Provisions in the Cybersecurity (Amendment) Act to Come Into Force on 31 October 2025

[Singapore, 31 October 2025] Key provisions detailed in the Cybersecurity (Amendment) Act which was passed in Parliament on 7 May 2024 will commence from 31 October 2025.  

1. The Cybersecurity Act came into force in 2018 to establish a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Amendments to the Act include the updating of existing regulations related to Critical Information Infrastructure (CII), and the expansion of the Cyber Security Agency of Singapore (CSA)’s oversight to cover new classes of regulated entities, such as Systems of Temporary Cybersecurity Concern (STCCs).

 Amendments to the regulation of Provider-Owned CIIs

2. Given the increasing reliance of CII owners on virtual computers and systems in the provision of essential services, the new provisions under the Act will provide the Commissioner of Cybersecurity with the regulatory powers to designate such systems as CIIs. This will ensure that these virtual computers and systems meet the necessary requirements under the Act, and in doing so better protect these critical systems.

3. The Act will expand the cybersecurity incident reporting requirements to include incidents suspected of being caused by Advanced Persistent Threats (APTs), and incidents that result in a disruption of essential services for non-interconnected systems under the CII owner’s control. CII owners will need to report such incidents to CSA within 2 hours of becoming aware of such an occurrence with the aim of enhancing CSA’s situational awareness and coordinating an appropriate national response, if required.

Expansion of CSA’s oversight to STCCs

4. STCCs are computer systems that may be of higher cybersecurity risk due to temporary events or situations. Examples include systems used to fulfil a temporal need, such as the supporting of governmental election processes or the distribution of vaccines during a pandemic.

5. The Act will now allow CSA to designate these computers or computer systems which are located wholly or partly in Singapore as an STCC for a limited period specified by the Commissioner, on the basis that there could be high risks to their cybersecurity, which could be detrimental to Singapore’s national interests. STCCs owners will be required to undertake cybersecurity measures and to report cybersecurity incidents affecting their STCCs during the limited period specified by the Commissioner.  

6. CSA will continue to provide support to stakeholders and help them familiarise and comply with the new requirements while accounting for the operating context and developments in the industry. For more information on the Cybersecurity Act, please refer to  https://www.csa.gov.sg/legislation/cybersecurity-act/.