This page contains a list of forms prescribed under the Cybersecurity Act 2018 and Cybersecurity (Critical Information Infrastructure) Regulations 2018.  

1. Provision of information to ascertain if computer, etc., fulfils criteria of critical information infrastructure

In accordance with Section 8 of the Cybersecurity Act, the Commissioner may issue a notice to a person who appears to be exercising control over a computer or computer system to provide relevant information for the purpose of ascertaining whether the computer or computer system fulfils the criteria of a critical information infrastructure. The notice shall be issued in the format below:

Notice to Require Information Under Section 8(2) of the Cybersecurity Act 2018 [44 KB] 

The information must be given in writing in the Potential CII Information Form below: 

Potential CII Information Form [30 KB]

2. Furnishing of information relating to critical information infrastructure

In accordance with Section 10 of the Cybersecurity Act, the Commissioner may issue a notice to an owner of a critical information infrastructure to furnish information relating to critical information infrastructure. The notice shall be issued in the format below:

Notice to Require Information Under Section 10(1) of the Cybersecurity Act 2018 [47 KB]

The information must be given in writing in the CII Dossier Form below: 

CII Dossier Form [65 KB]




3. Reporting of cybersecurity incident in respect of critical information infrastructure

In accordance with Section 14(1) of the Cybersecurity Act, the owner of a critical information infrastructure must notify the Commissioner of the occurrence of any of the following, in the prescribed form and manner within the prescribed period after becoming aware of such occurrence:

(a) A prescribed cybersecurity incident in respect of the critical information infrastructure

(b) A prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;

(c) Any other type of cybersecurity incident in respect of the critical information infrastructure that the Commissioner has specified by written direction to the owner.

The owner of a critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident by calling the telephone number specified by the Commissioner. If the owner is unable to submit the details by calling the telephone number or by text message to the telephone number within a reasonable time, in accordance with Section 5(2)(b)(ii) of the Cybersecurity (Critical Information Infrastructure) Regulations 2018, the owner must submit the details of the cybersecurity incident by filling in all fields in Part 1 of the National Cyber Security Incident Reporting Form below.

For submission of details of a cybersecurity incident in accordance with Section 5(1)(b) of the Cybersecurity (Critical Information Infrastructure) Regulations 2018, the owner of a critical information infrastructure must fill in all the fields in the National Cyber Security Incident Reporting Form unless otherwise stated.

National Cyber Security Incident Reporting Form [165 KB]

IMPORTANT: Documents and forms which are incomplete or do not comply with the instructions may be rejected.