The demand for satellite communications has grown rapidly in recent years, driven by their increasing use across a wide range of industries. This includes telecommunications, banking, public transport and maritime operations. With a significant portion of the Singaporean economy relying on satellite communication, it is time to consider satellites as part of the critical information infrastructure.
Under the Cybersecurity Act 2018 (Act), a computer or computer system may be designated as critical information infrastructure (CII) if it is necessary for the continuous delivery of an essential service and its loss or compromise would have a debilitating impact on the availability of that service in Singapore. Essential services recognised under the Act include telecommunications, healthcare, banking and finance and energy. The designation remains in force for 5 years, although it may be withdrawn or extended.
Systems located overseas may also be designated as CII if they play a critical role in the delivery of essential services in Singapore.
Designated CII is subject to enhanced regulatory oversight by the Commissioner of Cybersecurity (Commissioner). Among other powers, the Commissioner may require the owner of provider‑owned CII to furnish information relating to the system, including technical and operational details. Owners of provider‑owned CII are also required to conduct cybersecurity audits and risk assessments at intervals specified by the Commissioner, and to report prescribed cybersecurity incidents to the Commissioner within the applicable timelines.
Where designated CII is owned by a third party, the designated provider of essential services is responsible for the cybersecurity of the third‑party‑owned CII. In such cases, the designated provider is responsible for ensuring compliance with applicable regulatory requirements, including incident reporting and audit obligations, and for ensuring that the system conforms with any prescribed cybersecurity standards.
Satellites now form an integral part of the infrastructure supporting certain essential services in Singapore, particularly in areas such as telecommunications and national security. In critical use cases, computer systems with satellite connectivity may be designated as CII.
The Act already contemplates that critical systems can be located outside Singapore, and this regulatory flexibility allows satellites to be brought within the CII framework where appropriate. Recognising satellites as part of CII reflects the realities of modern digital and communications ecosystems. It supports a more cyber‑resilient economy by ensuring that systems essential to Singapore’s functioning are subject to appropriate cybersecurity standards, regardless of whether they are located on the ground or in space.
Satellites have a key role in the delivery of essential services in Singapore and can be designated as CII. Satellite operators and providers of essential services should therefore be familiar with the criteria for CII designation and understand the regulatory obligations that may arise where satellite‑enabled systems are considered critical.
OrionW regularly advises clients on cybersecurity and space and satellite matters. For more information about how to comply with the Cybersecurity Act 2018, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.
