Pursuant to the Cybersecurity Act 2018 (Commencement) Notification 2022, Part 5 of and the Second Schedule to the Cybersecurity Act 2018 (“Act”) became operative from 11 April 2022 to establish a licensing framework for cybersecurity service providers (“CSPs”). The Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022 also became operative from 11 April 2022.
On 11 April 2022, the Cyber Security Agency of Singapore (“CSA”) set up the Cybersecurity Services Regulation Office (“CSRO”) to administer the licensing framework and facilitate liaisons with the industry and wider public on all licensing-related matters.
Set out below are the key features of the licensing framework for CSPs:
- Main licensing requirements: The two main requirements that CSPs must comply with under Part 5 of the Act are (i) ensuring that their key officers (i.e. any director or partner of the business entity or other person who is responsible for the management of the business entity) are fit and proper, and (ii) keeping basic records on the cybersecurity services provided for a duration of at least three years.
- Types of licensable cybersecurity services prescribed: Only penetration testing service and managed security operations centre monitoring service are prescribed as licensable cybersecurity services under the Act.
- Existing CSPs to apply for licence by 11 October 2022: Existing CSPs who are already engaged in the businesses of providing either or both licensable cybersecurity services will be given six months (i.e. by 11 October 2022) to apply for a licence. CSPs who do not apply for a licence in time will have to cease the provision of licensable cybersecurity service until a licence is obtained. Any person who engages in the business of providing any licensable cybersecurity services to another person without a licence after 11 October 2022 shall be guilty of an offence and liable on conviction to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding two years or to both. However, a CSP who applies for a licence by 11 October 2022 may continue to provide its service until a decision on their licence application has been made.
- Validity of licence and fees: The licence is valid for a period of two years and the licence fees for individuals and businesses are S$500 and S$1,000 respectively. A one-time 50% waiver of the licence fees will be granted for all licence applications that are lodged within the first 12 months (i.e. before 11 April 2023) to support businesses due to the impact of Covid-19.
Further information about the licensing framework, including prescribed forms, guides and Frequently Asked Questions (FAQs) are available on the CSRO website csro.gov.sg.
While most of the provisions of the Act came into force on 31 August 2018, the operational date for the licensing framework under Part 5 of the Act was deferred to allow for further study and consultation to enhance its practicability for CSPs. For further information, please refer to our article titled “Cybersecurity Act 2018 operative from 31 August 2018 to protect critical information infrastructure against cybersecurity threats”.
From 20 September 2021 to 18 October 2021, CSA conducted a public consultation to seek feedback on the proposed licence conditions and draft subsidiary legislation in relation to the licensing framework for CSPs. The public consultation was covered in our article titled “CSA consults on licensing framework for cybersecurity service providers under Cybersecurity Act: Proposed licence conditions and regulations”. More details on the feedback received and the resulting key revisions made to the licensing framework can be found in the industry consultation closing note.