Forms
Provides forms related to cybersecurity legislation, supporting compliance and reporting requirements under Singapore’s Cybersecurity Act.
IMPORTANT: Documents and forms which are incomplete or do not comply with the instructions may be rejected.
This page contains a list of forms prescribed under the Cybersecurity Act 2018 and Cybersecurity (Critical Information Infrastructure) Regulations 2018.
1. Provision of information to ascertain if computer, etc., fulfils criteria of critical information infrastructure
In accordance with Section 8 of the Cybersecurity Act, the Commissioner may issue a notice to a person who appears to be exercising control over a computer or computer system to provide relevant information for the purpose of ascertaining whether the computer or computer system fulfils the criteria of a critical information infrastructure. The notice shall be issued in the format below:
2. Furnishing of information relating to critical information infrastructure
In accordance with Section 10 of the Cybersecurity Act, the Commissioner may issue a notice to an owner of a critical information infrastructure to furnish information relating to critical information infrastructure. The notice shall be issued in the format below:
3. Reporting of cybersecurity incident in respect of critical information infrastructure
3.1 In accordance with Section 14(1) of the Cybersecurity Act, the owner of a provider-owned critical information infrastructure1 must notify the Commissioner of the occurrence of any of the following, in the prescribed form and manner within the prescribed period after becoming aware of such occurrence:
(a) a prescribed cybersecurity incident in respect of the provider-owned critical information infrastructure (see para 3.2 – 3.4);
(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure (see para 3.2 – 3.4);
(c) a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b) (see para 3.2 – 3.5);
(d) a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider-owned critical information infrastructure (see para 3.2 – 3.4).
1 Existing critical information infrastructure designated under the Cybersecurity Act 2018 has been renamed to provider-owned critical information infrastructure to differentiate them from the new third-party-owned critical information infrastructure under Part 3A of the Cybersecurity (Amendment) Act 2024.
3.2 The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident within 2 hours from awareness of an incident by calling the telephone number specified by the Commissioner in the National Cybersecurity Incident Response Framework (NCIRF) document. If the owner is unable to submit the details by calling or by text, the owner must submit the details of the cybersecurity incident by filling in all fields in Part 1 of the National Cyber Security Incident Reporting Form below to the email address specified.
3.3 For submission of supplementary details of a cybersecurity incident within 72 hours after becoming aware of the occurrence of the incident, the owner of a provider-owned critical information infrastructure must submit the details required in Part 1 and Part 2 of the National Cyber Security Incident Reporting Form below to CSA.
3.4 The owner of a provider-owned critical information infrastructure must submit a final report within 30 days after submission of the supplementary details. The final report containing a detailed description of the incident should be sent to the email address specified.
3.5 The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident by submitting a consolidated quarterly report. This report should include, to the fullest extent practicable, details such as but not limited to, the date and time of the incidents, the name and description of the affected systems, the nature and description of the incidents, etc. The report must notify cybersecurity incidents that occurred during that quarter, and must be submitted no later than the end of the 3rd working day following the end of the quarter (i.e. If the end of the quarter falls on a Friday, then the report is due no later than Wednesday of the following week. If the end of the quarter falls on a Monday, and Wednesday is a public holiday, then the report is due no later than Friday of the same week. A quarter is defined as the period that falls in the listed calendar months, i.e. January – March, April – June, July – September, and October – December.) This quarterly report shall be submitted in the format below:
4. Reporting of cybersecurity incident for designated provider responsible for third-party-owned critical information infrastructure (PES)
4.1 In accordance with Section 16I(4) of the Cybersecurity Act, the designated provider responsible for third-party-owned critical information infrastructure (CII) must notify the Commissioner of the occurrence of a prescribed cybersecurity incident on the third-party owned CII or a system interconnected with the CII (under the owner’s control or provider’s control) after becoming aware of the incident from the third-party owner of the critical information infrastructure.
4.1.1 Verbal notification within 2 hours after becoming aware of the occurrence of the incident. The provider may call or text the telephone number specified by the Commissioner in the National Cyber Incident Reporting Framework (NCIRF) document. If the provider is unable to submit the details by calling or by text, the provider must submit the details of the cybersecurity incident by filling in all fields in Part 1 of the National Cyber Security Incident Reporting Form below to the email address specified.
4.1.2 Supplementary details via written notification within 72 hours after becoming aware of the incident. The provider must submit the details required in Part 1 and Part 2 of the National Cyber Security Incident Reporting Form below to CSA via email.
4.1.3 Final report within 30 days after submission of written notification. The provider must submit a final report containing a detailed description of the incident to the email address specified.
4.2 If a prescribed cybersecurity incident occurs on other systems under the provider’s control, that does not result in any disruption or degradation to the continuous delivery, in Singapore, of the essential service for which the third-party-owned CII is designated, the provider must notify the Commissioner of the occurrence of the incident in a consolidated quarterly report. The report must notify cybersecurity incidents that occurred during that quarter, and must be submitted no later than the end of the 3rd working day following the end of the quarter (i.e. If the end of the quarter falls on a Friday, then the report is due no later than Wednesday of the following week. If the end of the quarter falls on a Monday, and Wednesday is a public holiday, then the report is due no later than Friday of the same week. A quarter is defined as the period that falls in the listed calendar months, i.e. January – March, April – June, July – September, and October – December.) The quarterly report shall be submitted via email in the format below:
