Policy Briefing — Singapore readies Cybersecurity Act amendments for expanded sector oversight
Singapore’s Cyber Security Agency is finalising amendments to the Cybersecurity Act to cover more critical information infrastructure, introduce new licensing classes, and mandate reporting from key digital service providers.
Executive briefing: The Cyber Security Agency of Singapore (CSA) closed consultation in May 2024 on amendments to the Cybersecurity Act 2018. Draft legislation expected to reach Parliament in late 2024 would broaden critical information infrastructure (CII) designations, add a new class licensing regime, and extend reporting obligations to providers of essential digital services.
Proposed reforms
- Expanded CII coverage. CSA plans to designate cloud infrastructure, data centres, and key digital utilities as CII, requiring risk assessments, incident reporting, and audit submissions.
- Class licensing. A new licensing class for critical information infrastructure service providers would set baseline security controls, personnel vetting, and audit frequencies.
- Digital service duties. Providers of managed security, SOC monitoring, and other essential digital services must notify CSA of significant cyber incidents and maintain service continuity plans.
Program actions
- Scope assessment. Identify Singapore operations that could fall under expanded CII definitions and align asset inventories with CSA templates.
- Licensing readiness. Prepare compliance documentation—incident runbooks, personnel vetting records, and third-party contracts—to meet new class licensing criteria.
- Incident reporting drills. Test the ability to deliver preliminary incident reports within the proposed 2-hour notification window and follow-on updates within 24 hours.