Amendments to Cybersecurity Act 2018 to update provisions related to critical information infrastructure and systems of temporary cybersecurity concern in force on 31 October 2025
24 October 2025
With effect from 31 October 2025, certain provisions of the Cybersecurity (Amendment) Act 2024 will come into force to implement changes to the Cybersecurity Act 2018 (“Act”) so that it keeps pace with developments in the cyber threat landscape as well as the evolving technological operating context. Among other things, changes are made to better regulate critical information infrastructure (“CII”) so that they continue to be secure and resilient against cyber threats, and to introduce new provisions to regulate owners of designated systems of temporary cybersecurity concern.
Set out below are highlights of some of the changes coming into force on 31 October 2025:
Adapting to shifts in the operating context
- Extend the meaning of “computer” and “computer system” in specified portions of the Act to include “virtual computers” and “virtual computer systems”. Previously, the definitions of “computer” and “computer system” were predicated on them being physical computers built out of dedicated physical hardware, such as hard disk drives, and memory and processor chips. The new definitions make it clear that where virtualised CII are concerned, the CII owner is responsible for the cybersecurity of such systems, and not other parties that supply the underlying physical infrastructure (which may be easily replaced).
- New Part 3A of the Act regulates designated providers of essential services who rely on CII owned by third parties, for the continuous delivery of essential services (such designated provider known as the “provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure”). This will deal with situations where a provider of an essential service could leverage a computer system owned by a third party, because it could be more effective or efficient to do so. Before the Commissioner of Cybersecurity (“Commissioner”) can make such a designation, the Commissioner must be satisfied that a third-party-owned CII (whether located in or outside Singapore) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the third-party-owned CII will have a debilitating effect on the availability of the essential service in Singapore. Designated providers of essential services remain responsible for the cybersecurity and cyber resilience of the computer systems they rely on to deliver the essential services they provide, and must ensure that the systems they rely on can meet comparable cybersecurity standards and requirements of a CII through legally-binding commitments, such as contracts.
- New section 7(1A) allows the Cyber Security Agency of Singapore (“CSA”) to deal with situations where a CII is supporting an essential service from overseas. Section 7(1A) allows CSA to designate and regulate such computer or computer systems that are located wholly outside Singapore as a provider-owned CII under the Act, if the computer or computer system is necessary for the continuous delivery of an essential service and the computer or computer system would have been designated as a provider-owned CII under section 7(1) had it been located wholly or partly in Singapore. Note that the new section 7(1A) will not enable the Commissioner to take any enforcement action outside Singapore.
- CII owners under Part 3 are required to additionally report to the Commissioner incidents that affect: (i) other computers or computer systems under the owner’s control that are not interconnected with and do not communicate with the provider-owned CII; and (ii) computers or computer systems under the control of a supplier to the owner that are interconnected or communicate with the provider-owned CII.
- New Part 3B regulates computer or computer systems that, for a time-limited period, are at high risk of cyber-attacks, and if compromised would have a serious detrimental effect on Singapore’s national interests (such designated computer or computer systems known as “Systems of Temporary Cybersecurity Concern” (“STCC”)). Before the Commissioner can designate a system as an STCC, the Commissioner must be satisfied that, for a limited period, the system is at a high risk of a cybersecurity threat or incident; and the loss or compromise of the system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety, or public order of Singapore. Given that STCCs are critical systems when they are set up, Part 3B imposes on STCC owners cybersecurity obligations similar to those for CII owners, where practicable. Part 3B allows CSA to be proactive in raising the cybersecurity posture of the STCC, depending on the operating context and the time period for which the STCC is needed.
- New section 35B extends the appeal avenues currently available to those designated as CII owners under the Act to designated providers of essential services under Part 3A and STCC owners, among others.
Strengthening the administration of the Act
Changes have also been made to strengthen the administration of the Act to address operational challenges faced by CSA:
- Section 15(4) of the Act has been amended to empower CSA to inspect the provider-owned CII if it appears to the Commissioner that the CII owner has not complied with its obligations or has provided information requested under section 10 of the Act that is false, misleading, inaccurate, or incomplete. This will improve CSA’s ability to enforce the Act against recalcitrant CII owners regulated under Part 3.
- Licensing officers have monitoring powers over persons who provide licensable cybersecurity services under Part 5. The new provisions give CSA powers of entry and inspection, and to require the production of records, accounts, and documents from licensed cybersecurity service providers. Non-compliance with such requirements without reasonable excuse will be a criminal offence.
- It is an offence for any person to use CSA’s gazetted symbols or representations without the Commissioner’s prior written permission.
- The Commissioner may grant an extension of time to any person required to do any action under relevant parts of the Act, as long as the Commissioner is satisfied that there are good reasons to do so.
Changes to Act that are not in force
The Cybersecurity (Amendment) Act 2024 will make other amendments to the Act which have yet to come into force. These include:
- New Part 3C to the Act: New Part 3C will be introduced to allow CSA to regulate designated entities that could be particularly attractive targets for malicious threat actors, because the entity stores sensitive information in a computer or computer system under its control, or uses a computer or computer system under its control to perform a function which, if disrupted, would have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, public safety, or public order (such designated entities known as “Entities of Special Cybersecurity Interest” (“ESCIs”)). The list of entities designated as ESCIs will not be disclosed publicly to avoid inadvertently advertising these entities as worthy targets to malicious actors.
- New Part 3D to the Act: New Part 3D will be introduced to allow CSA to regulate designated major Foundational Digital Infrastructure (“FDI”) service providers. These are entities that serve a large number of businesses or organisations. Smaller players, who are more sensitive to regulatory costs, will not be regulated. These major FDI service providers must be providers of FDI services specified in the new Third Schedule. For a start, the Third Schedule will cover cloud computing services and data centre facility services. These major FDI service providers will be required to report prescribed cybersecurity incidents that result in a disruption or degradation of their FDI service in Singapore, or have a significant impact on their business operations in Singapore.
- Revised penalty regime: The Commissioner will have the flexibility to bring an action in court for civil penalties with the Public Prosecutor’s consent. In making a recommendation to the Public Prosecutor, CSA will consider a range of factors including the risks created by the non-compliance, the egregiousness, and the facts of the case. Currently, non-compliance with statutory obligations in relation to CII is enforced through criminal penalties.
Reference materials
The following materials are available from Singapore Statutes Online www.sso.agc.gov.sg: