Singapore’s Cybersecurity Act 2018 establishes a framework for managing cyber risks, including heightened regulatory oversight for designated high-importance systems, wherever located.

Overview of Singapore Cybersecurity Act 2018

Date
March 16, 2026
Author
OrionW

The Cybersecurity Act 2018 (Act) is Singapore’s primary cybersecurity legislation.  It establishes the framework for the management of cyber threats, regulates certain cybersecurity services, and designates the Cyber Security Agency of Singapore (CSA) as the national cybersecurity regulator.  

Critical Information Infrastructure

The Commissioner of Cybersecurity (i.e., the head of CSA) may designate a computer system as critical information infrastructure (CII) where the system is essential to the continuous delivery of an essential service (such as telecommunications, healthcare, banking and finance, and energy), and its loss or compromise will have a debilitating effect on the availability of such essential service in Singapore.

Importantly, a system can be designated as CII even if it is located outside Singapore, provided it is critical to the delivery of an essential service in Singapore. The designation is effective for 5 years, although it can be withdrawn or extended.  

Designated CII systems are subject to heightened cybersecurity oversight. Owners must comply with requirements such as providing technical information to regulators, conducting regular cybersecurity audits and risk assessments, and reporting certain cyber incidents.  

Where a CII system is owned by a third party, the provider of the essential service may still be held responsible for ensuring that the system meets regulatory requirements and prescribed cybersecurity standards.

Systems of Temporary Cybersecurity Concern

Where a computer system faces a high but temporary cybersecurity risk, and its loss or compromise would have a serious detrimental impact on Singapore’s national security, defence, foreign relations, economy, public health, public safety, or public order, the Commissioner of Cybersecurity may designate it as a system of temporary cybersecurity concern.  Such designation is for 1 year, unless withdrawn or extended.  

Systems designated as systems of temporary cybersecurity concern are subject to obligations similar to those imposed on designated CII systems.

Cybersecurity Service Providers

The provision of managed security operations centre monitoring services and penetration testing services requires a cybersecurity service provider licence (CSP Licence) issued by the Cybersecurity Services Regulation Office.

To obtain a CSP Licence, the applicant must be fit and proper, including having no convictions or adverse civil judgments involving fraud, dishonesty, or breach of fiduciary duty, and not being subject to liquidation or winding-up proceedings. The applicant must also have an active Cyber Trust Mark (CTM) Promoter (Tier 3) or equivalent certification that covers the environment (e.g., people, processes and technology) supporting the delivery of the licensed cybersecurity services.

Conclusion

The Act imposes meaningful obligations on organisations delivering essential services in Singapore, including where their critical systems are located overseas.  Understanding whether your systems could be designated as CII (or a temporary cybersecurity concern), and whether your services require a CSP Licence, is increasingly important for both compliance and risk management.  Organisations should assess governance, contractual controls, incident reporting readiness, and audit/risk assessment coverage across their technology stack and supplier ecosystem.  

If you would like support in assessing your exposure under the Act or strengthening your compliance roadmap, our team would be pleased to assist.

For More Information

OrionW regularly advises clients on cybersecurity matters. For more information on how to comply with the Cybersecurity Act 2018, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
