CSA First Reading of the Cybersecurity (Amendment) Bill

        The Cyber Security Agency of Singapore (CSA) is proposing to amend the Cybersecurity Act 2018 (“the Act”) through the Cybersecurity (Amendment) Bill (“the Bill”). The first reading of the Bill took place in Parliament on 3 April 2024. 

2      The Act, which came into force on 31 August 2018, establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. This is the first time amendments to the Act have been proposed. The objective of the proposed Bill is to update the Act so that it keeps pace with the developments in the cyber threat landscape, as well as our evolving technological operating context. In the Committee of Supply debate 2024, Minister for Communications and Information Mrs Josephine Teo explained that CSA is seeking to amend the Act to reflect the increasing importance of ensuring the cybersecurity of the digital infrastructure and services that power our digital economy and enable citizens to meet their day-to-day needs, beyond the current Critical Information Infrastructure (CII) it covers today.  

3      The Bill will update existing provisions relating to cybersecurity of CII and expand CSA’s oversight to cover the cybersecurity of Systems of Temporary Cybersecurity Concern (STCCs). In addition, we will be creating two new classes of regulated entities, which will be subject to a light-touch regulatory treatment. These are Entities of Special Cybersecurity Interest (ESCI) and Foundational Digital Infrastructure (FDI). 

4      CII are computer systems that are necessary for the continuous delivery of essential services, like water, electricity, banking services and more. The key aspect of the Bill is that it will ensure that CII owners remain responsible for the cybersecurity and cyber resilience of the CII, even as they embrace new technological and business models, like the use of cloud computing.  CII owners will also be required to report more types of incidents, such as those that happen in their supply chains. This is so that CSA can have better situational awareness of the cybersecurity threats that could potentially cause disruptions to our essential services and work with CII owners more proactively to secure our essential services. 

5      There might be times where certain systems are of higher risk due to temporary events or situations. The Bill will allow CSA to proactively secure STCCs, i.e., computer systems that are critical to Singapore and are at a high risk of cyberattacks because of certain events or situations. An example of an STCC would be the temporary systems used to support the distribution of critical vaccines during a pandemic. During the COVID-19 pandemic, the vaccine distribution systems deployed by healthcare organisations around the world were targeted by malicious cyber actors. 

6      Besides CIIs, there could also be other entities that are important to Singapore. The Bill will also allow CSA to designate and regulate ESCI for cybersecurity if they hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore. Examples of such entities could include autonomous universities. Since they are not CII, the obligations imposed on the ESCI will not be at the same levels as that for CIIs. 

7      Finally, the Bill will require companies that provide digital infrastructure services that are foundational to our economy or way of life (such as cloud service providers and data centres) to shoulder responsibility for the cybersecurity of such digital infrastructure. This includes adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA, which will not be at the level of a CII. 

8      CSA had consulted extensively on the Bill. Stakeholder consultations began in 2022, and public consultations on the REACH website were held between 15 December 2023 and 15 January 2024. CSA took the feedback into consideration and incorporated stakeholders’ suggestions into the Bill. A summary of the feedback received, together with CSA’s Closing Note, is available on CSA’s website.  If the Bill is passed, CSA will continue to consult closely with stakeholders to operationalise the Bill. 

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cybersecurity awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.

About Ministry of Communications and Information

The Ministry of Communications and Information (MCI) oversees the development of the infocomm technology, cyber security, and media sectors; the national library, national archives and public libraries; as well as the Government’s information and public communication policies. MCI’s mission is to engage hearts and minds to achieve a thriving digital future for all.