CSA publishes closing note to consultation on licensing framework for cybersecurity service providers: Allen & Gledhill

25 May 2026

On 25 February 2026, the Cyber Security Agency of Singapore (“CSA”) published its closing note to the consultation on the licensing framework for cybersecurity service providers.

Background

CSA conducted a public consultation on the proposed changes to the licensing framework from 22 September 2025 to 21 October 2025. The proposed changes seek to (i) raise baseline cybersecurity standards nationally; and (ii) enhance clarity on the licensing requirements. More information on the consultation is set out in our article “CSA consults on proposed changes to licensing framework for cybersecurity service providers”.

CSA’s closing note addressed key points of feedback received from respondents, comprising cybersecurity service providers, industry associations, cloud service providers, and technology companies.

Implementation of changes

CSA will proceed to implement the proposed changes to the licensing framework, taking into account the feedback received. Annex B to the closing note provides the updated licence conditions which will apply to all existing licensees, new licence applications and/or licence renewals following this review. For existing licensees, the licence conditions took effect 30 days from the publication of the closing note. Existing licensees will transition to the five-year licence term upon renewal and the licence conditions will be published on the website of the Cybersecurity Services Regulation Office www.csro.gov.sg, including the process for assessment of equivalent certifications.

Key points of feedback received

Feedback on the proposed Cyber Trust mark (“CTM”) and Data Protection Trustmark (“DPTM”) certification requirements focused primarily on the following key areas:

Recognition of equivalent certifications: CSA assessed that ISO/IEC 27001 remains the only recognised equivalent for CTM for now, as it is an international information security standard. The other types of cybersecurity certification, such as Service Organization Control 2 Type II, rely on audit assessment which can vary in scope and rigour, making it challenging to ensure consistent regulatory compliance with the standards across all licensees. CSA will progressively review additional certifications and add them to the list, if appropriate.
Applicability of DPTM to certain service categories: CSA clarified that the DPTM certification requirement is intended for licensed cybersecurity service providers, which are Managed Security Operations Centre (“MSOC”) monitoring service and penetration testing (“PT”) service providers only. The requirement is not intended for cloud service providers.

CSA will not require licensees to achieve DPTM as a mandatory requirement. This is in recognition that CTM Promoter (Tier 3) certification already includes data protection measures and access to client’s personal data may be limited for MSOC and PT service providers. CSA assesses that MSOC and PT licensees providing these services may have access to privileged data in the course of their services and should therefore demonstrate their commitment to good data protection practices and compliance with the Personal Data Protection Act 2012 and/or other applicable data protection laws.

Requirements for resellers: CSA clarified that the licensing framework applies to all entities providing the licensable services, regardless of their business model. Resellers who are licensed to provide licensable cybersecurity services are subject to the same certification requirements as other licensees.
Impact on small providers and individual licensees: Following feedback, CSA will study the possibility of introducing alternative compliance routes to reduce the administrative burden on smaller providers and individual licensees. However, CSA maintains that all licensees should achieve a minimum level of cyber hygiene posture regardless of firm size, and the CTM Promoter (Tier 3) certification was assessed to be proportionate to licensees’ risk profile. CSA will also work with certification bodies to ensure that individual licensees can achieve the CTM Promoter (Tier 3) certification.

For parity, the CTM certification scope is the same for business and individual licensees in that (i) the certification must cover the environment (people, processes, and technology) supporting the delivery of licensed services; and (ii) certification bodies must be accredited by the Singapore Accreditation Council or equivalent national accreditation bodies.

Changes to licence validity and notification timeframes

CSA will proceed with the proposed extension of licence validity to five years and simplification of notification obligations, including the removal of the requirement to report non-material changes and the extension of the window for reporting key information changes from 14 to 30 calendar days.

Following suggestions on automating updates using data from the Accounting and Corporate Regulatory Authority and SingPass-based declarations, CSA will explore opportunities to streamline processes through integration with other government digital services where feasible.

Implementation timeline

Licensees will have a grace period until 31 December 2026 to obtain CTM Promoter (Tier 3) certification. Thereafter, licensees would be required to have an active CTM certification during licence application and/or renewal. CSA will not mandate DPTM certification at this point and the proposed timeline to obtain DPTM certification by end-2027 will not be implemented.

Reference materials

The closing note is available on the CSA website www.csa.gov.sg.