CSA consults on proposed changes to licensing framework for cybersecurity service providers
29 October 2025
On 22 September 2025, the Cyber Security Agency of Singapore (“CSA”) launched a public consultation seeking views and comments on proposed changes to the licensing framework for cybersecurity service providers to raise baseline cybersecurity standards nationally and enhance clarity on the licensing requirements. The consultation closed on 21 October 2025.
Introduction of cyber and data hygiene requirements
CSA explains that ensuring cybersecurity service providers maintain strong internal cybersecurity and data protection standards is critical to national cyber resilience. To this end, CSA proposed that cybersecurity service provider licensees demonstrate their commitment to good cyber and data hygiene measures by obtaining mandatory hygiene certifications. This aims to: (i) ensure licensed cybersecurity service providers are committed to protecting their own networks and client data; and (ii) establish a consistent and recognised standard of trustworthiness and professional conduct.
Generally, licensees will need to obtain and maintain the following certifications for the duration of their licence:
- minimum Cyber Trust Mark (“CTM”) Promoter (Tier 3) or its equivalent; and
- Data Protection Trust Mark (“DPTM”) SS 714:2025 or its equivalent.
Changes to licence validity, renewal, and notification timeframes
CSA proposed the following changes to the licensing conditions, aiming to reduce regulatory friction and improve operational clarity for licensees without compromising oversight:
- Extension of licence validity: Licence validity will be extended from two years to five years, with no change in annual fee quantum. Licences with a five-year validity will cost S$2,500 for businesses and S$1,250 for individuals, with the fee payable upon approval of the licence application or renewal application, as the case may be.
- Extension of licence renewal timeframes: Currently, a licence renewal application must be made no later than two months before the licence expiry. For operational flexibility, CSA proposed to remove the two-month renewal period and allow for renewal applications to be made any time before the licence expiry.
- Simplified notification obligations: CSA will extend the reporting window for key information changes from the current 14 calendar days to 30 calendar days. This will provide licensees with more time to report changes and bring notification timelines into alignment with the timeline for material changes in the Cybersecurity Act 2018. Requirements to report non-material changes will be removed. These include changes in designation of the licensee and/or its officers, addresses and contact particulars, which licensees are currently required to report to CSA within 14 calendar days. Such information would be updated systematically upon renewal, given that the information does not have a material impact on the delivery of the licensed service.
- Revision to information required in licence application: Information required for a licence application is presently listed in the Cybersecurity (Cybersecurity Service Providers) Regulations 2022. CSA proposed to remove the list from the regulations and for the information to be indicated in the electronic application service (i.e. currently, the GoBusiness Licensing portal) instead. This will allow CSA to reduce the information as necessary to streamline the application process.
- Other operative changes: Powers that are currently duplicated across both the amended Cybersecurity Act 2018 and Conditions of Licence will be removed with no operational impact on licensees.
Implementation timeline
CSA intends to implement the changes to the licensing framework progressively from January 2026.
The cyber and data hygiene requirements will be implemented in phases to provide a gradual transition period for licensees and the wider ecosystem, including the certification bodies, to fulfil the requirements:
- Grace period until 31 December 2026 for CTM certification: A grace period until 31 December 2026 will be given to both new licensees and those who renew their licences in 2026 to obtain the required CTM certification. Licensees may continue to provide their services until 31 December 2026 pending certification. To provide licensable services from 1 January 2027, licensees will be required to have an active CTM certification at the time of licence application or renewal.
- Grace period until 31 December 2027 for DPTM SS 714:2025 certification: A grace period until 31 December 2027 will be given to all licensees to obtain the required DPTM SS 714:2025 certification. Licensees may continue to provide their services until 31 December 2027 pending certification. To provide licensable services from 1 January 2028, licensees will be required to have an active DPTM SS 714:2025 certification at the time of licence application or renewal.
Reference materials
The following materials are available on the REACH website www.reach.gov.sg:
- CSA press release: Consultation Paper on the Licensing Framework for Cybersecurity Service Providers
- Consultation paper on the licensing framework for cybersecurity service providers
- Annex A: Proposed changes to the conditions of licence
- Annex B: Proposed changes to the Cybersecurity (Cybersecurity Service Providers) Regulations 2022