Cybersecurity Act 2018

Source: Singapore Statutes Online | Archived by Legal Wires

Cybersecurity Act 2018
2020 REVISED EDITION
This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021
An Act to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate certain persons in relation to the cybersecurity of certain computers or computer systems, to regulate cybersecurity service providers, and for matters related thereto.
[Act 19 of 2024 wef 31/10/2025]
[31 August 2018: Except sections 24 to 35 and the Second Schedule ]
PART 1
PRELIMINARY
Short title and commencement
1.—(1)  This Act is the Cybersecurity Act 2018.
(2)  Part 5 and the Second Schedule come into operation on a date that the Minister appoints by notification in the Gazette.
Interpretation
2.—(1)  In this Act, unless the context otherwise requires —
“Assistant Commissioner” means any Assistant Commissioner of Cybersecurity appointed under section 4(1)(b);
“assistant licensing officer” means any assistant licensing officer appointed under section 25(2);
“business entity” means —
(a)a corporation as defined in section 4(1) of the Companies Act 1967;
(b)an unincorporated association;
(c)a partnership; or
(d)a limited liability partnership registered under the Limited Liability Partnerships Act 2005;
“code of practice” means any code of practice issued or approved under section 35A(1), and includes such a code of practice as may be amended from time to time;
[Act 19 of 2024 wef 31/10/2025]
“Commissioner” means the Commissioner of Cybersecurity appointed under section 4(1)(a);
“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include such device as the Minister may, by notification in the Gazette, prescribe;
“computer program” means data representing instructions or statements that, when executed in a computer, causes the computer to perform a function;
“computer service” includes computer time, data processing and the storage or retrieval of data;
“computer system” means an arrangement of interconnected computers that is designed to perform one or more specific functions, and includes —
(a)an information technology system; and
(b)an operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system;
[Deleted by Act 19 of 2024 wef 31/10/2025]
“cybersecurity” means the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state —
(a)the computer or computer system continues to be available and operational;
(b)the integrity of the computer or computer system is maintained; and
(c)the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained;
“cybersecurity incident” means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system;
“cybersecurity officer” means any cybersecurity officer appointed under section 4(3);
“cybersecurity program” means any computer program designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of a computer or computer system;
“cybersecurity service” means a service provided by a person for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person (A), and includes the following:
(a)assessing, testing or evaluating the cybersecurity of A’s computer or computer system by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system;
(b)conducting a forensic examination of A’s computer or computer system;
(c)investigating and responding to a cybersecurity incident that has affected A’s computer or computer system by conducting a thorough scan and examination of the computer or computer system to identify and remove elements relating to, and identify the root cause of, the cybersecurity incident, and which involves circumventing the controls implemented in the computer or computer system;
(d)conducting a thorough examination of A’s computer or computer system to detect any cybersecurity threat or incident that may have already penetrated the cybersecurity defences of the computer or computer system, and that may have evaded detection by conventional cybersecurity solutions;
(e)designing, selling, importing, exporting, installing, maintaining, repairing or servicing of one or more cybersecurity solutions;
(f)monitoring of the cybersecurity of A’s computer or computer system by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system;
(g)maintaining control of the cybersecurity of A’s computer or computer system by effecting management, operational and technical controls for the purpose of protecting the computer or computer system against any unauthorised effort to adversely affect its cybersecurity;
(h)assessing or monitoring the compliance of an organisation with the organisation’s cybersecurity policy;
(i)providing advice in relation to cybersecurity solutions, including —
(i)providing advice on a cybersecurity program; or
(ii)identifying and analysing cybersecurity threats and providing advice on solutions or management strategies to minimise the risk posed by cybersecurity threats;
(j)providing advice in relation to any practices that can enhance cybersecurity;
(k)providing training or instruction in relation to any cybersecurity service, including the assessment of the training, instruction or competencies of another person in relation to any such activity;
“cybersecurity service provider” means a person who provides a cybersecurity service;
“cybersecurity solution” means any computer, computer system, computer program or computer service designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of another computer or computer system;
“cybersecurity threat” means an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system;
“cybersecurity vulnerability” means any vulnerability in a computer or computer system that can be exploited by one or more cybersecurity threats;
“Deputy Commissioner” means the Deputy Commissioner of Cybersecurity appointed under section 4(1)(b);
“designated provider responsible for third‑party‑owned critical information infrastructure” means a provider of an essential service in respect of whom a designation under section 16A(1), as a provider of an essential service who is responsible for the cybersecurity of a third‑party‑owned critical information infrastructure, is in effect;
[Act 19 of 2024 wef 31/10/2025]
“digital service” means any service normally provided for remuneration, that is delivered by one party to another party at the individual request of the other party, entirely through electronic means, and without needing the parties’ simultaneous physical presence, but does not include such services as the Minister may, by notification in the Gazette, prescribe;
[Act 19 of 2024 wef 31/10/2025]
“entity of special cybersecurity interest” means an entity in respect of whom a designation under section 18(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“essential service” means any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule;
“foundational digital infrastructure service” means any service which promotes the availability, latency, throughput or security of digital services, and is specified in the Third Schedule;
[Act 19 of 2024 wef 31/10/2025]
“full-time national serviceman” means a person who is liable to render full‑time national service under section 12 of the Enlistment Act 1970;
“licence” means a licence granted or renewed under section 26;
“licensable cybersecurity service” means any cybersecurity service specified as a licensable cybersecurity service in the Second Schedule;
“licensee” means the holder of a licence;
“major foundational digital infrastructure” means the computer or computer system (or class of computers or computer systems) that is necessary for a major foundational digital infrastructure service provider’s continuous delivery of the foundational digital infrastructure service in relation to which a designation of the major foundational digital infrastructure service provider under section 18G(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“major foundational digital infrastructure service provider” means a provider of a foundational digital infrastructure service in respect of whom a designation under section 18G(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern —
(a)means the legal owner of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and
(b)where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly owned by more than one person, includes every joint owner;
[Act 19 of 2024 wef 31/10/2025]
“provider‑owned critical information infrastructure” means a computer or a computer system in respect of which a designation under section 7(1) or (1A) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“standard of performance” means any standard of performance issued or approved under section 35A(1), and includes such a standard of performance as may be amended from time to time;
[Act 19 of 2024 wef 31/10/2025]
“system of special cybersecurity interest” means the computer or computer system (or class of computers or computer systems) in relation to which a designation of an entity of special cybersecurity interest under section 18(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“system of temporary cybersecurity concern” means a computer or computer system in respect of which a designation under section 17(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“third‑party‑owned critical information infrastructure” means the computer or computer system in relation to which a designation of a designated provider responsible for third‑party‑owned critical information infrastructure under section 16A(1) is in effect;
[Act 19 of 2024 wef 31/10/2025]
“virtual computer” means a purely digital analogue of a computer, created by the simulation of software and hardware, performing logical, arithmetic or storage functions and including communications functions, but does not include the physical computing resources used for the simulation;
[Act 19 of 2024 wef 31/10/2025]
“virtual computer system” means a purely digital analogue of a computer system, created by the simulation of an arrangement of interconnected computers that is designed to perform one or more specific functions, but does not include the physical computing resources used for the simulation.
[Act 19 of 2024 wef 31/10/2025]
(2)  For the purposes of the definition of “cybersecurity service”, a person does not provide a cybersecurity service only because the person —
(a)sells, or sells licences for, cybersecurity programs intended to be installed by a user without the assistance of the seller for the protection of the cybersecurity of a user’s computer; or
(b)provides services for the management of a computer network or computer system, that are aimed at ensuring the availability of or enhancing the performance of the computer network or computer system.
(3)  For the purposes of this section (except the definitions of “computer”, “computer system” and “owner”), sections 3 and 43, Part 2, Part 3 (except section 7(1A)) and Parts 3A, 3B, 3C and 4 —
(a)“computer” includes a virtual computer;
(b)“computer system” includes a virtual computer system;
(c)“control”, in relation to a virtual computer or virtual computer system, means —
(i)having the control over the operations of the virtual computer or virtual computer system;
(ii)having the right and ability to perform security configuration and management tasks in respect of the virtual computer or virtual computer system, including to make any modification as necessary for the cybersecurity of the virtual computer or virtual computer system; and
(iii)where applicable, having responsibility for the security of the virtual computer or virtual computer system under a person’s contractual arrangement with a cloud computing service provider;
(d)“owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern that is a virtual computer or virtual computer system —
(i)means the person who has exclusive control of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and
(ii)where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly controlled by more than one person, includes every joint controller;
(e)“change in the beneficial or legal ownership (including any share in such ownership)”, in relation to a provider‑owned critical information infrastructure or third‑party‑owned critical information infrastructure that is a virtual computer or virtual computer system —
(i)in a case where the virtual computer or virtual computer system is jointly controlled by more than one person — means change in any joint controller; or
(ii)in any other case — means change in the person who has exclusive control of the virtual computer or virtual computer system; and
(f)a virtual computer or virtual computer system is wholly or partly in Singapore if one or more of the physical computing resources deployed for the simulation of the virtual computer or virtual computer system (as the case may be) is located in Singapore.
[Act 19 of 2024 wef 31/10/2025]
Application of Act
3.—(1)  Part 3 (except sections 7(1A) and 8) applies to any provider-owned critical information infrastructure located wholly or partly in Singapore.
[Act 19 of 2024 wef 31/10/2025]
(1A)  Section 7(1A) applies to any computer or computer system located wholly outside Singapore that is owned by a person in Singapore.
[Act 19 of 2024 wef 31/10/2025]
(2)  Section 8 applies to any computer or computer system located wholly or partly in Singapore.
(2A)  Subject to subsection (2B) —
(a)Part 3A (except section 16B) applies to any provider of an essential service who is located in Singapore, and is responsible for the cybersecurity of third‑party‑owned critical information infrastructure; and
(b)section 16B applies to any person in Singapore who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by that person.
[Act 19 of 2024 wef 31/10/2025]
(2B)  Part 3A does not apply to any provider of an essential service in relation to any computer or computer system which is a provider‑owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(2C)  Subject to subsection (2D) —
(a)Part 3B (except section 17A) applies to any system of temporary cybersecurity concern located wholly or partly in Singapore; and
(b)section 17A applies to any computer or computer system located wholly or partly in Singapore.
[Act 19 of 2024 wef 31/10/2025]
(2D)  Part 3B does not apply to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(2E)  Subject to subsection (2F) —
(a)Part 3C (except section 18A) applies to any entity of special cybersecurity interest incorporated or established under any written law; and
(b)section 18A applies to any entity incorporated or established under any written law whom the Commissioner has reason to believe may fulfil the criteria to be designated as an entity of special cybersecurity interest.
[Act 19 of 2024 wef 31/10/2025]
(2F)  Part 3C does not apply to any entity in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(2G)  Subject to subsection (2H) —
(a)Part 3D (except section 18H) applies to any major foundational digital infrastructure service provider that —
(i)provides the foundational digital infrastructure service, whether from within or outside Singapore, to persons in Singapore within the meaning of section 18G; or
(ii)provides the foundational digital infrastructure service wholly or partially from Singapore within the meaning of section 18G; and
(b)section 18H applies to any person who appears to be a provider of a foundational digital infrastructure service, whom the Commissioner has reason to believe may fulfil the criteria to be designated as a major foundational digital infrastructure service provider.
[Act 19 of 2024 wef 31/10/2025]
(2H)  Part 3D does not apply to any provider of a foundational digital infrastructure service in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(3)  Except as provided in subsection (4), this Act binds the Government.
(4)  Nothing in this Act renders the Government liable to prosecution for an offence.
(5)  To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government.
PART 2
ADMINISTRATION
Appointment of Commissioner of Cybersecurity and other officers
4.—(1)  The Minister may appoint, from public officers or employees of a statutory body under the charge of the Minister —
(a)a Commissioner of Cybersecurity; and
(b)a Deputy Commissioner and one or more Assistant Commissioners of Cybersecurity, to assist the Commissioner in the discharge of the Commissioner’s duties and functions.
(2)  The Minister may appoint as an Assistant Commissioner under subsection (1)(b) in respect of a provider‑owned critical information infrastructure or a system of temporary cybersecurity concern —
(a)a public officer of another Ministry; or
(b)an employee of a statutory body under the charge of another Minister,
where that other Ministry or statutory body has supervisory or regulatory responsibility over an industry or a sector to which the owner of the provider‑owned critical information infrastructure or the system of temporary cybersecurity concern (as the case may be) belongs.
[Act 19 of 2024 wef 31/10/2025]
(2A)  The Minister may appoint as an Assistant Commissioner under subsection (1)(b) in respect of a designated provider responsible for third‑party‑owned critical information infrastructure, an entity of special cybersecurity interest or a major foundational digital infrastructure service provider —
(a)a public officer of another Ministry; or
(b)an employee of a statutory body under the charge of another Minister,
where that other Ministry or statutory body has supervisory or regulatory responsibility over an industry or a sector to which the designated provider responsible for third‑party‑owned critical information infrastructure, entity of special cybersecurity interest or major foundational digital infrastructure service provider (as the case may be) belongs.
[Act 19 of 2024 wef 31/10/2025]
(3)  The Commissioner may in writing appoint such number of public officers as cybersecurity officers as the Commissioner thinks necessary for carrying this Act into effect.
(4)  Subject to any general or special directions of the Minister, the Commissioner is responsible for the administration of this Act, and has and may perform such duties and functions as are imposed, and exercise such powers as are conferred, upon the Commissioner by this Act.
(5)  The Deputy Commissioner has and may exercise all the powers, duties and functions of the Commissioner except those exercisable under section 7, 9, 9A, 16A, 16C, 16D, 17, 17B, 17C, 18, 18B, 18C, 18G, 18I or 18J.
[Act 19 of 2024 wef 31/10/2025]
(6)  Subject to such conditions or limitations as the Commissioner may specify, an Assistant Commissioner or a cybersecurity officer has and may exercise all the powers, duties and functions of the Commissioner as may be delegated to that Assistant Commissioner or cybersecurity officer in writing, except —
(a)in the case of an Assistant Commissioner, those powers, duties or functions exercisable under this subsection, or section 6, 7, 9, 9A, 16A, 16C, 16D, 17, 17B, 17C, 18, 18B, 18C, 18G, 18I, 18J, 20(5), 37A or 37C; and
[Act 19 of 2024 wef 31/10/2025]
(b)in the case of a cybersecurity officer, those powers, duties or functions exercisable under this subsection, or section 6, 6A, 7, 9, 9A, 12, 16A, 16C, 16D, 16G, 17, 17B, 17C, 17E, 18, 18B, 18C, 18E, 18G, 18I, 18J, 18L, 20(5), 35A, 37A or 37C.
[Act 19 of 2024 wef 31/10/2025]
Duties and functions of Commissioner
5.—(1)  The Commissioner has the following duties and functions:
(a)to oversee and promote the cybersecurity of computers and computer systems in Singapore;
(b)to advise the Government or any other public authority on national needs and policies in respect of cybersecurity matters generally;
(c)to monitor cybersecurity threats, whether such cybersecurity threats occur in or outside Singapore;
(d)to respond to cybersecurity incidents that threaten the national security, defence, economy, foreign relations, public health, public order or public safety, or any essential services, of Singapore, whether such cybersecurity incidents occur in or outside Singapore;
(e)to identify and designate provider‑owned critical information infrastructure or systems of temporary cybersecurity concern, and to regulate owners of provider‑owned critical information infrastructure or systems of temporary cybersecurity concern with regard to the cybersecurity of the provider‑owned critical information infrastructure or systems of temporary cybersecurity concern;
[Act 19 of 2024 wef 31/10/2025]
(ea)to identify and designate designated providers responsible for third‑party‑owned critical information infrastructure, entities of special cybersecurity interest or major foundational digital infrastructure service providers, and to regulate those providers or entities with regard to the cybersecurity of the third‑party‑owned critical information infrastructure, system of special cybersecurity interest or major foundational digital infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(f)to establish cybersecurity codes of practice and standards of performance for implementation by owners of provider‑owned critical information infrastructure or systems of temporary cybersecurity concern, or by designated providers responsible for third‑party‑owned critical information infrastructure, entities of special cybersecurity interest or major foundational digital infrastructure service providers;
[Act 19 of 2024 wef 31/10/2025]
(g)to represent the Government on cybersecurity issues internationally;
(h)to cooperate with computer emergency response teams (CERTs) of other countries or territories on cybersecurity incidents;
(i)to develop and promote the cybersecurity services industry in Singapore;
(j)to license and establish standards in relation to cybersecurity service providers;
(k)to establish standards within Singapore in relation to cybersecurity products or services, and the recommended level of cybersecurity of computer hardware or software, including certification or accreditation schemes or international certification schemes;
[Act 19 of 2024 wef 31/10/2025]
(l)to promote, develop, maintain and improve competencies and professional standards of persons working in the field of cybersecurity;
(m)to support the advancement of technology, and research and development relating to cybersecurity;
(n)to promote awareness of the need for and the importance of cybersecurity in Singapore;
(o)to perform such other functions and discharge such other duties as may be conferred on the Commissioner under any other written law.
[Act 19 of 2024 wef 31/10/2025]
(2)  The office of the Commissioner is to be known as the Cyber Security Agency of Singapore.
[Act 19 of 2024 wef 31/10/2025]
Appointment of authorised officers
6.—(1)  The Commissioner may, after consulting the Minister, in writing appoint any of the following as an authorised officer to assist the Commissioner in exercising the powers under Part 4:
(a)a public officer of another Ministry;
(b)an employee of any statutory body;
(c)an auxiliary police officer appointed under the Police Force Act 2004.
(2)  In exercising any of the powers of enforcement under Part 4, an authorised officer must, on demand, produce to the person against whom the authorised officer is acting the authority issued to the authorised officer by the Commissioner.
(3)  Every authorised officer appointed under subsection (1)(b) or (c) is deemed to be a public servant for the purpose of the Penal Code 1871.
Cyber Security Agency of Singapore’s symbols, etc.
6A.—(1)  The Commissioner has the exclusive right to the use of one or more symbols or representations of the Cyber Security Agency of Singapore as the Commissioner may select or devise (each called in this section the Cyber Security Agency of Singapore’s symbol or representation), and to display or exhibit those symbols or representations in connection with the Cyber Security Agency of Singapore’s activities or affairs.
(2)  The Commissioner must publish any symbol or representation mentioned in subsection (1) in the Gazette.
(3)  A person who —
(a)uses, without the Commissioner’s prior written permission, a symbol or representation that is identical to the Cyber Security Agency of Singapore’s symbol or representation; or
(b)uses a symbol or representation that so resembles the Cyber Security Agency of Singapore’s symbol or representation as to deceive or cause confusion, or to be likely to deceive or to cause confusion,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
[Act 19 of 2024 wef 31/10/2025]
PART 3
PROVIDER-OWNED CRITICAL INFORMATION INFRASTRUCTURE
[Act 19 of 2024 wef 31/10/2025]
Designation of provider-owned critical information infrastructure
7.—(1)  The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a provider-owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
(a)the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
(b)the computer or computer system is located wholly or partly in Singapore.
[Act 19 of 2024 wef 31/10/2025]
(1A)  The Commissioner may, by written notice to the owner of a computer or computer system that is located wholly outside Singapore, designate the computer or computer system as a provider‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
(a)the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
(b)the computer or computer system would have been designated as a provider‑owned critical information infrastructure under subsection (1) had it been located wholly or partly in Singapore.
[Act 19 of 2024 wef 31/10/2025]
(2)  A notice issued under subsection (1) or (1A) must —
(a)identify the computer or computer system that is being designated as a provider-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(b)identify the owner of the computer or computer system so designated as a provider-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(c)inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;
(d)provide the name and contact particulars of the officer assigned by the Commissioner to supervise the provider-owned critical information infrastructure in relation to its cybersecurity;
[Act 19 of 2024 wef 31/10/2025]
(e)inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
(f)inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.
[Act 19 of 2024 wef 31/10/2025]
(3)  Any designation under subsection (1) or (1A) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.
[Act 19 of 2024 wef 31/10/2025]
(4)  The person who receives a notice under subsection (1) or (1A) may request the Commissioner to proceed under subsection (5) upon showing proof that —
(a)the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and
(b)another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.
[Act 19 of 2024 wef 31/10/2025]
(5)  If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1) or (1A), and address and send that amended notice to the person mentioned in subsection (4)(b).
[Act 19 of 2024 wef 31/10/2025]
(6)  During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a provider-owned critical information infrastructure is a reference to the person mentioned in subsection (4)(b).
[Act 19 of 2024 wef 31/10/2025]
(7)  Where —
(a)a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and
(b)the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,
the owner of the provider-owned critical information infrastructure must notify the Commissioner of this without delay.
[Act 19 of 2024 wef 31/10/2025]
(8)  Where a provider-owned critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the provider-owned critical information infrastructure is treated as the owner of the provider-owned critical information infrastructure for the purposes of this Act.
[Act 19 of 2024 wef 31/10/2025]
(9)  A notice issued under this section need not be published in the Gazette.
[Act 19 of 2024 wef 31/10/2025]
Power to obtain information to ascertain if criteria for provider‑owned critical information infrastructure fulfilled
8.—(1)  This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(2)  The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(3)  Without limiting subsection (2), the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —
(a)information relating to —
(i)the function that the computer or computer system is employed to serve; and
(ii)the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;
(b)information relating to the design of the computer or computer system; and
(c)any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(4)  Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(5)  Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.
[Act 19 of 2024 wef 31/10/2025]
Withdrawal of designation of provider-owned critical information infrastructure
9.  The Commissioner may, by written notice, withdraw the designation of any provider-owned critical information infrastructure at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
Extension of designation of provider‑owned critical information infrastructure
9A.—(1)  At any time before the expiry of the designation of a provider‑owned critical information infrastructure, the Commissioner may, by written notice, extend the designation of the provider‑owned critical information infrastructure, if the Commissioner is of the opinion that the computer or computer system continues to fulfil the criteria to be designated as a provider‑owned critical information infrastructure.
(2)  Any extension of a designation under subsection (1) has effect for a period of 5 years starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.
[Act 19 of 2024 wef 31/10/2025]
Furnishing of information relating to provider-owned critical information infrastructure
10.—(1)  The Commissioner may by notice given in the prescribed form and manner, require the owner of a provider-owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:
(a)information on the design, configuration and security of the provider-owned critical information infrastructure;
(b)information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;
(c)information relating to the operation of the provider-owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;
(d)any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(2)  Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
(3)  The owner of a provider-owned critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
[Act 19 of 2024 wef 31/10/2025]
(4)  The owner of a provider-owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).
[Act 19 of 2024 wef 31/10/2025]
(5)  If a material change is made by or on behalf of the owner of a provider-owned critical information infrastructure to the design, configuration, security or operation of the provider-owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (1), the owner of the provider-owned critical information infrastructure must notify the Commissioner of the change not later than 30 days after the change is made.
[Act 19 of 2024 wef 31/10/2025]
(6)  For the purposes of subsection (5), a change is a material change if the change affects or may affect the cybersecurity of the provider-owned critical information infrastructure or the ability of the owner of the provider-owned critical information infrastructure to respond to a cybersecurity threat or incident affecting the provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(7)  Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.
[Act 19 of 2024 wef 31/10/2025]
[Act 19 of 2024 wef 31/10/2025]
11.  [Deleted by Act 19 of 2024 wef 31/10/2025]
Power of Commissioner to issue written directions
12.—(1)  The Commissioner may, if the Commissioner thinks —
(a)it is necessary or expedient for ensuring the cybersecurity of a provider-owned critical information infrastructure or a class of provider-owned critical information infrastructure; or
(b)it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to the owner of a provider-owned critical information infrastructure or a class of such owners.
[Act 19 of 2024 wef 31/10/2025]
(2)  Without limiting subsection (1), a direction under that subsection may relate to —
(a)the action to be taken by the owner or owners in relation to a cybersecurity threat;
(aa)compliance with any prescribed technical or other standards relating to cybersecurity in respect of the provider‑owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(b)compliance with any code of practice or standard of performance applicable to the owner;
(c)the appointment of an auditor approved by the Commissioner to audit the owner or owners on their compliance with this Act or any code of practice or standard of performance applicable to the owner or owners; or
(d)any other matters that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(3)  A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.
[Act 19 of 2024 wef 31/10/2025]
(4)  Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons whom the Commissioner proposes to issue the direction —
(a)stating that the Commissioner proposes to issue the direction and setting out its effect; and
(b)specifying the time within which representations or objections to the proposed direction may be made.
(5)  The Commissioner must consider any representations or objections which are duly made before giving any direction.
(6)  Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
Change in ownership of provider-owned critical information infrastructure
13.—(1)  Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a provider-owned critical information infrastructure, the relevant person must inform the Commissioner of the change in ownership not later than 7 days after the date of that change in ownership.
[Act 19 of 2024 wef 31/10/2025]
(2)  Any person who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
(3)  In subsection (1), the relevant person is —
(a)in the case of a transfer of the whole of the legal ownership of the provider-owned critical information infrastructure to another person — the person who was the owner of the provider-owned critical information infrastructure before the change in ownership; or
[Act 19 of 2024 wef 31/10/2025]
(b)in any other case, an owner of the provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
[Act 19 of 2024 wef 31/10/2025]
Duty to report cybersecurity incident in respect of provider‑owned critical information infrastructure, etc.
14.—(1)  The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a)a prescribed cybersecurity incident in respect of the provider-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(b)a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(ba)a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b);
[Act 19 of 2024 wef 31/10/2025]
(bb)a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider‑owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(c)any other type of cybersecurity incident in respect of the provider-owned critical information infrastructure that the Commissioner has specified by written direction to the owner.
[Act 19 of 2024 wef 31/10/2025]
(2)  The owner of a provider-owned critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the provider-owned critical information infrastructure, as set out in any applicable code of practice.
[Act 19 of 2024 wef 31/10/2025]
(3)  Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
[Act 19 of 2024 wef 31/10/2025]
[Act 19 of 2024 wef 31/10/2025]
Cybersecurity audits and risk assessments of provider‑owned critical information infrastructure
15.—(1)  The owner of a provider-owned critical information infrastructure must —
(a)at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance of the provider-owned critical information infrastructure with this Act, any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the provider‑owned critical information infrastructure, and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and
[Act 19 of 2024 wef 31/10/2025]
(b)at least once a year, starting from the date of the notice issued under section 7, conduct a cybersecurity risk assessment of the provider-owned critical information infrastructure in the prescribed form and manner.
[Act 19 of 2024 wef 31/10/2025]
(2)  The owner of the provider-owned critical information infrastructure must, not later than 30 days after the completion of the audit mentioned in subsection (1)(a) or the cybersecurity risk assessment mentioned in subsection (1)(b), furnish a copy of the report of the audit or assessment to the Commissioner.
[Act 19 of 2024 wef 31/10/2025]
(3)  Where it appears to the Commissioner from the report of an audit furnished under subsection (2), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the owner of the provider-owned critical information infrastructure to cause the auditor to carry out that aspect of the audit again.
[Act 19 of 2024 wef 31/10/2025]
(4)  Where it appears to the Commissioner that —
(a)the owner of a provider‑owned critical information infrastructure has not complied with a provision of this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance; or
(b)any information provided by the owner of a provider‑owned critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,
the Commissioner may for the purpose of ascertaining the owner’s compliance with this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance, or ascertaining the accuracy or completeness of the information (as the case may be) —
(c)by order require an audit in respect of the provider‑owned critical information infrastructure to be carried out by an auditor appointed by the Commissioner, and the cost of such audit must be borne by the owner; or
(d)authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to carry out an inspection of the provider‑owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(5)  Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (2), that the assessment was not carried out satisfactorily, the Commissioner may either —
(a)direct the owner of the provider-owned critical information infrastructure to carry out further steps to evaluate the level of cybersecurity of the provider-owned critical information infrastructure; or
[Act 19 of 2024 wef 31/10/2025]
(b)appoint a cybersecurity service provider to conduct another cybersecurity risk assessment of the provider-owned critical information infrastructure, and the cost of such assessment must be borne by the owner.
[Act 19 of 2024 wef 31/10/2025]
(6)  Where the owner of a provider-owned critical information infrastructure has notified the Commissioner under section 10(5) of a material change made to the design, configuration, security or operation of the provider-owned critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the owner to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1).
[Act 19 of 2024 wef 31/10/2025]
(7)  Any owner of a provider-owned critical information infrastructure who —
(a)without reasonable excuse, fails to comply with subsection (1);
(b)fails to comply with the Commissioner’s direction under subsection (3), (5)(a) or (6); or
(c)obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment mentioned in subsection (5)(b) from being carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
(8)  Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
[Act 19 of 2024 wef 31/10/2025]
Cybersecurity exercises
16.—(1)  The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners of different provider-owned critical information infrastructure in responding to significant cybersecurity incidents.
[Act 19 of 2024 wef 31/10/2025]
(2)  An owner of a provider-owned critical information infrastructure must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner.
[Act 19 of 2024 wef 31/10/2025]
(3)  Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000.
PART 3A
PROVIDERS OF ESSENTIAL SERVICE RESPONSIBLE
FOR CYBERSECURITY OF THIRD‑PARTY‑OWNED
CRITICAL INFORMATION INFRASTRUCTURE
[Act 19 of 2024 wef 31/10/2025]
Designation of provider of essential service responsible for cybersecurity of third‑party‑owned critical information infrastructure
16A.—(1)  The Commissioner may, by written notice to a provider of an essential service, designate the provider as a provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
(a)a computer or computer system (called a third‑party‑owned critical information infrastructure) (whether located in or outside Singapore) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
(b)the computer or computer system is not owned by the provider of the essential service.
(2)  A notice issued under subsection (1) must —
(a)identify the third‑party‑owned critical information infrastructure in relation to which the provider is designated as a designated provider responsible for third‑party‑owned critical information infrastructure;
(b)identify the provider of the essential service so designated as a designated provider responsible for third‑party‑owned critical information infrastructure;
(c)identify the person who appears to be the owner of the third‑party‑owned critical information infrastructure;
(d)inform the designated provider responsible for third‑party‑owned critical information infrastructure regarding the provider’s duties and responsibilities under this Act that arise from the designation;
(e)provide the name and contact particulars of the officer assigned by the Commissioner to supervise the designated provider responsible for third‑party‑owned critical information infrastructure in relation to the cybersecurity of the third‑party‑owned critical information infrastructure;
(f)inform the designated provider responsible for third‑party‑owned critical information infrastructure that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
(g)inform the designated provider responsible for third‑party‑owned critical information infrastructure that the provider may appeal to the Minister against the designation, and provide information on the applicable procedure.
(3)  Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.
(4)  A notice issued under this section need not be published in the Gazette.
[Act 19 of 2024 wef 31/10/2025]
Power to obtain information to ascertain if criteria for designated provider responsible for cybersecurity of third‑party‑owned critical information infrastructure fulfilled
16B.—(1)  This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria in section 16A(1).
(2)  The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by the person, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system that is within that person’s knowledge or which the person can reasonably obtain, as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria in section 16A(1).
(3)  Without limiting subsection (2), the Commissioner may in the notice require the person to provide —
(a)information relating to —
(i)the function that the computer or computer system is employed to serve; and
(ii)the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;
(b)information relating to the design of the computer or computer system; and
(c)any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria in section 16A(1).
(4)  Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(5)  Where a person fails to comply with a notice under subsection (2), and the computer or computer system in relation to which the notice was issued appears to be necessary for the delivery of an essential service provided by the person, the Commissioner may order the person to cease using, directly or indirectly, the computer or computer system in relation to which the notice was issued.
(6)  Any person who, without reasonable excuse, fails to comply with an order issued under subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(7)  Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.
[Act 19 of 2024 wef 31/10/2025]
Withdrawal of designation of designated provider responsible for third-party-owned critical information infrastructure
16C.  The Commissioner may, by written notice, withdraw the designation of any designated provider responsible for third-party-owned critical information infrastructure at any time if the Commissioner is of the opinion that the criteria in section 16A(1) are no longer fulfilled.
[Act 19 of 2024 wef 31/10/2025]
Extension of designation of designated provider responsible for third-party-owned critical information infrastructure
16D.—(1)  At any time before the expiry of the designation of a designated provider responsible for third-party-owned critical information infrastructure, the Commissioner may, by written notice, extend the designation of the designated provider responsible for third-party-owned critical information infrastructure, if the Commissioner is of the opinion that the criteria in section 16A(1) continue to be fulfilled.
(2)  Any extension of a designation under subsection (1) has effect for a period of 5 years starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.
[Act 19 of 2024 wef 31/10/2025]
Furnishing of information relating to third-party-owned critical information infrastructure
16E.—(1)  A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —
(a)upon the request of the designated provider responsible for third‑party‑owned critical information infrastructure pursuant to a notice issued by the Commissioner under subsection (4), furnish the provider the following within a reasonable period:
(i)information on the design, configuration and security of the third-party-owned critical information infrastructure;
(ii)information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(iii)information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(iv)any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure; and
(b)notify the designated provider responsible for third‑party‑owned critical information infrastructure when a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the provider pursuant to a request mentioned in paragraph (a), not later than 30 days after the change is made, so that the provider may notify the Commissioner in accordance with subsection (8).
(2)  Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4)  The Commissioner may by notice given in the prescribed form and manner, require the designated provider responsible for third‑party‑owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:
(a)information on the design, configuration and security of the third‑party‑owned critical information infrastructure;
(b)information on the design, configuration and security of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(c)information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(d)any other information relating to the third‑party‑owned critical information infrastructure that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure.
(5)  Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(6)  The designated provider responsible for third‑party‑owned critical information infrastructure to whom a notice is issued under subsection (4) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(7)  The designated provider responsible for third-party-owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (4).
(8)  If a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (4), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the provider becomes aware of it.
(9)  For the purposes of subsections (1)(b) and (8), a change is a material change if the change affects or may affect the cybersecurity of the third‑party‑owned critical information infrastructure, or the ability of the owner of the third‑party‑owned critical information infrastructure or the designated provider responsible for third‑party‑owned critical information infrastructure, to respond to a cybersecurity threat or incident affecting the third‑party‑owned critical information infrastructure.
(10)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.
[Act 19 of 2024 wef 31/10/2025]
Provider to ensure third‑party‑owned critical information infrastructure conforms with prescribed standards
16F.—(1)  A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure, that the owner will ensure that any applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of that third-party-owned critical information infrastructure.
(2)  Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3)  Where it appears to the Commissioner that —
(a)the standards mentioned in subsection (1) are not maintained in respect of the third‑party‑owned critical information infrastructure despite the issuance of directions mentioned in section 16G(2)(c) and any steps taken by the designated provider responsible for third‑party‑owned critical information infrastructure; and
(b)there is no reasonable excuse for such failure to maintain the standards,
the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(4)  Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) or (3) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
Power of Commissioner to issue written directions
16G.—(1)  The Commissioner may, if the Commissioner thinks —
(a)it is necessary or expedient for ensuring the cybersecurity of a third-party-owned critical information infrastructure or a class of third‑party‑owned critical information infrastructure; or
(b)it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to a designated provider responsible for third‑party‑owned critical information infrastructure or a class of such providers.
(2)  Without limiting subsection (1), a direction under that subsection may relate to —
(a)the action to be taken by the provider or providers in relation to a cybersecurity threat;
(b)compliance with any code of practice or standard of performance applicable to the provider;
(c)steps to be taken by the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to ensure that any prescribed technical or other standards relating to cybersecurity in respect of the third‑party‑owned critical information infrastructure are maintained;
(d)the appointment of an auditor approved by the Commissioner to audit the provider or providers on their compliance with this Act or any code of practice or standard of performance applicable to the provider or providers; or
(e)any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the third‑party‑owned critical information infrastructure.
(3)  A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.
(4)  Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —
(a)stating that the Commissioner proposes to issue the direction and setting out its effect; and
(b)specifying the time within which representations or objections to the proposed direction may be made.
(5)  The Commissioner must consider any representations or objections which are duly made before giving any direction.
(6)  Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
Change in ownership of third‑party‑owned critical information infrastructure
16H.—(1)  A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner will notify the provider of any change in the beneficial or legal ownership (including any share in such ownership) of the third‑party‑owned critical information infrastructure, not later than 7 days after the date of that change in ownership.
(2)  Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4)  Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a third‑party‑owned critical information infrastructure, the designated provider responsible for third-party-owned critical information infrastructure must inform the Commissioner of the change in ownership not later than 7 days after the provider becomes aware of that change in ownership.
(5)  Where the criteria in section 16A(1) are no longer fulfilled, the designated provider responsible for third‑party‑owned critical information infrastructure must inform the Commissioner of the change in circumstances not later than 7 days after the date of the change in circumstances.
(6)  Any person who, without reasonable excuse, fails to comply with subsection (4) or (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
[Act 19 of 2024 wef 31/10/2025]
Duty to report cybersecurity incident in respect of third‑party‑owned critical information infrastructure, etc.
16I.—(1)  A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third-party-owned critical information infrastructure will notify the provider of the occurrence of any of the following within the prescribed period after becoming aware of such occurrence:
(a)a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
(b)a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;
(c)any other type of cybersecurity incident in respect of the third‑party‑owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third-party-owned critical information infrastructure.
(2)  Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4)  The designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a)a prescribed cybersecurity incident in respect of the third‑party‑owned critical information infrastructure;
(b)a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control or the provider’s control, that is interconnected with or that communicates with the third-party-owned critical information infrastructure;
(c)a prescribed cybersecurity incident in respect of any other computer or computer system under the provider’s control that does not fall within paragraph (b);
(d)any other type of cybersecurity incident in respect of the third-party-owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third-party-owned critical information infrastructure.
(5)  The designated provider responsible for third-party-owned critical information infrastructure must establish such mechanisms and processes for the purposes of becoming aware of any cybersecurity threats and incidents in respect of the third-party-owned critical information infrastructure, as set out in any applicable code of practice.
(6)  Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
[Act 19 of 2024 wef 31/10/2025]
Cybersecurity audits and risk assessments of third‑party‑owned critical information infrastructure
16J.—(1)  A designated provider responsible for third-party-owned critical information infrastructure must obtain a legally binding commitment from the owner of the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —
(a)at least once every 2 years (or at such higher frequency as the Commissioner may require in any particular case by written notice to the provider), starting from the date of the notice issued under section 16A(1), cause an audit of the adherence of the third-party-owned critical information infrastructure to any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the third‑party‑owned critical information infrastructure, to be carried out by an auditor approved by the Commissioner;
(b)at least once a year, starting from the date of the notice issued under section 16A(1), conduct a cybersecurity risk assessment of the third‑party‑owned critical information infrastructure in the prescribed form or manner;
(c)furnish a copy of the report of any audit mentioned in paragraph (a), and the report of any cybersecurity risk assessment mentioned in paragraph (b), to the provider, not later than 30 days after the completion of the audit or assessment (as the case may be);
(d)carry out again any aspect of an audit mentioned in paragraph (a) as required by the provider pursuant to a direction from the Commissioner under subsection (6);
(e)cause an audit in respect of the third-party-owned critical information infrastructure to be carried out by an auditor approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (7);
(f)carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure, or cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner, as required by the provider pursuant to a direction from the Commissioner under subsection (8); and
(g)carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in paragraphs (a) and (b), as required by the provider pursuant to a direction from the Commissioner under subsection (9).
(2)  Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.
(3)  Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(4)  The designated provider responsible for third-party-owned critical information infrastructure must obtain from the owner each report of an audit and each report of a cybersecurity risk assessment mentioned in subsection (1)(c).
(5)  The designated provider responsible for third‑party‑owned critical information infrastructure must, not later than 14 days after receiving from the owner a report of an audit or a cybersecurity risk assessment, furnish a copy of the report of the audit or assessment to the Commissioner.
(6)  Where it appears to the Commissioner from the report of an audit furnished under subsection (5), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to carry out that aspect of the audit again.
(7)  Where it appears to the Commissioner that —
(a)the third‑party‑owned critical information infrastructure is not in conformity with any prescribed technical or other standard relating to cybersecurity that is to be maintained in respect of the third‑party‑owned critical information infrastructure; or
(b)any information furnished by the designated provider responsible for third‑party‑owned critical information infrastructure under section 16E is false, misleading, inaccurate or incomplete,
the Commissioner may for the purpose of ascertaining the third‑party‑owned critical information infrastructure’s conformity with the applicable prescribed technical or other standard relating to cybersecurity, or ascertaining the accuracy or completeness of the information (as the case may be), direct the provider to require the owner of the third‑party‑owned critical information infrastructure to cause an audit in respect of the third‑party‑owned critical information infrastructure to be carried out by an auditor approved by the Commissioner.
(8)  Where it appears to the Commissioner, from the report of a cybersecurity risk assessment furnished under subsection (5), that the assessment was not carried out satisfactorily, the Commissioner may direct the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to either —
(a)carry out further steps to evaluate the level of cybersecurity of the third‑party‑owned critical information infrastructure; or
(b)cause another cybersecurity risk assessment of the third‑party‑owned critical information infrastructure to be conducted by a cybersecurity service professional approved by the Commissioner.
(9)  Where the designated provider responsible for third‑party‑owned critical information infrastructure has notified the Commissioner under section 16E(8) of a material change made to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure, or the Commissioner otherwise becomes aware of such material change having been made, the Commissioner may by written notice direct the provider to require the owner of the third‑party‑owned critical information infrastructure to carry out another audit or cybersecurity risk assessment in addition to the audit or cybersecurity risk assessment mentioned in subsection (1)(a) or (b).
(10)  Any designated provider responsible for third‑party‑owned critical information infrastructure who —
(a)without reasonable excuse, fails to comply with subsection (4);
(b)without reasonable excuse, fails to comply with the Commissioner’s direction under subsection (6), (7), (8)(a) or (b) or (9); or
(c)obstructs or prevents an audit mentioned in subsection (7) or a cybersecurity risk assessment mentioned in subsection (8)(b) from being carried out, or impedes the effectiveness of such an audit or cybersecurity risk assessment carried out,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(11)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
Duty to notify material change to legally binding commitment
16K.—(1)  If a material change is made to a legally binding commitment that was obtained by a designated provider responsible for third‑party‑owned critical information infrastructure for the purpose of meeting a requirement under section 16E(1), 16F(1), 16H(1), 16I(1) or 16J(1), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the change is made.
(2)  For the purposes of subsection (1), a change is a material change if the change affects the ability of the designated provider responsible for third‑party‑owned critical information infrastructure to obtain the performance, by the owner of the third‑party‑owned critical information infrastructure, of the actions committed in accordance with the legally binding commitment.
(3)  Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.
[Act 19 of 2024 wef 31/10/2025]
Cybersecurity exercises
16L.—(1)  The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of different designated providers responsible for third‑party‑owned critical information infrastructure in responding to significant cybersecurity incidents.
(2)  A designated provider responsible for third‑party‑owned critical information infrastructure must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner.
(3)  Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000.
[Act 19 of 2024 wef 31/10/2025]
PART 3B
SYSTEMS OF TEMPORARY CYBERSECURITY CONCERN
[Act 19 of 2024 wef 31/10/2025]
Designation of system of temporary cybersecurity concern
17.—(1)  The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a system of temporary cybersecurity concern for the purposes of this Act, if the Commissioner is satisfied that —
(a)for a limited period —
(i)there is a high risk that a cybersecurity threat or cybersecurity incident may be carried out that will jeopardise or adversely affect, without lawful authority, the cybersecurity of the computer or computer system; and
(ii)the loss or compromise of the computer or computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; and
(b)the computer or computer system is located wholly or partly in Singapore.
(2)  A notice issued under subsection (1) must —
(a)identify the computer or computer system that is being designated as a system of temporary cybersecurity concern;
(b)identify the owner of the computer or computer system so designated as a system of temporary cybersecurity concern;
(c)inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;
(d)specify the first and last day of the period of designation, which must not exceed one year;
(e)provide the name and contact particulars of the officer assigned by the Commissioner to supervise the system of temporary cybersecurity concern in relation to its cybersecurity;
(f)inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
(g)inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.
(3)  Any designation under subsection (1) has effect until the end of the period of designation specified in the notice, unless it is withdrawn by the Commissioner before the expiry of the period.
(4)  The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —
(a)the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and
(b)another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.
(5)  If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).
(6)  During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a system of temporary cybersecurity concern is a reference to the person mentioned in subsection (4)(b).
(7)  Where —
(a)a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and
(b)the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,
the owner of the system of temporary cybersecurity concern must notify the Commissioner of this without delay.
(8)  Where a system of temporary cybersecurity concern is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the system of temporary cybersecurity concern is treated as the owner of the system of temporary cybersecurity concern for the purposes of this Act.
(9)  A notice issued under this section need not be published in the Gazette.
[Act 19 of 2024 wef 31/10/2025]
Power to obtain information to ascertain if criteria for system of temporary cybersecurity concern fulfilled
17A.—(1)  This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a system of temporary cybersecurity concern.
(2)  The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern.
(3)  Without limiting subsection (2), for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern, the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —
(a)information relating to —
(i)the function that the computer or computer system is employed to serve; and
(ii)the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;
(b)information relating to the design of the computer or computer system; and
(c)any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria to be designated as a system of temporary cybersecurity concern.
(4)  Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(5)  Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.
[Act 19 of 2024 wef 31/10/2025]
Withdrawal of designation of system of temporary cybersecurity concern
17B.  The Commissioner may, by written notice, withdraw the designation of a system of temporary cybersecurity concern at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a system of temporary cybersecurity concern.
[Act 19 of 2024 wef 31/10/2025]
Extension of designation of system of temporary cybersecurity concern
17C.—(1)  At any time before the expiry of the designation of a system of temporary cybersecurity concern, the Commissioner may, by written notice, extend the designation of the system of temporary cybersecurity concern, if the Commissioner is of the opinion that the computer or computer system continues to fulfil the criteria to be designated as a system of temporary cybersecurity concern.
(2)  Any extension of a designation under subsection (1) has effect for the period stated in the notice in subsection (1) (which must not exceed one year for each extension), starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.
[Act 19 of 2024 wef 31/10/2025]
Furnishing of information relating to system of temporary cybersecurity concern
17D.—(1)  The Commissioner may by notice given in the prescribed form and manner, require the owner of a system of temporary cybersecurity concern to furnish, within a reasonable period specified in the notice, the following:
(a)information on the design, configuration and security of the system of temporary cybersecurity concern;
(b)information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;
(c)information relating to the operation of the system of temporary cybersecurity concern, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;
(d)any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of temporary cybersecurity concern.
(2)  Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(3)  The owner of a system of temporary cybersecurity concern to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(4)  The owner of a system of temporary cybersecurity concern is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).
[Act 19 of 2024 wef 31/10/2025]
Power of Commissioner to issue written directions
17E.—(1)  The Commissioner may, if the Commissioner thinks —
(a)it is necessary or expedient for ensuring the cybersecurity of a system of temporary cybersecurity concern or a class of systems of temporary cybersecurity concern; or
(b)it is necessary or expedient for the effective administration of this Act,
issue a written direction, either of a general or specific nature, to the owner of a system of temporary cybersecurity concern or a class of such owners.
(2)  Without limiting subsection (1), a direction under that subsection may relate to —
(a)the action to be taken by the owner or owners in relation to a cybersecurity threat;
(b)compliance with any prescribed technical or other standards relating to cybersecurity in respect of the system of temporary cybersecurity concern;
(c)compliance with any code of practice or standard of performance applicable to the owner;
(d)the appointment of an auditor approved by the Commissioner to audit the owner or owners on their compliance with this Act or any code of practice or standard of performance applicable to the owner or owners; or
(e)any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the system of temporary cybersecurity concern.
(3)  A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.
(4)  Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —
(a)stating that the Commissioner proposes to issue the direction and setting out its effect; and
(b)specifying the time within which representations or objections to the proposed direction may be made.
(5)  The Commissioner must consider any representations or objections which are duly made before giving any direction.
(6)  Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
[Act 19 of 2024 wef 31/10/2025]
Duty to report cybersecurity incident in respect of system of temporary cybersecurity concern, etc.
17F.—(1)  The owner of a system of temporary cybersecurity concern must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a)a prescribed cybersecurity incident in respect of the system of temporary cybersecurity concern;
(b)a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the system of temporary cybersecurity concern;
(c)a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the system of temporary cybersecurity concern.
(2)  The owner of a system of temporary cybersecurity concern must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the system of temporary cybersecurity concern, as set out in any applicable code of practice.
(3)  Any owner of a system of temporary cybersecurity concern who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.
[Act 19 of 2024 wef 31/10/2025]
18.  [Deleted by Act 19 of 2024 wef 31/10/2025]
PART 4
RESPONSES TO CYBERSECURITY
THREATS AND INCIDENTS
Powers to investigate and prevent cybersecurity incidents, etc.
19.—(1)  Where information regarding a cybersecurity threat or incident has been received by the Commissioner, the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to exercise, such of the powers mentioned in subsection (2) as are necessary to investigate the cybersecurity threat or incident, for the purpose of —
(a)assessing the impact or potential impact of the cybersecurity threat or incident;
(b)preventing any or further harm arising from the cybersecurity incident; or
(c)preventing a further cybersecurity incident from arising from that cybersecurity threat or incident.
(2)  The powers mentioned in subsection (1) are the following:
(a)require, by written notice, any person to attend at such reasonable time and at such place as may be specified by the incident response officer, to answer any question or to provide a signed written statement concerning the cybersecurity threat or incident;
(b)require, by written notice, any person to produce to the incident response officer any physical or electronic record, or document, or a copy of the record or document, that is in the possession of that person, or to provide the incident response officer with any information, which the incident response officer considers to be related to any matter relevant to the investigation;
(c)without giving any fee or reward, inspect, copy or take extracts from such record or document or copy of the record or document mentioned in paragraph (b);
(d)examine orally any person who appears to be acquainted with the facts and circumstances relating to the cybersecurity threat or incident, and reduce to writing any statement made by the person so examined.
(3)  The incident response officer must specify in the notice mentioned in subsection (2)(b) —
(a)the time and place at which any record, document or copy is to be produced or any information is to be provided; and
(b)the manner and form in which it is to be produced or provided.
(4)  A statement made by a person examined under this section must —
(a)be reduced to writing;
(b)be read over to the person;
(c)if the person does not understand English, be interpreted for the person in a language that he or she understands; and
(d)after correction (if necessary), be signed by that person.
(5)  If any person fails to comply with a written notice under subsection (2)(a), the incident response officer may report such failure to a Magistrate who may then issue an order for the person to attend before the Commissioner, at a time and place specified in the order, to answer any question or provide a signed written statement concerning the cybersecurity threat or incident.
(6)  Any person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(7)  The person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued, is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of answering any question asked during the examination or complying with the notice or order.
(8)  Any person who —
(a)wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required of the person by an incident response officer under subsection (2); or
(b)without reasonable excuse, fails to comply with an order issued by a Magistrate under subsection (5),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
(9)  In this section and sections 20, 21 and 22, “incident response officer” means the Commissioner, the Deputy Commissioner or any Assistant Commissioner, cybersecurity officer or authorised officer exercising the powers under this section or section 20, as the case may be.
Powers to investigate and prevent serious cybersecurity incidents, etc.
20.—(1)  Where the Commissioner receives information regarding a cybersecurity threat or incident which satisfies the severity threshold in subsection (3), the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to exercise, such of the powers mentioned in subsection (2) as are necessary to investigate the cybersecurity threat or incident, for the purpose of —
(a)assessing the impact or potential impact of the cybersecurity threat or incident;
(b)eliminating the cybersecurity threat or otherwise preventing any or further harm arising from the cybersecurity incident; or
(c)preventing a further cybersecurity incident.
(2)  The powers mentioned in subsection (1) are the following:
(a)any power mentioned in section 19(2)(a), (b), (c) or (d);
(b)direct, by written notice, any person to carry out such remedial measures, or to cease carrying on such activities, as may be specified to the person, in relation to a computer or computer system that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system;
Examples
 Examples of remedial measures include —
(a)the removal of malicious software from the computer;
(b)the installation of software updates to address cybersecurity vulnerabilities;
(c)temporarily disconnecting infected computers from a computer network until paragraph (a) or (b) is carried out; and
(d)the redirection of malicious data traffic towards a designated computer or computer system.
(c)require the owner of a computer or computer system to take any action to assist with the investigation, including but not limited to —
(i)preserving the state of the computer or computer system by not using it;
(ii)monitoring the computer or computer system for a specified period of time;
(iii)performing a scan of the computer or computer system to detect cybersecurity vulnerabilities and to assess the manner and extent that the computer or computer system is affected by the cybersecurity incident; and
(iv)allowing the incident response officer to connect any equipment to the computer or computer system, or install on the computer or computer system any computer program, as is necessary for the purpose of the investigation;
(d)after giving reasonable notice to the owner or occupier of any premises, enter those premises if the incident response officer reasonably suspects that there is within the premises a computer or computer system that is or was affected by the cybersecurity incident;
(e)access, inspect and check the operation of a computer or computer system that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident, or use or cause to be used any such computer or computer system to search any data contained in or available to such computer or computer system;
(f)perform a scan of a computer or computer system to detect cybersecurity vulnerabilities in the computer or computer system;
(g)take a copy of, or extracts from, any electronic record or computer program contained in a computer that the incident response officer has reasonable cause to suspect is or was affected by the cybersecurity incident;
(h)subject to subsection (5), with the owner’s consent, take possession of any computer or other equipment for the purpose of carrying out further examination or analysis.
(3)  A cybersecurity threat or incident satisfies the severity threshold mentioned in subsection (1) if —
(a)it creates a risk of significant harm being caused to a provider-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(b)it creates a risk of disruption to the provision of an essential service;
(c)it creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; or
(d)the cybersecurity threat or incident is of a severe nature, in terms of the severity of the harm that may be caused to persons in Singapore or the number of computers or value of the information put at risk, whether or not the computers or computer systems put at risk are themselves provider-owned critical information infrastructure.
[Act 19 of 2024 wef 31/10/2025]
(4)  An incident response officer exercising the power mentioned in subsection (2)(e) may require any assistance the incident response officer needs to gain such access from —
(a)any person whom the incident response officer reasonably suspects uses or has used the computer or computer system; or
(b)any person having charge of, or who is otherwise concerned with the operation of, such computer or computer system.
(5)  Where the owner of the computer or other equipment does not consent to the exercise of the power mentioned in subsection (2)(h), the power may be exercised if the Commissioner is satisfied that —
(a)the exercise of the power is necessary for the purposes of the investigation;
(b)there is no less disruptive method of achieving the purpose of the investigation; and
(c)after consultation with the owner, and having regard to the importance of the computer or other equipment to the business or operational needs of the owner, the benefit from the exercise of the power outweighs the detriment caused to the owner,
and the Commissioner has issued to the incident response officer a written authorisation to exercise the power.
(6)  The incident response officer must, immediately after the completion of the further examination or analysis on the computer or other equipment which was taken into possession in exercise of the power mentioned in subsection (2)(h), return the computer or other equipment to the owner.
(7)  Any person who —
(a)in relation to an investigation under this section, wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required of the person by the incident response officer under section 19(2);
(b)in relation to an investigation under this section, without reasonable excuse, fails to comply with an order issued by a Magistrate under section 19(5);
(c)without reasonable excuse, fails to comply with a direction or requirement of an incident response officer under subsection (2)(b) or (c); or
(d)without reasonable excuse, fails to comply with a lawful demand of an incident response officer made in the discharge of the incident response officer’s duties under this section,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 2 years or to both.
Production of identification card by incident response officer
21.  Every incident response officer, when exercising any of the powers under this Part, must declare the incident response officer’s office and must, on demand, produce to any person affected by the exercise of that power such identification card as the Commissioner may direct to be carried by the incident response officer when exercising such power.
Appointment of cybersecurity technical experts
22.—(1)  The Commissioner may in writing appoint any of the following as a cybersecurity technical expert for a specified period to assist any incident response officer in the course of an investigation under section 19 or 20:
(a)a public officer or an employee of a statutory body;
(b)an individual (who is not a public officer or an employee of a statutory body) with suitable qualifications or experience to properly perform the role of a cybersecurity technical expert;
(c)a full-time national serviceman enlisted in any force constituted under the Singapore Armed Forces Act 1972 or in the Special Constabulary constituted under section 66 of the Police Force Act 2004.
(2)  The role of a cybersecurity technical expert is to provide such advice of a technical nature, as the incident response officer may require in the course of an investigation under section 19 or 20.
(3)  The Commissioner may, for any reason that appears to the Commissioner to be sufficient, at any time revoke an individual’s appointment as a cybersecurity technical expert.
(4)  The Commissioner must issue to each cybersecurity technical expert an identification card, which must be carried at all times by the cybersecurity technical expert when performing the role of a cybersecurity technical expert.
(5)  A cybersecurity technical expert whose appointment as such ceases must return any identification card issued to the cybersecurity technical expert under subsection (4) to the Commissioner.
Emergency cybersecurity measures and requirements
23.—(1)  The Minister may, if satisfied that it is necessary for the purposes of preventing, detecting or countering any serious and imminent threat to —
(a)the provision of any essential service; or
(b)the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore,
by a certificate under the Minister’s hand, authorise or direct any person or organisation specified in the certificate (called in this section the specified person) to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer system or any class of computers or computer systems.
(2)  The measures and requirements mentioned in subsection (1) may include, without limitation —
(a)the exercise by the specified person of the powers in sections 39(1)(a) and (b) and (2)(a) and (b) and 40(2)(a), (b) and (c) of the Criminal Procedure Code 2010;
(b)requiring or authorising the specified person to direct another person to provide any information that is necessary to identify, detect or counter any such threat, including —
(i)information relating to the design, configuration or operation of any computer, computer program or computer system; and
(ii)information relating to the cybersecurity of any computer, computer program or computer system;
(c)providing to the Minister or the Commissioner any information (including real‑time information) obtained from any computer controlled or operated by the specified person, or obtained by the specified person from another person pursuant to a measure or requirement under paragraph (b), that is necessary to identify, detect or counter any such threat, including —
(i)information relating to the design, configuration or operation of any computer, computer program or computer system; and
(ii)information relating to the cybersecurity of any computer, computer program or computer system; and
(d)providing to the Minister or the Commissioner a report of a breach or an attempted breach of cybersecurity of a description specified in the certificate under subsection (1), relating to any computer controlled or operated by the specified person.
(3)  Any measure or requirement mentioned in subsection (1), and any direction given by a specified person for the purpose of taking any such measure or complying with any such requirement —
(a)does not confer any right to the production of, or of access to, information subject to legal privilege; and
(b)subject to paragraph (a), has effect despite any obligation or limitation imposed or right, privilege or immunity conferred by or under any law, contract or rules of professional conduct, including any restriction on the disclosure of information imposed by law, contract or rules of professional conduct.
(4)  A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.
(5)  Any person who, without reasonable excuse —
(a)obstructs a specified person in the taking of any measure or in complying with any requirement under subsection (1); or
(b)fails to comply with any direction given by a specified person for the purpose of the specified person taking any such measure or complying with any such requirement,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.
(6)  No civil or criminal liability is incurred by —
(a)a specified person for doing or omitting to do any act if the specified person had done or omitted to do the act in good faith and for the purpose of or as a result of taking any measure or complying with any requirement under subsection (1); or
(b)a person for doing or omitting to do any act if the person had done or omitted to do the act in good faith and for the purpose of or as a result of complying with a direction given by a specified person for the purpose of taking any such measure or complying with any such requirement.
(7)  The following persons are not considered to be in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct:
(a)a specified person who, in good faith, obtains any information for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection, or who discloses any information to the Minister or the Commissioner, in compliance with any requirement under that subsection;
(b)a person who, in good faith, obtains any information, or discloses any information to a specified person, in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection.
(8)  The following persons, namely:
(a)a specified person to whom a person has provided information in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection;
(b)a person to whom a specified person provides information in compliance with any requirement under subsection (1),
must not use or disclose the information, except —
(c)with the written permission of the person from whom the information was obtained or, where the information is the confidential information of a third person, with the written permission of the third person;
(d)for the purpose of preventing, detecting or countering a threat to a computer, computer system or class of computers or computer systems;
(e)to disclose to any police officer or other law enforcement authority any information which discloses the commission of an offence under this Act or any other written law; or
(f)in compliance with a requirement of a court or the provisions of this Act or any other written law.
(9)  Any person who contravenes subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.
(10)  Where an offence is disclosed in the course of or pursuant to the exercise of any power under this section —
(a)no information for that offence may be admitted in evidence in any civil or criminal proceedings; and
(b)no witness in any civil or criminal proceedings is obliged —
(i)to disclose the name, address or other particulars of any informer who has given information with respect to that offence; or
(ii)to answer any question if the answer would lead, or would tend to lead, to the discovery of the name, address or other particulars of the informer.
(11)  If any book, document, data or computer output which is admitted in evidence or liable to inspection in any civil or criminal proceedings contains any entry in which any informer is named or described or which may lead to the informer’s discovery, the court must cause those entries to be concealed from view or to be obliterated so far as may be necessary to protect the informer from discovery.
PART 5
CYBERSECURITY SERVICE PROVIDERS
No person to provide licensable cybersecurity service without licence
24.—(1)  Except under and in accordance with a cybersecurity service provider’s licence granted or renewed under section 26, no person —
(a)may engage in the business of providing any licensable cybersecurity service to other persons; or
(b)being a person who is in the business of providing a licensable cybersecurity service, may advertise, or in any way hold out, that the person provides, or is willing to provide, the licensable cybersecurity service.
(2)  Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both.
(3)  Subsection (1) does not apply to the provision of a cybersecurity service by a company to its related company.
(4)  In this section, “related company” has the meaning given by section 6 of the Companies Act 1967.
Licensing officer and assistant licensing officers
25.—(1)  For the purposes of this Part, the Commissioner is the licensing officer and the officer responsible for the administration of this Part.
(2)  The licensing officer may appoint such number of assistant licensing officers as are necessary to assist the licensing officer in carrying out the licensing officer’s functions and duties under this Part.
(3)  Only public officers may be appointed as assistant licensing officers.
(4)  The functions and duties conferred on the licensing officer by this Part may be performed by any assistant licensing officer and such performance is subject to the direction and control of the licensing officer.
(5)  The Minister may from time to time give to the licensing officer such directions, not inconsistent with the provisions of this Part, as the Minister may consider necessary for carrying out the provisions of this Part, and the licensing officer must comply with any direction so given.
Grant and renewal of licence
26.—(1)  An application for the grant or renewal of a licence must be —
(a)made to the licensing officer in such form or manner as may be prescribed;
(b)accompanied by the prescribed fee (if any); and
(c)in the case of an application for the renewal of a licence, made not later than one month or any other period before the expiry of the licence (called in this section the renewal period) that may be prescribed.
(2)  An applicant for the grant or renewal of a licence must, at the licensing officer’s request, provide such further information or evidence that the licensing officer may require to decide the application.
(3)  Upon receipt of an application under subsection (1), the licensing officer may —
(a)grant or renew the licence applied for; or
(b)refuse the application.
(4)  Subject to the provisions of this Act, an applicant of an application under subsection (1) is eligible for the grant or renewal of the licence if, and only if —
(a)the applicant has paid the prescribed fee (if any); and
(b)the applicant satisfies any other requirements that may be prescribed for such grant or renewal.
(5)  Without affecting subsection (4), the licensing officer may refuse to grant a licence to a person or renew the licence of a person if, in the licensing officer’s opinion —
(a)where the person is an individual, the individual is not a fit and proper person to hold or to continue to hold the licence;
(b)where the person is a business entity, the business entity is not a fit and proper person to hold or to continue to hold the licence; or
(c)it is not in the public interest to grant or renew the licence, or the grant or renewal of the licence may pose a threat to national security.
(6)  Where a person submits an application for the renewal of the person’s licence before the start of the renewal period, the licence continues in force until the date on which the licence is renewed or the application for its renewal is refused, as the case may be.
(7)  Any person who, in making an application for the grant or renewal of a licence —
(a)makes any statement or furnishes any particulars, information or document which the person knows to be false or does not believe to be true; or
(b)furnishes any information which the person knows or has reason to believe is misleading in a material particular,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.
(8)  In deciding for the purposes of this section whether an individual or a business entity is a fit and proper person to hold or continue to hold a licence, the licensing officer may take into account any matter the licensing officer considers relevant, including any of the following:
(a)in the case of an individual —
(i)that the individual has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
(ii)that the individual has had a judgment entered against the individual in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on the part of the individual;
(iii)that the individual is or was suffering from a mental disorder;
(iv)that the individual is an undischarged bankrupt or has entered into a composition with the creditors of the individual; or
(v)that the individual has had a licence revoked by the licensing officer previously;
(b)in the case of a business entity —
(i)that the business entity has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
(ii)that the business entity has had a judgment entered against the business entity in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on the part of the business entity;
(iii)that any officer of the business entity is not a fit and proper person to be an officer of a business entity holding the licence;
(iv)that the business entity is in liquidation or is the subject of a winding up order, or there is a receiver appointed in relation to the business entity, or the business entity has entered into a composition or scheme of arrangement with the creditors of the business entity; or
(v)that the business entity has had a licence revoked by the licensing officer previously.
(9)  In deciding, for the purposes of subsection (8)(b)(iii), whether an officer of a business entity is a fit and proper person to be an officer of a business entity holding a licence, the licensing officer may take into account any matter the licensing officer considers relevant, including any of the matters in subsection (8)(a)(i) to (v) with each reference to the individual substituted with a reference to the officer.
(10)  In this section, “officer of a business entity” means any director or partner of the business entity or other person who is responsible for the management of the business entity.
Conditions of licence
27.—(1)  The licensing officer may grant a licence to an applicant, or renew an applicant’s licence, subject to such conditions as the licensing officer thinks fit to impose.
(2)  For the purpose of subsection (1), the licensing officer may specify —
(a)conditions applicable to all licensees;
(b)conditions applicable to a specified class of licensees; or
(c)conditions applicable to a specified licensee only.
(3)  The licensing officer may at any time add to, modify or revoke any condition of a licence imposed under subsection (1).
(4)  Before making any modification to the conditions of a licence, the licensing officer must give notice to the licensee concerned —
(a)stating that the licensing officer proposes to make the modification in the manner specified in the notice; and
(b)specifying the time (being not less than 14 days after the date of service of the notice) within which written representations with respect to the proposed modification may be made.
(5)  Upon receipt of any written representation mentioned in subsection (4)(b), the licensing officer must consider the representation and may —
(a)reject the representation; or
(b)withdraw or amend the proposed modification whether in accordance with the representation or otherwise,
and, in either case (except where the proposed modification is withdrawn), must issue a written direction to the licensee concerned requiring that effect be given within a reasonable time to the proposed modification specified in the notice or to such modification as amended.
Form and validity of licence
28.—(1)  A licence must —
(a)be in such form as the licensing officer may determine; and
(b)contain the conditions subject to which it is granted.
(2)  A licence is in force for such period (not exceeding 5 years) as the licensing officer may specify in the licence, starting from the date of its issue.
(3)  A licence that is renewed continues in force for such period (not exceeding 5 years) as the licensing officer may specify in writing to the licensee, starting from the date immediately following that on which (but for its renewal) the licence would have expired.
Duty to keep records
29.—(1)  A licensee must —
(a)in relation to each occasion on which the licensee is engaged to provide its cybersecurity service, keep a record of the following information:
(i)the name and address of the person engaging the licensee for the service;
(ii)the name of the person providing the service on behalf of the licensee;
(iii)the date on which the service is provided;
(iv)details of the type of service provided;
(v)any other particulars that may be prescribed; and
(b)retain every such record for a period of not less than 3 years after the date of the occasion to which the record relates.
(2)  Every licensee must furnish to the licensing officer such records at such time, in such format and through such medium (whether electronic or otherwise) as the licensing officer may require.
(3)  If a licensee —
(a)knowingly makes a record that —
(i)is false or misleading; or
(ii)omits any matter or thing without which the record is misleading; and
(b)furnishes the record to the licensing officer following a requirement under subsection (2),
the licensee shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.
(4)  Subsection (3) does not apply if the record is not false or misleading in a material particular.
Monitoring powers of licensing officer
29A.—(1)  The licensing officer has, for the purposes of the execution of this Part, power to do all or any of the following:
(a)to enter, inspect and examine at a reasonable time the place of business of a licensee;
(b)to require a licensee to produce any records, accounts and documents kept by the licensee within such reasonable time as is specified by the licensing officer;
(c)to inspect, examine and make copies of any records, accounts and documents so produced;
(d)to make such inquiry as may be necessary to ascertain whether a licensee has complied with any condition of a licence, or any provisions of this Part.
(2)  Where any records, accounts and documents mentioned in subsection (1) are kept in electronic form, then —
(a)the power of the licensing officer in subsection (1)(b) to require any records, accounts or documents to be produced for inspection includes the power to require a copy of the records, accounts or documents to be made available for inspection in legible form (and subsection (1)(c) is to accordingly apply in relation to any copy so made available); and
(b)the power of the licensing officer under subsection (1)(c) to inspect any records, accounts or documents includes the power to require any person on the premises in question to give the licensing officer such assistance as he or she may reasonably require to enable him or her —
(i)to inspect and make copies of the records, accounts or documents in legible form or to make records of information contained in them; or
(ii)to inspect and check the operation of any computer, and any associated apparatus or material, that is or has been in use in connection with the keeping of the records, accounts or documents.
(3)  Any person who, without reasonable excuse, fails to comply with any requirement imposed under this section shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.
[Act 19 of 2024 wef 31/10/2025]
Revocation or suspension of licence
30.—(1)  Subject to subsection (4), the licensing officer may by order revoke any licence if the licensing officer is satisfied that —
(a)the licensee has failed to comply with any condition to which the licence is subject;
(b)the licence had been obtained by fraud or misrepresentation;
(c)a circumstance existed at the time the licence was granted or renewed that the licensing officer was unaware of, which would have required or permitted the licensing officer to refuse to grant or renew the licensee’s licence if the licensing officer had been aware of the circumstance at that time;
(d)the licensee has ceased to carry on in Singapore the business for which the licensee is licensed;
(e)the licensee has been declared bankrupt or has gone into compulsory or voluntary liquidation other than for the purpose of amalgamation or reconstruction;
(f)the licensee has been convicted of an offence under this Act, or an offence involving fraud, dishonesty or moral turpitude;
(g)the licensee is no longer a fit and proper person to continue to hold the licence; or
(h)it is undesirable in the public interest for the licensee to continue to carry on the business of a licensee.
(2)  Subject to subsection (4), the licensing officer may, in any case in which the licensing officer considers that no cause of sufficient gravity for revoking any licence exists, by order —
(a)suspend the licence for a period not exceeding 6 months;
(b)censure the licensee concerned; or
(c)impose any other conditions that the licensing officer considers appropriate.
(3)  The licensing officer must give the licensee written notice of —
(a)the licensing officer’s intention to exercise any power under subsection (1) or (2); and
(b)the date on which the licensing officer intends to exercise the power.
(4)  The licensing officer must not, during a period of 14 days after the licensing officer informs the licensee of such intention, exercise any power under subsection (1) or (2) unless the licensee concerned is given an opportunity to be heard, whether in person or by a representative and whether in writing or otherwise.
(5)  Where the licensing officer has by order revoked a licence under subsection (1) or made any order under subsection (2) in respect of a licensee, the licensing officer must serve on the licensee concerned a notice of the order.
(6)  An order under subsection (1) or (2) by the licensing officer revoking or suspending a licence —
(a)takes effect immediately upon service of the notice of the order under subsection (5), in a case where the licensing officer states in the order that it is undesirable in the public interest for the licensee to continue to carry on the licensee’s business as a licensee; and
(b)in any other case, takes effect at the end of 14 days after the service of the notice of the order on the licensee under subsection (5).
(7)  In any proceedings under this section consequent upon the conviction of a licensee for a criminal offence, the licensing officer must accept the licensee’s conviction as final.
(8)  In deciding for the purposes of this section whether a licensee is a fit and proper person to continue to hold a licence, the licensing officer may take into account any matter the licensing officer considers relevant, including any matter mentioned in section 26(8).
Unlicensed cybersecurity service provider not to recover fees, etc.
31.  Any person who provides any licensable cybersecurity service is not entitled to bring any proceeding in any court to recover any commission, fee, gain or reward for the service provided unless, at the time of providing the service, the person is the holder of a valid cybersecurity service provider’s licence.
Financial penalty
32.—(1)  This section applies where a licensee —
(a)contravenes a provision of this Part, which contravention is not an offence; or
(b)fails to comply with any condition imposed by the licensing officer on the licence.
(2)  On the occurrence of a contravention or failure to comply mentioned in subsection (1), the licensing officer may, in addition to or instead of taking any action under section 30(1) or (2), order the licensee to pay a financial penalty of an amount not exceeding $10,000 for each contravention or failure to comply, but not exceeding in the aggregate $50,000.
(3)  The order mentioned in subsection (2) must specify the date by which the financial penalty is to be paid.
Licensing officer to give opportunity to make representations before ordering financial penalty
33.—(1)  Subsections (2) to (6) apply before the licensing officer makes an order under section 32(2).
(2)  The licensing officer must give the licensee written notice of —
(a)the licensing officer’s intention to make the order under section 32(2); and
(b)the date on which the licensing officer intends to make the order.
(3)  The date mentioned in subsection (2)(b) must not be earlier than 21 days after the date of the written notice in subsection (2).
(4)  The licensee may make representations to the licensing officer at any time before the date mentioned in subsection (2)(b).
(5)  The licensing officer must consider any representation made by the licensee before the date mentioned in subsection (2)(b).
(6)  The licensing officer must, on or after the date mentioned in subsection (2)(b), give the licensee written notice of the licensing officer’s final decision.
Recovery of financial penalties
34.—(1)  Any person who fails to pay any financial penalty imposed by the licensing officer by the date specified in the order under section 32(2) or where there is an appeal to the Minister, by the date specified by the Minister, is liable to pay to the licensing officer interest on the amount unpaid at the same rate as for a judgment debt.
(2)  Any financial penalty payable pursuant to an order under section 32(2), and any interest under subsection (1), is recoverable by the licensing officer, or any person duly authorised by the licensing officer to act on his or her behalf, as a debt due to the Government.
(3)  The licensing officer may, in any case in which the licensing officer thinks fit, waive, remit or refund in whole or in part any financial penalty imposed or any interest due on any financial penalty.
(4)  Any financial penalty and any interest on any financial penalty collected under this section must be paid into the Consolidated Fund.
(5)  In any proceedings for the recovery of any financial penalty or interest due on any financial penalty which any person is liable to pay, a certificate purporting to be under the hand of the licensing officer certifying the amount of the financial penalty or interest due on the financial penalty that is payable by the person is prima facie evidence of the facts stated in the certificate.
Appeal to Minister
35.—(1)  Any person whose application for a licence or for the renewal of a licence has been refused by the licensing officer may, within the relevant period after being notified of such refusal, appeal against the refusal in the prescribed manner to the Minister.
(2)  Where a licence is granted or renewed by the licensing officer subject to conditions or where any condition is added or modified under section 27(3), the licensee concerned may, within the relevant period after being notified of such conditions, addition or modification, appeal against the conditions in the prescribed manner to the Minister.
(3)  If the licensing officer has made any order under section 30(1) or (2) in respect of any licensee, the licensee may, within the relevant period after being served with the notice of the order, appeal against the order in the prescribed manner to the Minister.
(4)  Any person aggrieved by the licensing officer’s order under section 32(2) may, within the relevant period after being notified of the order, appeal against the order in the prescribed manner to the Minister.
(5)  In any appeal under this section against an order of the licensing officer made consequent upon the conviction of the licensee for a criminal offence, the Minister must accept the licensee’s conviction as final.
(6)  An appeal under this section against a decision of the licensing officer (except an order mentioned in section 30(6)(b) or 32(2)) does not affect the effect of the decision appealed against or prevent the taking of action to implement the decision and the decision appealed against must be complied with until the determination of the appeal.
(7)  The decision of the Minister on an appeal under this section is final.
(8)  In this section, “relevant period” means 14 days or such longer period as the Minister allows in a particular case, whether allowed before or after the end of the 14 days.
PART 6
GENERAL
Codes of practice and standards of performance
35A.—(1)  The Commissioner may, from time to time —
(a)issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated:
(i)owners of provider-owned critical information infrastructure — the provider-owned critical information infrastructure;
(ii)designated providers responsible for third‑party‑owned critical information infrastructure — the third-party-owned critical information infrastructure for which they are responsible;
(iii)owners of systems of temporary cybersecurity concern — the systems of temporary cybersecurity concern;
(iv)entities of special cybersecurity interest — the systems of special cybersecurity interest in relation to which they are designated;
(v)major foundational digital infrastructure service providers — the major foundational digital infrastructure in relation to which they are designated; and
(b)amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).
(2)  If any provision in any code of practice or standard of performance is inconsistent with this Act, the provision, to the extent of the inconsistency, does not have effect.
(3)  Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must —
(a)publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;
(b)specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and
(c)ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to a person to whom that code or standard applies.
(4)  None of the following has any effect until the notice relating to it is published in accordance with subsection (3):
(a)a code of practice or standard of performance;
(b)an amendment to a code of practice or standard of performance;
(c)a revocation of a code of practice or standard of performance.
(5)  Any code of practice or standard of performance has no legislative effect.
(6)  Subject to subsections (4) and (7), every person mentioned in subsection (1) must comply with the codes of practice and standards of performance that apply to the person.
(7)  The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to a person of any code of practice or standard of performance, or any part of it.
[Act 19 of 2024 wef 31/10/2025]
Appeal to Minister against decision, etc., under Parts 3, 3A, 3B, 3C and 3D, etc.
35B.—(1)  This section applies to appeals to the Minister against any decision, order or written direction of the Commissioner under Part 3, 3A, 3B, 3C or 3D set out in subsection (2), or any code of practice or standard of performance issued, approved or amended by the Commissioner.
(2)  A person who is aggrieved by —
(a)the decision of the Commissioner to issue a notice under —
(i)section 7(1) or (1A) designating the provider‑owned critical information infrastructure as such;
(ii)section 16A(1) designating the designated provider responsible for third-party-owned critical information infrastructure as such;
(iii)section 17(1) designating the system of temporary cybersecurity concern as such;
(iv)section 18(1) designating the entity of special cybersecurity interest as such; or
(v)section 18G(1) designating the major foundational digital infrastructure service provider as such;
(b)the decision of the Commissioner to issue a notice under —
(i)section 9A(1) extending the designation of the provider-owned critical information infrastructure as such;
(ii)section 16D(1) extending the designation of the designated provider responsible for third‑party‑owned critical information infrastructure as such;
(iii)section 17C(1) extending the designation of the system of temporary cybersecurity concern as such;
(iv)section 18C(1) extending the designation of the entity of special cybersecurity interest as such; or
(v)section 18J(1) extending the designation of the major foundational digital infrastructure service provider as such;
(c)an order of the Commissioner under section 16B(5), 16E(2), 16F(2) or (3), 16H(2), 16I(2) or 16J(2);
(d)a written direction of the Commissioner under section 12(1), 16(2), 16G(1), 16L(2), 17E(1), 18E(1) or 18L(1); or
(e)any provision in any code of practice or standard of performance issued or approved by the Commissioner that applies to the person, or any amendment made to it,
may appeal to the Minister against the decision, order, direction, provision or amendment in the manner prescribed.
(3)  An appeal under subsection (2) must be made within 30 days after the date of the notice, order or direction, or the issue, approval or amendment (as the case may be) of the code of practice or standard of performance (as the case may be) or such longer period as the Minister allows in a particular case (whether allowed before or after the end of the 30 days).
(4)  Any person who makes an appeal to the Minister under subsection (2) must, within the period specified in subsection (3) —
(a)state as concisely as possible the circumstances under which the appeal arises, and the issues and grounds for the appeal; and
(b)submit to the Minister all relevant facts, evidence and arguments for the appeal.
(5)  Where an appeal has been made to the Minister under subsection (2), the Minister may require —
(a)any party to the appeal; and
(b)any person who is not a party to the appeal but appears to the Minister to have information that is relevant to the matters appealed against,
to provide the Minister with all such information as the Minister may require, whether for the purpose of deciding if an Appeals Advisory Panel should be established or for determining the appeal, and any person so required must provide the information in such manner and within such period as may be specified by the Minister.
(6)  The Minister may dismiss an appeal of an appellant who fails to comply with subsection (4) or (5).
(7)  Unless otherwise provided by this Act or allowed by the Minister, where an appeal is lodged under this section, the decision, order, direction or other thing appealed against must be complied with until the determination of the appeal.
(8)  The Minister may determine an appeal under this section —
(a)by confirming, varying or reversing a decision, notice, order, direction, provision of a code of practice or standard of performance, or an amendment to such code or standard; or
(b)by directing the Commissioner to reconsider the Commissioner’s decision, notice, order, direction or provision of a code of practice or standard of performance, as the case may be.
(9)  Before determining an appeal under subsection (8), the Minister may consult any Appeals Advisory Panel established for the purpose of advising the Minister in respect of the appeal but, in making such determination, is not bound by the advice of the Panel.
(10)  The decision of the Minister in any appeal is final.
(11)  The Minister may make regulations in respect of the manner in which an appeal may be made to, and the procedure to be adopted in the hearing of any appeal by, the Minister under this section.
[Act 19 of 2024 wef 31/10/2025]
Appeals Advisory Panel
35C.—(1)  Where the Minister considers that an appeal lodged under section 35B(2) involves issues the resolution or understanding of which require particular technical skills or specialised knowledge, the Minister may establish an Appeals Advisory Panel to provide advice to the Minister in respect of the appeal.
(2)  For the purposes of establishing an Appeals Advisory Panel, the Minister may do all or any of the following:
(a)determine, and from time to time vary, the terms of reference of the Appeals Advisory Panel;
(b)appoint persons possessing particular technical skills or specialised knowledge to be the chairperson and other members of an Appeals Advisory Panel;
(c)at any time remove the chairperson or other member of an Appeals Advisory Panel from such office;
(d)determine any other matter which the Minister considers incidental to or expedient for the proper and efficient conduct of business by the Appeals Advisory Panel.
(3)  An Appeals Advisory Panel may regulate its proceedings in such manner as it considers appropriate, subject to the following:
(a)the quorum for a meeting of the Appeals Advisory Panel is a majority of its members;
(b)a decision supported by a majority of the votes cast at a meeting of the Appeals Advisory Panel at which a quorum is present is the decision of that Panel.
(4)  The remuneration and allowances (if any) of a member of an Appeals Advisory Panel is to be determined by the Minister.
(5)  An Appeals Advisory Panel is independent in the performance of its functions.
[Act 19 of 2024 wef 31/10/2025]
Offences by corporations
36.—(1)  Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of a corporation in relation to a particular conduct, evidence that —
(a)an officer, employee or agent of the corporation engaged in that conduct within the scope of his or her actual or apparent authority; and
(b)the officer, employee or agent had that state of mind,
is evidence that the corporation had that state of mind.
(2)  Where a corporation commits an offence under this Act, a person —
(a)who is —
(i)an officer of the corporation, or a member of the corporation (in the case where the affairs of the corporation are managed by its members); or
(ii)an individual involved in the management of the corporation and in a position to influence the conduct of the corporation in relation to the commission of the offence; and
(b)who —
(i)consented or connived, or conspired with others, to effect the commission of the offence;
(ii)is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence by the corporation; or
(iii)knew or ought reasonably to have known that the offence by the corporation (or an offence of the same type) would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence,
shall be guilty of that same offence as is the corporation, and shall be liable on conviction to be punished accordingly.
(3)  A person mentioned in subsection (2) may rely on a defence that would be available to the corporation if it were charged with the offence with which the person is charged and, in doing so, the person bears the same burden of proof that the corporation would bear.
(4)  To avoid doubt, this section does not affect the application of —
(a)Chapters 5 and 5A of the Penal Code 1871; or
(b)the Evidence Act 1893 or any other law or practice regarding the admissibility of evidence.
(5)  To avoid doubt, subsection (2) also does not affect the liability of the corporation for an offence under this Act, and applies whether or not the corporation is convicted of the offence.
(6)  In this section —
“corporation” includes a limited liability partnership within the meaning of section 2(1) of the Limited Liability Partnerships Act 2005;
“officer”, in relation to a corporation, means any director, partner, chief executive, manager, secretary or other similar officer of the corporation, and includes —
(a)any person purporting to act in any such capacity; and
(b)for a corporation whose affairs are managed by its members, any of those members as if the member were a director of the corporation;
“state of mind” of a person includes —
(a)the knowledge, intention, opinion, belief or purpose of the person; and
(b)the person’s reasons for the intention, opinion, belief or purpose.
Offences by unincorporated associations or partnerships
37.—(1)  Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of an unincorporated association or a partnership in relation to a particular conduct, evidence that —
(a)an employee or agent of the unincorporated association or the partnership engaged in that conduct within the scope of his or her actual or apparent authority; and
(b)the employee or agent had that state of mind,
is evidence that the unincorporated association or partnership had that state of mind.
(2)  Where an unincorporated association or a partnership commits an offence under this Act, a person —
(a)who is —
(i)an officer of the unincorporated association or a member of its governing body;
(ii)a partner in the partnership; or
(iii)an individual involved in the management of the unincorporated association or the partnership and in a position to influence the conduct of that unincorporated association or that partnership in relation to the commission of the offence; and
(b)who —
(i)consented or connived, or conspired with others, to effect the commission of the offence;
(ii)is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence by the unincorporated association or the partnership; or
(iii)knew or ought reasonably to have known that the offence by the unincorporated association or the partnership (or an offence of the same type) would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence,
shall be guilty of the same offence as is that unincorporated association or that partnership, and shall be liable on conviction to be punished accordingly.
(3)  A person mentioned in subsection (2) may rely on a defence that would be available to the unincorporated association or the partnership if it were charged with the offence with which the person is charged and, in doing so, the person bears the same burden of proof as that unincorporated association or that partnership would bear.
(4)  To avoid doubt, this section does not affect the application of —
(a)Chapters 5 and 5A of the Penal Code 1871; or
(b)the Evidence Act 1893 or any other law or practice regarding the admissibility of evidence.
(5)  To avoid doubt, subsection (2) also does not affect the liability of an unincorporated association or a partnership for an offence under this Act, and applies whether or not that unincorporated association or that partnership is convicted of the offence.
(6)  In this section —
“officer”, in relation to an unincorporated association (other than a partnership), means the president, the secretary, or any member of the committee of the unincorporated association, and includes —
(a)any person holding a position analogous to that of president, secretary or member of a committee of the unincorporated association; and
(b)any person purporting to act in any such capacity;
“partner” includes a person purporting to act as a partner;
“state of mind” of a person includes —
(a)the knowledge, intention, opinion, belief or purpose of the person; and
(b)the person’s reasons for the intention, opinion, belief or purpose.
Powers of investigation
38.—(1)  An investigation officer authorised by the Commissioner may, in relation to any offence under this Act (except any offence under section 23) or any regulations made under this Act, on declaration of the investigation officer’s office and production to the person against whom the investigation officer is acting such identification card as the Commissioner may direct to be carried —
(a)require any person whom the investigation officer reasonably believes to have committed that offence to furnish evidence of the person’s identity;
(b)require, by written notice, any person whom the investigation officer reasonably believes has —
(i)any information; or
(ii)any document in the person’s custody or control,
that is relevant to the investigation, to furnish that information or document within the time and manner specified in the written notice;
(c)require, by written order, the attendance before the investigation officer of any person within the limits of Singapore who, from any information given or otherwise obtained by the investigation officer, appears to be acquainted with the facts or circumstances of the case; or
(d)examine orally any person who appears to be acquainted with the facts or circumstances of the case —
(i)whether before or after that person or anyone else is charged with an offence in connection with the case; and
(ii)whether or not that person is to be called as a witness in any inquiry, trial or other proceedings in connection with the case.
(2)  The person mentioned in subsection (1)(d) is bound to state truly the facts and circumstances with which the person is acquainted concerning the case, except that the person need not say anything that might expose the person to a criminal charge, penalty or forfeiture.
(3)  A statement made by a person examined under subsection (1)(d) must —
(a)be reduced to writing;
(b)be read over to the person;
(c)if the person does not understand English, be interpreted to the person in a language that the person understands; and
(d)after correction (if necessary), be signed by the person.
(4)  If any person fails to attend as required by an order under subsection (1)(c), the investigation officer may report such failure to a Magistrate who may then issue a warrant to secure the attendance of that person as required by the order.
(5)  An investigation officer may, without payment, take possession or make copies of any document (or any part of it) furnished under subsection (1), for further investigation.
(6)  Any person who —
(a)refuses to give access to, or assaults, obstructs, hinders or delays, an investigation officer in the discharge of the investigation officer’s duties under this Act;
(b)wilfully misstates or without lawful excuse refuses to give any information or produce any document required by an investigation officer under subsection (1); or
(c)fails to comply with a lawful demand of an investigation officer in the discharge of the investigation officer’s duties under this Act,
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 12 months or to both.
(7)  In this section and section 39, “investigation officer” means the Deputy Commissioner, or any Assistant Commissioner or cybersecurity officer authorised by the Commissioner, exercising the powers of investigation under this section or section 39.
Power to enter premises under warrant
39.—(1)  A Magistrate may, on the application of an investigation officer, issue a warrant in respect of any premises if the Magistrate is satisfied that there are reasonable grounds to suspect that there is on the premises any document —
(a)which has been required by an investigation officer under section 38 to be furnished, but has not been furnished in compliance with that requirement; or
(b)which, if required by an investigation officer under section 38 to be furnished, will be concealed, removed, tampered with or destroyed.
(2)  If the Magistrate is also satisfied that there are reasonable grounds to suspect that there is on those premises any other document that relates to any matter relevant to the investigation concerned, the Magistrate may direct that the powers exercisable under the warrant extend to that other document.
(3)  A warrant under subsection (1) may authorise a named investigation officer, and any other officer whom the Commissioner has authorised in writing to accompany the investigation officer —
(a)to enter and search the premises specified in the warrant, using such force as is reasonably necessary for the purpose;
(b)to take possession of, make copies of, or secure against interference, any document (or any part of it) that appears to be a document mentioned in subsection (1) or (2) (called in this section the relevant document);
(c)to require any person on the premises to provide an explanation of any relevant document or, where applicable, to state, to the best of that person’s knowledge and belief, where the relevant document may be found; and
(d)to require any relevant document that is stored in electronic form and accessible at the premises to be produced in a form that —
(i)can be taken away; and
(ii)is visible and legible.
(4)  The warrant continues in force until the end of the period of one month beginning on the day on which it is issued.
(5)  If the owner or occupier of the premises is present when the investigation officer proposes to execute the warrant, the investigation officer must —
(a)identify himself or herself to the owner or occupier;
(b)show the owner or occupier proof of the identity and authorisation of the investigation officer; and
(c)give the owner or occupier a copy of the warrant.
(6)  If there is no one at the premises when the investigation officer proposes to execute the warrant, the investigation officer must, before executing it —
(a)take such steps as are reasonable in all the circumstances to inform the owner or occupier of the premises of the intended entry into the premises; and
(b)where the owner or occupier is so informed, give the owner or occupier or the legal or other representative of the owner or occupier a reasonable opportunity to be present when the warrant is executed.
(7)  If the investigation officer is unable to inform the owner or occupier of the premises of the intended entry into the premises, the investigation officer must, when executing the warrant, leave a copy of it in a prominent place on the premises.
(8)  The investigation officer must —
(a)prepare and sign a list of all documents and other things taken under subsection (3)(b) and (d) in execution of the warrant; and
(b)give a copy of the list to the owner or occupier of the premises or the legal or other representative of the owner or occupier.
(9)  On leaving the premises after executing the warrant, the investigation officer must, if the premises are unoccupied or the owner or occupier of the premises is temporarily absent, leave the premises as effectively secured as the investigation officer found them.
(10)  In this section —
“occupier”, in relation to any premises specified in a warrant under subsection (1), means a person whom the investigation officer named in the warrant reasonably believes to be the occupier of those premises;
“premises” includes any building, structure, vehicle, vessel or aircraft.
Jurisdiction of court
40.  Despite any provision to the contrary in the Criminal Procedure Code 2010, a District Court has jurisdiction to try any offence under this Act and has power to impose the full penalty or punishment in respect of the offence.
Composition of offences
41.—(1)  The Commissioner or any Assistant Commissioner authorised by the Commissioner may compound any offence under this Act that is prescribed as a compoundable offence by collecting from a person reasonably suspected of having committed the offence a sum not exceeding the lower of the following:
(a)one half of the amount of the maximum fine that is prescribed for the offence;
(b)a sum of $5,000.
(2)  Where any offence is compoundable under this section, the abetment of or a conspiracy to commit the offence, or an attempt to commit the offence when the attempt is itself an offence, may be compounded in like manner.
(3)  On payment of the sum of money, no further proceedings may be taken against that person in respect of the offence.
(4)  All sums collected under this section must be paid into the Consolidated Fund.
Extension of time
41A.—(1)  A person who, in any particular case, is unable to do any thing that the person is required to do under Part 3, 3A, 3B, 3C or 3D (including any direction or order issued under those Parts) within the time specified for it may apply in writing to the Commissioner for an extension of time.
(2)  The Commissioner may grant an extension of time (whether for the same or less than the period of extension applied for), upon being satisfied that there are good reasons to do so.
[Act 19 of 2024 wef 31/10/2025]
Service of documents
42.—(1)  A document that is permitted or required by this Act to be served on a person may be served as described in this section.
(2)  A document permitted or required by this Act to be served on an individual may be served —
(a)by giving it to the individual personally;
(b)by sending it by prepaid registered post to the address specified by the individual for the service of documents or, if no address is so specified, the individual’s residential address or business address;
(c)by leaving it at the individual’s residential address with an adult apparently resident there, or at the individual’s business address with an adult apparently employed there;
(d)by affixing a copy of the document in a conspicuous place at the individual’s residential address or business address;
(e)by sending it by fax to the fax number last known to the person giving or serving the document as the fax number for the service of documents on the individual; or
(f)by sending it by email to the individual’s email address.
(3)  A document permitted or required by this Act to be served on a partnership (other than a limited liability partnership) may be served —
(a)by giving it to any partner or other like officer of the partnership;
(b)by leaving it at, or by sending it by prepaid registered post to, the partnership’s business address;
(c)by sending it by fax to the fax number used at the partnership’s business address; or
(d)by sending it by email to the partnership’s email address.
(4)  A document permitted or required by this Act to be served on a body corporate (including a limited liability partnership) or an unincorporated association may be served —
(a)by giving it to the secretary or other like officer of the body corporate or unincorporated association, or the limited liability partnership’s manager;
(b)by leaving it at, or by sending it by prepaid registered post to, the body corporate’s or unincorporated association’s registered office or principal office in Singapore;
(c)by sending it by fax to the fax number used at the body corporate’s or unincorporated association’s registered office or principal office in Singapore; or
(d)by sending it by email to the body corporate’s or unincorporated association’s email address.
(5)  Service of a document under this section takes effect —
(a)if the document is sent by fax and a notification of successful transmission is received, on the day of transmission;
(b)if the document is sent by email, at the time that the email becomes capable of being retrieved by the person; and
(c)if the document is sent by prepaid registered post, 2 days after the day the document was posted (even if it is returned undelivered).
(6)  This section does not apply to documents to be served in proceedings in court.
(7)  In this section —
“business address” means —
(a)in the case of an individual, the individual’s usual or last known place of business in Singapore; or
(b)in the case of a partnership (other than a limited liability partnership), the partnership’s principal or last known place of business in Singapore;
“email address” means the last email address given by the addressee concerned to the person giving or serving the document as the email address for the service of documents under this Act;
“residential address” means an individual’s usual or last known place of residence in Singapore.
Preservation of secrecy
43.—(1)  Subject to subsections (3) and (7), every specified person must preserve, and aid in preserving, the secrecy of —
(a)all matters relating to a computer or computer system of any person;
(b)all matters relating to the business, commercial or official affairs of any person;
(c)all matters that have been identified as confidential under subsection (5); and
(d)all matters relating to the identity of persons furnishing information to any specified person,
that may come to the specified person’s knowledge in the performance of his or her functions or the discharge of his or her duties under this Act.
(2)  The specified person must not communicate any matter mentioned in subsection (1) to any person, except insofar as such communication —
(a)is necessary for the performance of any such function or the discharge of any such duty; or
(b)is lawfully required by any court, or lawfully required or allowed by or under this Act or any other written law.
(3)  This section does not apply to any information provided in compliance with a direction or requirement under section 23.
(4)  Any person who fails to comply with subsection (1) or (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.
(5)  Any person, when furnishing any information to a specified person, may identify information that the person claims to be confidential information.
(6)  Every claim made under subsection (5) must be supported by a written statement giving reasons why the information is confidential.
(7)  Despite subsection (1), the Commissioner may disclose any information relating to any matter mentioned in subsection (1) in any of the following circumstances:
(a)where the written consent of the person to whom the information relates has been obtained;
(b)for the purposes of —
(i)a prosecution under this Act;
(ii)subject to subsection (8), enabling the Commissioner to give effect to any provision of this Act;
(iii)enabling the Commissioner to investigate a suspected offence under this Act or to enforce a provision of this Act;
(iv)disclosing to any police officer any information which discloses the commission of an offence under the Computer Misuse Act 1993; or
(v)complying with such provision of an agreement between Singapore and a country or territory outside Singapore (called in this section a foreign country) as may be prescribed, where the conditions specified in subsection (9) are satisfied.
(8)  If the Commissioner is considering whether to disclose any information under subsection (7)(b)(ii), the Commissioner must have regard to —
(a)the need to exclude, so far as is practicable, information the disclosure of which would in his or her opinion be contrary to the public interest;
(b)the need to exclude, so far as is practicable —
(i)commercial information the disclosure of which would, or might, in his or her opinion, significantly harm the legitimate business interests of the undertaking to which it relates; or
(ii)information relating to the private affairs of an individual the disclosure of which would, or might, in his or her opinion, significantly harm the individual’s interest; and
(c)the extent to which the disclosure is necessary for the purposes for which the Commissioner is proposing to make the disclosure.
(9)  The conditions mentioned in subsection (7)(b)(v) are —
(a)the information or documents requested by the foreign country are available to the Commissioner;
(b)unless the Government otherwise allows, the foreign country undertakes to keep the information or documents given confidential at all times; and
(c)the disclosure of the information or documents is not likely to be contrary to the public interest.
(10)  In this section, “specified person” means a person who is or has been —
(a)the Commissioner, the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or a person appointed or employed to assist the Commissioner;
(b)an authorised officer appointed under section 6;
(c)a member of an Appeals Advisory Panel established under section 35C;
[Act 19 of 2024 wef 31/10/2025]
(d)a cybersecurity technical expert appointed under section 22;
(e)an assistant licensing officer; or
(f)the Minister, or a person appointed or employed to assist the Minister.
Protection from personal liability
44.—(1)  No liability shall lie against the Commissioner, the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer, an authorised officer appointed under section 6, an assistant licensing officer, a member of an Appeals Advisory Panel established under section 35C or any other person acting under the direction of the Commissioner who, acting in good faith and with reasonable care, does or omits to do anything in —
(a)the exercise or purported exercise of any power under this Act; or
(b)the performance or purported performance of any function or duty under this Act.
[Act 19 of 2024 wef 31/10/2025]
(2)  Where the Commissioner provides a service to the public whereby information is supplied to the public pursuant to any written law, neither the Commissioner nor any person acting under the direction of the Commissioner who is involved in the supply of such information is liable for any loss or damage suffered by any person by reason of any error or omission of whatever nature appearing in the information or however caused, if the error or omission was made in good faith and despite the exercise of reasonable care in the ordinary course of the discharge of the duties of the Commissioner or such person.
Protection of informers
45.—(1)  No witness in any proceedings for an offence under Part 3, 3A, 3B, 3C or 3D, or for a civil penalty under section 37A or 37C, is obliged or permitted —
(a)to disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substance of the information received from the informer; or
(b)to answer any question if the answer would lead, or would tend to lead, to the discovery of the name, address or other particulars of the informer.
[Act 19 of 2024 wef 31/10/2025]
(2)  If any document which is in evidence or liable to inspection in any proceedings mentioned in subsection (1) contains any entry in which any informer is named or described or which might lead to the informer’s discovery, the court must cause the entry to be concealed from view or to be obliterated so far only as may be necessary to protect the informer from discovery.
(3)  If, during any proceedings —
(a)the court, after full inquiry into the case, believes that the informer wilfully made in the informer’s complaint a material statement which the informer knew or believed to be false or did not believe to be true; or
(b)the court is of the opinion that justice cannot be fully done between the parties to the proceedings without the discovery of the informer,
it is lawful for the court to require the production of the original complaint, if in writing, and permit inquiry, and require full disclosure of the informer.
General exemption
46.—(1)  The Minister may, by order in the Gazette, exempt any person or any class of persons from all or any of the provisions of this Act, either generally or in a particular case and subject to such conditions as may be prescribed.
(2)  If any exemption is granted under subsection (1) with conditions, the exemption operates only if the conditions are complied with.
Amendment of Schedules
47.—(1)  The Minister may at any time, by order in the Gazette, amend the First or Second Schedule.
(2)  The Minister may, in any order made under subsection (1), make such transitional, incidental, consequential or supplementary provision as may be necessary or expedient.
(3)  Any order made under subsection (1) must be presented to Parliament as soon as possible after publication in the Gazette.
Regulations
48.—(1)  The Minister may make regulations for carrying out the purposes and provisions of this Act.
(2)  Without limiting subsection (1), the Minister may make regulations for or with respect to all or any of the following matters:
(a)the procedure for the designation of a provider-owned critical information infrastructure, designated provider responsible for third-party-owned critical information infrastructure, system of temporary cybersecurity concern, entity of special cybersecurity interest or major foundational digital infrastructure service provider;
[Act 19 of 2024 wef 31/10/2025]
(b)the technical or other standards relating to cybersecurity to be maintained in respect of a provider-owned critical information infrastructure, third-party-owned critical information infrastructure, system of temporary cybersecurity concern, system of special cybersecurity interest or major foundational digital infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(c)the responsibilities and duties of the owner of a provider-owned critical information infrastructure or system of temporary cybersecurity concern, designated provider responsible for third-party-owned critical information infrastructure, entity of special cybersecurity interest or major foundational digital infrastructure service provider;
[Act 19 of 2024 wef 31/10/2025]
(d)the type of changes that are considered material changes to the design, configuration, security or operations of a provider-owned critical information infrastructure or a third-party-owned critical information infrastructure to be reported by the owner of the provider-owned critical information infrastructure or the designated provider responsible for third-party-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(e)the type of cybersecurity incidents relating to —
(i)a provider-owned critical information infrastructure that are required to be reported by the owner of the provider-owned critical information infrastructure;
(ii)a third-party-owned critical information infrastructure that are required to be reported by the designated provider responsible for third-party-owned critical information infrastructure;
(iii)a system of temporary cybersecurity concern that are required to be reported by the owner of the system of temporary cybersecurity concern;
(iv)a system of special cybersecurity interest that are required to be reported by the entity of special cybersecurity interest; or
(v)a major foundational digital infrastructure that are required to be reported by the major foundational digital infrastructure service provider;
[Act 19 of 2024 wef 31/10/2025]
(f)the requirements for, and the manner for the carrying out of, cybersecurity audits and cybersecurity risk assessments required to be conducted by the owner of a provider-owned critical information infrastructure or the owner of a third-party-owned critical information infrastructure;
[Act 19 of 2024 wef 31/10/2025]
(g)the form and nature of cybersecurity exercises that may be conducted;
(h)the class or classes of licence to be issued, and the requirements for the grant or renewal of the licence;
(i)the conduct of licensees in carrying on their business;
(ia)the use of any accreditation, certification or inspection mark of the Cyber Security Agency of Singapore;
[Act 19 of 2024 wef 31/10/2025]
(j)the fees to be paid in respect of any matter or thing required for the purposes of this Act, including the refund and remission (in whole or part) of such fees;
(k)all matters and things which by this Act are required or permitted to be prescribed or which are necessary or expedient to be prescribed to give effect to this Act.
(3)  Except as otherwise expressly provided in this Act, the regulations —
(a)may be of general or specific application;
(b)may provide that any contravention of any specified provision of the regulations shall be an offence; and
(c)may provide for penalties not exceeding a fine of $50,000 or imprisonment for a term not exceeding 12 months or both for each offence and, in the case of a continuing offence, a further penalty not exceeding a fine of 10% of the maximum fine prescribed for that offence for every day or part of a day during which the offence continues after conviction.
Saving and transitional provisions
49.—(1)  Despite anything in this Act, any person who, immediately before the date of commencement of Part 5, is engaged in the business of providing a licensable cybersecurity service, may continue to engage in that business —
(a)for 6 months starting on the date of commencement of Part 5; and
(b)if, within the period in paragraph (a), the person applies for a licence under section 26, until the earlier of the following:
(i)the date on which the licensing officer grants the licence to the person;
(ii)the date that the application is finally refused or withdrawn.
(2)  For a period of 2 years after the date of commencement of any provision of this Act, the Minister may, by regulations, prescribe such additional provisions of a saving or transitional nature consequent on the enactment of that provision as the Minister may consider necessary or expedient.
[51
FIRST SCHEDULE
Sections 2(1) and 47(1)
Essential services
Services relating to energy
1.Electricity generation, electricity transmission or electricity distribution services
2.Services for the supply or transmission of natural gas for electricity generation
Services relating to info-communications
3.Fixed telephony services
4.Mobile telephony services
5.Broadband internet access services
6.National domain name registry services
Services relating to water
7.Water supply services
8.Services relating to collection and treatment of used water
9.Services relating to management of stormwater
Services relating to healthcare
10.Acute hospital care services
11.Services relating to disease surveillance and response
Services relating to banking and finance
12.Banking services, including cash withdrawal and deposits, corporate lending, treasury management, and payment services
13.Payments clearing and settlement services
14.Securities trading, clearing, settlement and depository services
15.Derivatives trading, clearing and settlement services
16.Services relating to maintenance of monetary and financial stability
17.Currency issuance
18.Services relating to cash management and payments for the Government
Services relating to security and emergency services
19.Civil defence services
20.Police and security services
21.Immigration services
22.Registration services under the National Registration Act 1965
23.Prison security and rehabilitation services
Services relating to aviation
24.Air navigation services
25.Airport passenger control and operations
26.Airport baggage and cargo handling operations
27.Aerodrome operations
28.Flight operations of aircraft
Services relating to land transport
29.Rapid transit systems operated under a licence granted under the Rapid Transit Systems Act 1995
30.Bus services operated under a bus service licence granted under the Bus Services Industry Act 2015
31.Monitoring and management of rapid transit systems operated under a licence granted under the Rapid Transit Systems Act 1995
32.Monitoring and management of bus services operated under a bus service licence granted under the Bus Services Industry Act 2015
33.Monitoring and management of road traffic
Services relating to maritime
34.Monitoring and management of shipping traffic
35.Container terminal operations
36.General and bulk cargo terminal operations
37.Cruise and ferry passenger terminal operations
38.Pilotage, towage and water supply
39.Bunker supply
40.Salvage operations
41.Passenger ferry operations
Services relating to functioning of Government
42.Services relating to the electronic delivery of Government services to the public
43.Services relating to the electronic processing of internal Government functions
Services relating to media
44.Services relating to broadcasting of free-to-air television and radio
45.Services relating to publication of newspapers
46.Security printing services
SECOND SCHEDULE
Sections 2(1) and 47(1)
Licensable cybersecurity services
1.  The following cybersecurity services are licensable cybersecurity services for the purposes of this Act:
(a)managed security operations centre (SOC) monitoring service;
(b)penetration testing service.
2.  In this Schedule —
“computer” includes a virtual computer;
[Act 19 of 2024 wef 31/10/2025]
“computer system” includes a virtual computer system;
[Act 19 of 2024 wef 31/10/2025]
“managed security operations centre (SOC) monitoring service” means a service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system;
“penetration testing service” means a service for assessing, testing or evaluating the level of cybersecurity of a computer or computer system, by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system, and includes any of the following activities:
(a)determining the cybersecurity vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
(b)determining or testing the organisation’s ability to identify and respond to cybersecurity incidents through simulation of attempts to penetrate the cybersecurity defences of the computer or computer system;
(c)identifying and quantifying the cybersecurity vulnerabilities of a computer or computer system, indicating vulnerabilities and providing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk;
(d)utilising social engineering to assess the level of vulnerability of an organisation to cybersecurity threats.

LEGISLATIVE HISTORY

Cybersecurity Act 2018

 

This Legislative History is a service provided by the Law Revision Commission on a best-efforts basis. It is not part of the Act.
1.  
Act 9 of 2018—Cybersecurity Act 2018
Bill
:
2/2018
First Reading
:
8 January 2018
Second and Third Readings
:
5 February 2018
Commencement
:
31 August 2018 (except sections 24 to 35 and the Second Schedule)
2.  
2020 Revised Edition—Cybersecurity Act 2018
Operation
:
31 December 2021
3.  
Act 9 of 2018—Cybersecurity Act 2018
Bill
:
2/2018
First Reading
:
8 January 2018
Second and Third Readings
:
5 February 2018
Commencement
:
11 April 2022 (Part 5 and the Second Schedule)
4.  
Act 19 of 2024—Cybersecurity (Amendment) Act 2024
(Amendments made by the above Act)
Bill
:
15/2024
First Reading
:
3 April 2024
Second and Third Readings
:
7 May 2024
Commencement
:
31 October 2025

Abbreviations

 
(updated on 29 August 2022)
G.N.
Gazette Notification
G.N. Sp.
Gazette Notification (Special Supplement)
L.A.
Legislative Assembly
L.N.
Legal Notification (Federal/Malaysian)
M.
Malaya/Malaysia (including Federated Malay States, Malayan Union, Federation of Malaya and Federation of Malaysia)
Parl.
Parliament
S
Subsidiary Legislation
S.I.
Statutory Instrument (United Kingdom)
S (N.S.)
Subsidiary Legislation (New Series)
S.S.G.G.
Straits Settlements Government Gazette
S.S.G.G. (E)
Straits Settlements Government Gazette (Extraordinary)

COMPARATIVE TABLE

Cybersecurity Act 2018

This Act has undergone renumbering in the 2020 Revised Edition. This Comparative Table is provided to help readers locate the corresponding provisions in the last Revised Edition.

2020 Ed.
Act 9 of 2018
1—(1) and (2)
1
[Omitted as having had effect]
49
[Omitted as having had effect]
50—(1)
[Omitted as having had effect]
    (2)
[Omitted as having had effect]
    (3)
[Omitted as having had effect]
    (4)
[Omitted as having had effect]
    (5)
[Omitted as having had effect]
    (6)
[Omitted as having had effect]
    (7)
[Omitted as having had effect]
    (8)
[Omitted as having had effect]
    (9)
[Omitted as having had effect]
    (10)
[Omitted as having had effect]
    (11)
[Omitted as having had effect]
    (12)
[Omitted as having had effect]
    (13)
49
51

Archived for legal research. Authoritative version at sso.agc.gov.sg.