Key Amendments to Singapore’s Cybersecurity Regime to come into effect on 31 October 2025
On 15 October 2025, the Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025 was published, specifying the commencement date of 31 October 2025 for various provisions of the Cybersecurity (Amendment) Act 2024 (“Amendment Act”). The provisions coming into force are sections 2 to 15, 18, 19, 22, 23(b), 24, 25, 28(a) to (g), 29, 31 and 32(1) to (4), (6) and (7) of the Amendment Act. The Amendment Act introduces new regulatory regimes into the Cybersecurity Act 2018 (“Principal Act”) (see our previous articles, “Singapore proposes to extend its Cybersecurity Regime” and “Singapore strengthens its Cybersecurity law”).
Summary of the provisions in the Amendment Act coming into force
From 31 October 2025, the Amendment Act will introduce the following key aspects into the Principal Act:
- A new Part 3A to regulate providers of essential services who do not own the Critical Information Infrastructure (“CII”) used for the continuous delivery of the essential services they are responsible for (i.e., third-party-owned CII or “3PO CII”), including duties to obtain enforceable upstream commitments from third‑party owners, incident reporting, audit and risk assessment obligations, and the Commissioner’s power to issue certain directions in relation to the 3PO CII.
- A new Part 3B to allow time-limited designations and regulation of systems of temporary cybersecurity concern (“STCC”), including information‑related duties, incident reporting, and the Commissioner’s power to issue certain directions in relation to STCCs.
- Establishing monitoring powers for the licensing officer over licensed cybersecurity service providers.
Sections 2 to 7 of the Amendment Act – Application
On 31 October, the Amendment Act will formally introduce new types of regulated infrastructure into the Principal Act, including:
- STCC – a computer or computer system in respect of which a designation under section 17(1) of the Principal Act (as amended by the Amendment Act) is in effect. A computer or computer system will be designated as an STCC for a limited period where (a) it is critical to Singapore (i.e. its loss or compromise will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore) and (b) there is a high risk of it being subject to a cyberattack.
- PO CII – a computer or computer system in respect of which a designation under section 7(1) or (1A) of the Principal Act (as amended by the Amendment Act) is in effect. A computer or computer system will be designated as a PO CII where it constitutes CII and is located wholly outside Singapore.
- 3PO CII – a computer or computer system in relation to which a designation of a designated provider responsible for 3PO CII under section 16A(1) of the Principal Act (as amended by the Amendment Act) is in effect. A computer or computer system will be designated as a 3PO CII, regardless of where it is located, where it constitutes CII and is not owned by the provider of essential services in relation to the CII.
Sections 8 to 13 of the Amendment Act – PO CII: extraterritorial designations, renewals and strengthened directions
Part 3 of the Principal Act remains the foundational regime for PO CII, but with material enhancements:
- Extraterritorial designation: The Commissioner may designate a computer or system located wholly outside Singapore that is owned by a person in Singapore, as PO CII if it meets the necessary criteria and would have been designated as such had it been in Singapore. This closes a geographic exposure gap for essential services reliant on offshore systems.
- Extension of designation: The Commissioner may extend a PO CII designation for a further 5‑year period (beyond the initial 5-year designation period) if the criteria remain satisfied, ensuring continuity of oversight without interruption.
- Directions and standards: The Commissioner’s written directions may require compliance with prescribed technical or other cybersecurity standards in respect of PO CII by the CII Owner and must specify a compliance deadline. This elevates prescribed standards alongside codes of practice and standards of performance.
- Incident reporting scope: CII owners must report prescribed cybersecurity incidents affecting any computer / computer systems under the owner’s control and those affecting interconnected systems under the control of a supplier to the owner.
- Audits and Inspections: The Commissioner may order or authorise audits and/or inspections to be carried out to ascertain the CII owner’s compliance with its obligations in relation to the PO CII.
Overall, these changes tighten obligations on PO CII owners and extend regulatory reach to offshore systems owned by a person in Singapore.
Section 14 of the Amendment Act – New Part 3A on 3PO CII
A notable amendment is the introduction of a regime for cases where the essential service provider does not own the underlying CII (which is instead owned by a third party). The Commissioner may request further information on the CII and designate such CII as 3PO CII for a period of 5 years (subject to a further extension of 5 years).
There is an obligation to secure upstream commitments in respect of 3PO CII. In particular, the designated provider of 3PO CII must obtain a legally binding commitment from the owner to:
- Furnish specific information and to notify the provider of material changes.
- Maintain applicable prescribed cybersecurity standards in respect of the 3PO CII.
- Notify the provider of prescribed cybersecurity incidents affecting the 3PO CII or specified interconnected systems.
- Ensure that applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of the 3PO CII.
- Allow audits to be carried out (at least biennially) against prescribed standards and conduct annual cybersecurity risk assessments, and provide reports within fixed timeframes.
- Notify the provider of changes in beneficial or legal ownership within 7 days.
The provisions of the Amendment Act contain robust enforcement mechanics in relation to 3PO CII. If the provider fails to obtain the required commitments or if standards are not maintained without reasonable excuse, the Commissioner may order the provider to cease using the 3PO CII. Further, non‑compliance with the obligations constitutes an offence and may lead to the imposition of sanctions.
Collectively, Part 3A expressly regulates the cybersecurity accountability of essential service providers that rely on outsourced or third‑party‑hosted critical systems. It allocates risk management “through the chain” by requiring documented, enforceable upstream commitments and empowering the Commissioner to intervene where those commitments are absent or ineffectual.
Section 15 of the Amendment Act – New Part 3B on STCCs
Part 3B provides a tool for time‑limited, risk‑sensitive regulation where there is a high risk of significant cybersecurity harm to national interests for a limited period.
- Designation: The Commissioner may designate a computer or system located wholly or partly in Singapore as a STCC if (1) for a limited period, there is a high risk of a threat or incident jeopardising its cybersecurity, and (2) its loss or compromise would have a serious detrimental effect on national security, defence, foreign relations, economy, public health, public safety or public order.
- Information powers: The Commissioner may require persons exercising control over the STCC to provide information to ascertain whether designation criteria are met.
- Owner obligations: During designation, owners must furnish specified cybersecurity information (if and when required), comply with written directions, and report prescribed incidents affecting the system, interconnected systems under their control, or systems under a supplier’s control. Owners must also establish mechanisms to detect threats and incidents consistent with applicable codes.
This specialised regime enables targeted, time‑bound regulatory intervention during heightened threat windows, without formally classifying a system as CII and subjecting it to the stringent requirements under the main CII regime.
Section 18 of the Amendment Act – Licensing regime monitoring powers
To enhance supervision of licensed cybersecurity service providers under Part 5 of the Principal Act, licensing officers are now granted monitoring powers to:
- Enter and inspect a licensee’s place of business at a reasonable time.
- Require production of records, accounts and documents, including in legible form where stored electronically.
- Make copies and conduct inquiries into compliance with licensing conditions and Part 5 requirements.
Other updates
A few consequential and facilitative amendments include:
- Appeals against Decisions: A person aggrieved by certain designations, decisions, orders, directions, provisions or amendments (“Stipulation”) may appeal to the Minister within 30 days of the Stipulation and comply with the prescribed requirements for such appeals.
- Extension of Time: Any person required to do a thing under Parts 3, 3A, 3B, 3C or 3D within a specified time may apply in writing to the Commissioner for a time extension along with the reasons accompanying such request.
What is not commencing on 31 October 2025
For completeness, certain significant reforms enacted by the Amendment Act are not part of this commencement. These include Part 3C (entities of special cybersecurity interest) and Part 3D (major foundational digital infrastructure service providers).
Stakeholders should nonetheless be aware of these forthcoming regimes and track subsequent commencement notifications for the remaining provisions of the Amendment Act.
Practical implications
For organisations that provide or own computers or computer systems that are or may be designated CII or STCCs, the following priorities are recommended:
- Map exposure: Essential service providers should identify any non‑owned systems that are necessary for their continuous delivery of essential services in Singapore and assess whether designation as a designated provider responsible for 3PO CII is likely. Where designation is plausible, begin preparing the suite of legally binding commitments required from third‑party owners, covering information rights, incident notification, standards conformance, audit cadence, risk assessments and ownership‑change notifications.
- Strengthen incident visibility and reporting workflows: Both PO CII owners and designated providers must implement mechanisms to detect/report prescribed cybersecurity incidents.
- Prepare for directions and changes in laws: Build internal playbooks to receive and comply with Commissioner directions and keep track of changes in cybersecurity laws and regulations.
Conclusion
The provisions of the Amendment Act commencing 31 October 2025 broaden the Principal Act’s ambit, particularly to capture third‑party‑owned infrastructure on which essential services depend, and deepen the operational levers available to the Commissioner across volatile risk periods. For operators of essential services and CII owners, the immediate compliance task is to align contractual, technical and governance controls to the new obligations.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the Amendment Act or Principal Act; the information, content, and materials stipulated above are based on our reading of the amendments and are for general informational purposes only.