Singapore Cybersecurity Act 2025

1 Act Overview & Timeline

The Cybersecurity Act 2018 established Singapore's framework for protecting Critical Information Infrastructure (CII). The Cybersecurity (Amendment) Act 2024 substantially expanded this framework, with key provisions coming into force on 31 October 2025.

$100K

Max Fine

2hr

Reporting Window

New Entity Types

Legislative Timeline

Date	Milestone
2018	Original Cybersecurity Act enacted
May 2024	Cybersecurity (Amendment) Act passed in Parliament
7 May 2024	Amendment Act received Presidential assent
31 Oct 2025	Key provisions commence (Part 3A, 3B, STCC)
Pending	Part 3C (Entities of Special Cybersecurity Interest) — not yet in force
Pending	Part 3D (Major Foundational Digital Infrastructure) — not yet in force

KEY CONTEXT

The original Act only regulated CII (computers essential to vital services). The 2024 amendment significantly broadens scope — adding provider-owned CIIs, overseas CIIs, STCCs, and future categories. This is the most significant expansion of Singapore's cybersecurity regulatory perimeter since 2018.

2 Who's Affected — New Categories

1. Provider-Owned CIIs (Part 3A)

Third-party owned computers/systems used by CII owners to deliver essential services can now be designated as CIIs in their own right. This means cloud providers, managed service providers, and outsourced IT operators supporting essential services are now directly regulated.

Commissioner can designate a provider's system as a CII if it's necessary for continuous delivery of an essential service
CII owners must provide information about third-party systems (Section 3B)
Non-compliance with information requests: fine up to SGD 100,000, 2 years imprisonment, plus daily fines
Commissioner can order cessation of use of non-compliant systems

2. Overseas CIIs (Section 7)

Systems located entirely outside Singapore can now be designated as provider-owned CIIs if:

The system is essential to keeping an important service running in Singapore
Loss or compromise would seriously disrupt that service
The system would have been designated if located in Singapore

This gives Singapore extraterritorial regulatory reach — a significant development for multinational organizations and offshore cloud providers.

3. Systems of Temporary Cybersecurity Concern (STCC) — Section 17

A new category for systems facing heightened risks due to temporary events:

Examples: election infrastructure, pandemic vaccine distribution, major event support systems
High risk of unauthorized threat + serious national detriment = designation criteria
Commissioner designates via written notice with specified period
STCC owners must: implement cybersecurity measures, appoint Commissioner-approved auditor, report incidents
Penalties for non-compliance: SGD 100,000 fine, 2 years imprisonment, or both

4. Not Yet in Force

⚠️ COMING SOON

Part 3C — Entities of Special Cybersecurity Interest (ESCIs): Will extend obligations to entities that, while not operating CIIs, are significant to national cybersecurity. Commencement date pending.
Part 3D — Major Foundational Digital Infrastructure (FDI): Will regulate providers of foundational digital services (cloud, data centers, CDNs, etc.). This is the most impactful pending change for tech companies. Commencement date pending.

3 Key Obligations & Requirements

Expanded Incident Reporting

CII owners must now report incidents involving:

Advanced Persistent Threats (APTs) — long-term, targeted attacks with covert network access
Incidents disrupting essential services — even if in non-interconnected systems under the CII owner's control

⏰ REPORTING DEADLINE

CII owners must notify CSA within 2 hours of becoming aware of a reportable incident. This is one of the tightest reporting windows globally (EU NIS2: 24h early warning; Singapore: 2 hours).

Third-Party Vendor Obligations

Essential service providers must now:

Obtain legally binding commitments from IT vendors regarding security standards
Ensure vendor contracts include: information sharing obligations, material change notification, security control requirements
Conduct third-party risk assessments for all vendors supporting CIIs
Be prepared for Commissioner to order cessation of use of non-compliant vendor systems

STCC-Specific Duties

When a system is designated as an STCC, the owner must:

Implement prescribed cybersecurity measures and technical standards
Appoint a Commissioner-approved auditor to audit compliance
Report cybersecurity incidents affecting the system
Provide information about system function, design, and users

Procedural Safeguards

The designation notice must:

Identify the system and its owner
Specify the period of designation
Inform the owner of their duties
Allow for amendment if the owner demonstrates they lack effective control over the system

4 Penalties & Enforcement

Offence	Max Fine	Max Imprisonment	Daily Fine
Non-compliance with Section 3B (info request)	SGD 100,000	2 years	Yes (continuing breach)
STCC: Fail to report incidents	SGD 100,000	2 years	—
STCC: Fail to implement measures	SGD 100,000	2 years	—
CII: Fail to report within 2 hours	As per 2018 Act	As per 2018 Act	Yes
Use of system after cessation order	As per 2018 Act	As per 2018 Act	Yes

⚠️ ENFORCEMENT REALITY

SGD 100,000 fines and criminal liability are significant for SMEs. But the real business risk is the Commissioner's power to order cessation of use of non-compliant systems. If your cloud provider is designated as a provider-owned CII and you can't demonstrate compliance, you could be forced to stop using them — which is operationally devastating.

5 Bundling with ISO 9001:2026 — The Play

🎯 THE BUSINESS CASE

"While we're updating your QMS for ISO 9001:2026, let us also assess whether your cybersecurity posture aligns with the new Cybersecurity Act amendments. One review, two compliance upgrades."

Why This Works

Same client base: SMEs in energy, healthcare, transport, logistics, banking — sectors with CIIs — also need ISO 9001
Overlapping requirements: Risk assessment, document control, internal audit, management review, incident management
Timing alignment: Both transitions happening 2025-2028
Document control: Cybersecurity Act requires documented policies, procedures, and audit trails — exactly what ISO 9001's document control clause requires

Overlapping Requirements

Cybersecurity Act Requirement	ISO 9001:2026 Equivalent
Risk assessment & management	Clause 6.1 — Actions to address risks and opportunities
Documented policies & procedures	Clause 7.5 — Documented information
Internal audit / Commissioner-approved audit	Clause 9.2 — Internal audit
Management review / governance	Clause 9.3 — Management review
Incident reporting & response	Clause 8.7 — Control of nonconforming outputs
Vendor/supplier management	Clause 8.4 — Control of externally provided processes
Competence & awareness	Clause 7.2/7.3 — Competence & awareness
Continuous improvement	Clause 10 — Improvement

What You Can Offer (Without Being a Cybersecurity Expert)

Gap assessment — Identify which Cybersecurity Act provisions apply to the client
Document alignment — Update QMS documents to include cybersecurity requirements
Vendor management framework — Build the third-party risk assessment process (QMS already requires vendor controls under Clause 8.4)
Audit readiness — Prepare internal audit checklists covering both ISO and Cybersecurity Act
Referral partnership — Partner with a cybersecurity firm for technical assessment, you handle the QMS/governance layer

⚠️ BOUNDARY

You are not a cybersecurity technical assessor. Don't offer penetration testing, vulnerability assessments, or technical security architecture. Your value is in the governance, documentation, and management system integration — not the technical controls. Partner with a cybersecurity firm for the technical layer.

6 Impact on Singapore SMEs

Who Needs to Act Now

Essential service providers: Energy, water, healthcare, banking, transport, telecoms — must update vendor contracts, incident reporting, risk assessments
IT service providers to CII owners: Cloud, managed services, outsourcing — may now be directly regulated as provider-owned CIIs
Companies with overseas systems supporting SG services: Must assess if their offshore systems meet designation criteria

Who Should Prepare (But Not Panic)

SMEs not in CII sectors but handling sensitive data
Companies that might fall under Part 3C (ESCIs) or Part 3D (FDI) when those provisions commence
Organizations wanting to demonstrate cybersecurity maturity for government tenders or MNC supply chains

Common Gaps for SMEs

❌ No formal incident response plan (2-hour reporting is impossible without one)
❌ No vendor cybersecurity risk assessment process
❌ No documented cybersecurity policies or procedures
❌ No internal cybersecurity audit capability
❌ Cloud/IT vendor contracts lack security clauses
❌ Staff lack cybersecurity awareness training

💡 OPPORTUNITY ANGLE

Most Singapore SMEs in CII-adjacent sectors have zero readiness for these requirements. They don't have incident response plans, vendor risk frameworks, or cybersecurity documentation. This is where your QMS expertise intersects perfectly — because these are all management system problems, not purely technical ones. Build the framework, partner for the technical bits.

7 Sources

Cyber Security Agency of Singapore — "Provisions in the Cybersecurity (Amendment) Act to Come Into Force on 31 October 2025" (Oct 2025)
Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations 2025 — Singapore Statutes Online (S678-2025)
Hogan Lovells / JDSupra — "Provisions in Singapore's Cybersecurity (Amendment) Act came into force on 31 October 2025" (Nov 2025)
AIGovHub — "Singapore Cybersecurity Act Compliance Guide 2025" (April 2026)
CSA Singapore — Cybersecurity Act legislation page
Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025 — SSO (S677-2025)

Report prepared: April 18, 2026. Information current as of research date. Parts 3C and 3D of the Amendment Act are not yet in force — monitor CSA announcements for commencement dates.