Provisions in Singapore’s Cybersecurity (Amendment) Act came into force on 31 October 2025

Key Amendments in force from October 31 2025

1. Regulation of Provider-Owned CIIs and Virtual Systems

Recognising the increasing use of computer or computer systems by CII owners in their delivery of essential services, Part 3A of the 2024 Amendment Act empowers Singapore’s Commissioner of Cybersecurity (the Commissioner) to designate such virtual computers and systems as CIIs in their own right if it is satisfied that the third party owned CII (whether in Singapore or overseas[query: amend as shown or review]) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.

Section 3B empowers the Commissioner to require providers of essential services to supply about third‑party‑owned computers or systems information, such as regarding the system’s function, design and users, when there are reasonable grounds to believe those systems may meet the designation criteria.

Non‑compliance with Section 3B attracts penalties of up to $100,000, two years’ imprisonment, and daily fines for continuing breaches; moreover, the Commissioner may order cessation of use of the system where necessary.

2. Designation of Overseas Systems as Provider‑Owned CII

The 2024 Amendment Act’s new Section 7 enables the Commissioner to designate a computer or system located entirely outside Singapore as a provider‑owned CII if two conditions are met. First, the system must be essential to keeping an important service running in Singapore, and if it were lost or compromised it would seriously disrupt that service. Second, the system would have been designated as provider‑owned CII if it were located in Singapore. Once designated, the system becomes subject to the 2018 Act’s regulatory requirements.

3. Expansion of Reportable Cybersecurity Incidents

A “cybersecurity incident” is defined in the 2018 Act as any act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or that of another system.

The 2024 Amendment Act expands the incident reporting obligations for CII owners. Owners of CII must now report incidents that are reasonably suspected to involve:

• Advanced Persistent Threats (APTs): long-term, targeted cyberattacks in which an adversary gains and maintains covert access to a network.
• Incidents that disrupt essential services, even if they arise in non-interconnected systems under a CII owner’s control.

CII owners are required to notify the CSA within two hours of becoming aware of such incidents. This prompt reporting is intended to enhance the CSA’s situational awareness and enable co-ordinated national responses where necessary.

4. Expansion of CSA Oversight to include systems designated as “Systems of Temporary Cybersecurity Concern”

Section 17 of the 2024 Amendment Act introduces the concept of a “System of Temporary Cybersecurity Concern” (STCC). STCCs are computer systems that face heightened cybersecurity risks due to temporary events or situations, such as those supporting governmental election processes or the distribution of vaccines during a pandemic. An STCC is defined as a computer or computer system, located wholly or partly in Singapore, where there is a high risk that an unauthorised cybersecurity threat or incident could jeopardise its security, and where any loss or compromise would likely result in serious detriment to national security, defence, foreign relations, the economy, public health, public safety, or public order. The 2024 Amendment Act empowers the Commissioner to designate a computer or computer system as an STCC by issuing a written notice if these criteria are met.

During the period of designation as an STCC, STCC owners can, upon the written direction of the Commissioner, be required to:

• Implement specified cybersecurity measures, including compliance with prescribed technical standards and codes of practice.
• Appoint an auditor approved by the Commissioner to audit compliance with the Act and applicable standards.
• Report cybersecurity incidents affecting those systems.

The 2024 Amendment Act also empowers the Commissioner to obtain information to determine whether a system qualifies as an STCC, including details about the system’s function, its users, and its design.

Procedural Safeguards:

The 2024 Amendment Act outlines that if the Commissioner seeks to designate a system as an STCC, the Commissioner’s written notice must identify the system and its owner, specify the period of designation, and inform the owner of their duties under the Act. There is provision included for the Commissioner to amend the notice if the CII owner demonstrates that they do not have effective control over the system, and that another party does.

Government-Owned Systems:

Where an STCC is owned by the Government and operated by a Ministry, the Permanent Secretary responsible for the Ministry is treated as the owner for the purposes of the Act.

Penalties:

Under the 2024 Amendment Act, any owner of an STCC who, without reasonable excuse, fails to comply with the obligation to report cybersecurity incidents or implement specific cybersecurity measures will be committing an offence and, upon conviction, may be subject to a fine of up to SGD 100,000, imprisonment for up to two years, or both.

Conclusion

The 2024 amendments to Singapore’s Cybersecurity Act represent a significant strengthening of the Singapore’s cybersecurity regulatory framework, ensuring it remains responsive to the rapidly evolving cybersecurity landscape and technological advancements. These changes introduce new compliance obligations and expand regulatory oversight, particularly for organisations operating CII or systems that may be designated as STCCs. It is essential for affected organisations to review and update their cybersecurity policies, incident response plans, and internal processes to ensure full compliance with the amended requirements.

As mentioned, certain major reforms in the 2024 Amendment Act have not yet commenced, including Part 3C on “Entities of Special Cybersecurity Interest” and Part 3D on “Major Foundational Digital Infrastructure” service providers. Stakeholders should monitor future commencement notices for the enactment of these provisions.

For any assistance on understanding the impact of this update, feel free to reach out to the authors or your usual Hogan Lovells contact.

Authored by Charmian Aw and Ciara O'Leary.