The Singapore Cybersecurity Act is Singapore’s primary law for strengthening national cyber resilience and national cybersecurity. First enacted as the Cybersecurity Act 2018, this legislation establishes a comprehensive legal framework for preventing, managing, and responding to cybersecurity threats, with a focus on Critical Information Infrastructure (CII) and specific cybersecurity services. The Act is administered by the Cyber Security Agency of Singapore (CSA), the cybersecurity agency responsible for oversight and enforcement.
In 2024, Parliament passed the Cybersecurity (Amendment) Act 2024, which introduces key updates to the legal framework to address today’s hybrid and cloud-first environments. A commencement notification published on 15 October 2025 brought a slate of provisions into force on 31 October 2025, sharpening rules on incident reporting and clarifying accountability for externally hosted or overseas systems that support essential services.

Why the Act Exists
Cyber incidents can disrupt critical infrastructure, including power, water, transportation, healthcare, banking and digital public services. The Act gives CSA expanded regulatory powers to coordinate national responses, require information for investigations, and direct remedial measures where a serious and imminent threat exists. These powers are designed to prevent cybersecurity incidents that could compromise critical infrastructure and pose a threat to Singapore’s national interests. The Act also imposes obligations on Critical Information Infrastructure (CII) owners and establishes a licensing framework for certain cybersecurity service providers, aiming to address evolving cyber threats.
Scope: What Systems the Act Covers
At its core, the Act regulates critical information infrastructures (CIIs) that support essential services in Singapore. The designation process identifies which computers or computer systems, including both physical and virtual environments, qualify as CIIs. Once a system is designated as CII, its owner must meet codes of practice, standards of performance, cybersecurity requirements, risk management requirements, and incident reporting duties. The 2024 amendments expand and refine this regime to reflect cloud computing, third-party operations, and cross-border dependencies. The Act now explicitly covers third-party-owned CIIs, so that CIIs managed by third-party vendors, including those hosted overseas, are subject to regulatory oversight and accountability extends to systems managed by external vendors. The Act addresses systems under the owner’s control, even if they are managed externally, and imposes obligations on third-party vendors to comply with cybersecurity requirements for all relevant computer systems.
Tip: If your business includes systems that may be designated as CII, align your controls with sector codes and CSA expectations. For implementation support across APAC, see our page on IT Security Services.
Key duties for CII owners
- Meet codes of practice and standards. CSA can issue sector-specific codes, known as the applicable code, that CII owners must implement and maintain. Adhering to the applicable code is essential for compliance, and maintaining strong cyber hygiene is a key best practice for both CII owners and their vendors.
- Report notifiable incidents to CSA. CII owners have reporting obligations under the Act and must promptly report incidents to CSA when an incident materially impacts the delivery or security of the essential service. This duty covers cybersecurity incidents affecting third-party or interconnected systems, as well as incidents that impact related or external systems under the owner’s control. The Act defines specific types of incidents as prescribed cybersecurity incidents, which must be reported within specified timeframes. After the initial notification, owners are required to provide supplementary details about the incident, affected systems, and remedial actions taken.
- Undergo audits and inspections. CSA may require audits or technical assessments to verify compliance. CII owners must also conduct regular risk assessments of their systems and vendors to proactively identify and address vulnerabilities.
- Manage third-party and overseas environments. Amendments clarify that accountability remains with the CII owner, even when essential-service systems are hosted or operated by vendors or located overseas. Contracts should embed equivalent safeguards and audit rights. CII owners are obligated to obtain legally binding commitments from third-party vendors to ensure compliance with cybersecurity standards and regulatory requirements.
What changed in 2024–2025
The Cybersecurity (Amendment) Act 2024, passed on 7 May 2024, introduces key changes that modernise the framework and provide new or clarified tools for CSA and regulated entities. A commencement notification brought specified provisions into force on 31 October 2025. Legal updates summarise the following practical shifts:
- Clearer coverage of externally or overseas-hosted systems that support essential services. Owners remain responsible for maintaining comparable security standards and visibility across borders and suppliers.
- Enhanced incident reporting expectations for CII owners, with more explicit triggers and timelines highlighted in agency and firm guidance. The amendments clarify the obligation to report any cybersecurity incident, including a cybersecurity incident in respect of systems that support essential services, and expand the scope to cover cybersecurity incidents that adversely affect, or may adversely affect, the confidentiality, integrity, or availability of critical systems.
- Additional regulatory tools to address systems that present temporary or event-driven cybersecurity concerns, enabling time-bound oversight where risk spikes. The Commissioner of Cybersecurity is now empowered to issue written directions to regulated entities, including CII owners, ESCIs, FDIs, and STCCs, to ensure compliance with cybersecurity standards and incident reporting requirements.
The new civil penalty regime introduced by the amendments allows CSA to impose a civil penalty as an alternative or supplement to criminal prosecution. These civil penalties can include a financial penalty of up to 10% of a company’s annual turnover or a specified monetary amount, depending on the severity and duration of the contravention. Criminal penalties remain available for serious breaches of the Act.
Failure to comply with reporting or other obligations without a reasonable excuse can result in enforcement action, including financial penalties. The amendments also address data portability as part of broader data protection obligations, reflecting the evolving landscape of data management and breach response.
These updates reflect the reality that essential services increasingly rely on multi-cloud architectures, managed services, and global supply chains.
Cybersecurity Act vs. Computer Misuse Act
The Computer Misuse Act (CMA) is a criminal law that targets offences such as unauthorised access and data interference. The Cybersecurity Act is a regulatory law that governs infrastructure protection, compliance duties, and incident reporting. Both Acts are part of Singapore’s broader cybersecurity laws landscape, which establishes legal frameworks for critical infrastructure, data protection, and cybersecurity incident responses. Many organisations will care about both, but they serve different purposes.
Practical compliance steps for organisations
Even if you are not a designated CII owner, aligning with the Act’s expectations builds resilience and speeds regulator engagement during major incidents.
- Determine your exposure. Map essential services you deliver or support, including workloads hosted by third parties or overseas. Identify where the Act could apply through supplier or architecture choices.
- Build an incident reporting playbook. Define thresholds and evidence capture, establish communication paths to CSA and sector leads, and rehearse your process so notification is not delayed. Commentaries on the amendments emphasise the need for more explicit and timely reporting.
- Align contracts. Bake in breach notification, log retention, regulator access, and audit rights. Require vendors to maintain controls equivalent to those required by your own obligations.
- Benchmark against codes and standards. Use sector codes of practice and CSA expectations to drive gap analyses and remediation plans. Maintain records for audits and inspections.
- Verify licensing. Confirm that penetration testing and SOC monitoring providers hold the required licences, and that methodologies and data handling meet your risk appetite.
- Exercise your response. Tabletop scenarios with executives, operations, and key suppliers help reduce time to contain, notify, and recover.
The Singapore Cybersecurity Act in procurement and projects
Treat the Singapore Cybersecurity Act requirements as non-functional requirements when planning projects that touch essential services. This mindset helps teams make early architecture and supplier decisions that preserve visibility, control, and compliance downstream:
- Observability and evidence. Ensure logging, telemetry, and forensics can survive cross-border hosting and vendor-managed SOCs.
- Access and control. Define who can issue directions during incidents and how those directions propagate across vendors and cloud platforms.
- Resilience and recovery. Test failover, data integrity, backup recovery point objectives, and communication channels that support regulator-grade reporting.
How EIRE Systems can help
EIRE Systems partners with regulated and critical environments across APAC to translate the Act’s requirements into practical, auditable controls. We help teams:
- Interpret how the 2024–2025 amendments affect their mix of on-premises, cloud, and managed services
- Build reporting pipelines and playbooks that meet CSA expectations without slowing operations
- Embed contractual protections and verification mechanisms for vendor and overseas hosting
- Validate licence status and quality for penetration testing and SOC monitoring providers
Turn compliance requirements into a competitive edge
Speak with our cybersecurity specialists to assess your organisation’s posture, map obligations, and prioritise next steps that reduce risk and strengthen resilience. Contact us today.
Sources:
- Baker McKenzie. (2024, May 7). Singapore: Parliament passes Cybersecurity (Amendment) Bill on 7 May 2024. https://insightplus.bakermckenzie.com/bm/technology-media-telecommunications_1/singapore-parliament-passes-cybersecurity-amendment-bill-on-7-may-2024
- Cyber Security Agency of Singapore. (n.d.). Apply for licence. Singapore Cybersecurity Services Regulation Office. https://www.csro.gov.sg/how-to/apply-for-licence/
- Legislation Division, Attorney-General’s Chambers. (2018). Cybersecurity Act 2018 (No. 9 of 2018). Singapore Statutes Online. https://sso.agc.gov.sg/Act/CA2018
- Legislation Division, Attorney-General’s Chambers. (2024, July 4). Cybersecurity (Amendment) Act 2024. Singapore Statutes Online. https://sso.agc.gov.sg/Acts-Supp/19-2024/Published/20240704
- Legislation Division, Attorney-General’s Chambers. (2025, October 15). Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025. Singapore Statutes Online. https://sso.agc.gov.sg/SL-Supp/S677-2025/Published/20251015
- Singapore Statutes Online. (1993). Computer Misuse Act 1993. https://sso.agc.gov.sg/Act/CMA1993
About the Author: EIRE Systems
EIRE Systems is a leading independent provider of professional IT, AV and Access Security services to the financial, insurance, manufacturing, health care, retail, construction, hospitality, commercial real estate, legal, educational and multinational sectors in Japan and throughout the Asia Pacific region. EIRE Systems has expertise across a wide spectrum of Information Technologies, with a track record for successfully completing hundreds of assignments since its establishment in 1996.
