framework on 11 April 2022 requiring providers of penetration testing services or managed security operations centre monitoring services to be licensed.


Mandatory Licensing for Certain Cybersecurity Service Providers in Singapore

July 6, 2023

Note: This article was originally published on 14 April 2022 and updated on 6 July 2023.

A licensing framework adopted by the Cyber Security Agency (CSA) of Singapore in April 2022 requires certain cybersecurity service providers (CSPs) to be licensed before providing their services in Singapore.

The framework currently applies to only two types of cybersecurity services: penetration testing services and managed security operations centre monitoring services. Those services were given priority for regulation because CSPs providing those services have privileged access to their customers’ networks and sensitive information. The licence requirement does not apply to those providing these cybersecurity services only to their related companies.

Persons intending to provide a licensable cybersecurity service must first apply for and be granted a licence (unless they were providing such a service immediately before the licensing framework became effective and have qualified for a temporary exemption). Persons who provide a licensable cybersecurity service without having a temporary exemption or the necessary licence will be subject to a fine of up to S$50,000 or imprisonment of up to 2 years, or both.

Each licensable cybersecurity service requires a separate licence, so a person intending to provide both services must apply for and be granted two licences. Licences are valid for 2 years and may be renewed.

The chief criteria to determine whether an applicant should be granted a licence is whether the applicant is fit and proper. The CSA’s Cybersecurity Services Regulation Office (CSRO), which administers the licensing framework , may consider any factor it considers relevant when assessing fitness and propriety, but for an individual applicant the CSRO will first look at whether they have a criminal or civil judgment against them involving fraud, dishonesty, moral turpitude or breach of trust; whether they suffer from an unmanaged mental health condition; whether they are an undischarged bankrupt; or whether they have had a previous licence revoked. The same general criteria, to the extent relevant, apply to business applicants and to each of their officers (i.e., directors, partners, etc. and persons responsible for the management of the business).

Licensed CSPs must make records in respect of each of its customer engagements that identify the individuals (including employees) and/or businesses who provided licensed cybersecurity services on its behalf. Licensed CSPs must retain each such record for at least 3 years.

Key Takeaway

The CS Act requires providers of penetration testing services and managed security operations centre monitoring services to be licensed before providing those services in Singapore.

For More Information

OrionW regularly advises clients on data protection and cybersecurity matters. For more information about the regulation of cybersecurity in Singapore, or if you have questions about this article, or if you require assistance to submit an application for a licence to provide cybersecurity services, please contact us at

Disclaimer: This article is for general information only and does not constitute legal advice.


Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.