Bill to amend Cybersecurity Law passed in Singapore


On 7 May 2024, the Cybersecurity (Amendment) Bill No. 15/2024 (“Bill”) was passed in Parliament (the Bill can be found here). The Bill proposes to amend the Cybersecurity Act 2018 (“Cybersecurity Act”), which establishes a legal framework for the oversight of Singapore’s national cybersecurity.

The objective of the Bill is to ensure the Cybersecurity Act keeps pace with developments in Singapore’s cyber threat landscape and business environment. The proposed changes follow after extensive stakeholder and public consultations that took place dating back to 2022.

Under the Bill, Critical Information Infrastructure (“CII”) owners will remain responsible for the cybersecurity and cyber resilience of the CII, even when they adopt new technology and business models (such as cloud computing).

However, CII owners will be required to report more types of incidents to the CSA to allow the authority to have better situational awareness of cybersecurity threats. This will also allow CSA to work more closely with CII owners to better secure the protection of Singapore’s essential services.

The Bill also introduces two new classes of regulated entities, which will be subject to light-touch regulatory treatment: Entities of Special Cybersecurity Interest (“ESCI”); and Foundational Digital Infrastructure (“FDI”). Under the Bill, CSA is empowered to designate and regulate ESCIs if they hold sensitive information or perform a function of national interest, such that their disruption could cause potential adverse effects on the defence, foreign relations, economy, public health, public safety, or public order of Singapore.

Furthermore, the Bill will also require companies that provide FDIs to shoulder the responsibility for the cybersecurity of such digital infrastructure. Newly added responsibilities for FDI service providers include adhering to cybersecurity codes and standards of practice, as well as reporting prescribed cybersecurity incidents to CSA.

In addition, the Bill expands CSA’s oversight of cybersecurity of Systems of Temporary Cybersecurity Concern (“STCC”). STCCs are computer systems that are critical to Singapore and are at a high risk of cyberattacks because of certain events or situations. Under the Bill, for instance, the Commissioner of the CSA will have the ability to issue written directions to owners of STCCs, where the Commissioner believes it is necessary or expedient for ensuring the STCC’s cybersecurity.

Overall, the Bill allows the Cybersecurity Act to keep pace with developments in the cyber threat landscape and also reflects the increasing importance of ensuring cybersecurity in the digital infrastructure of Singapore. As the Bill has been tabled for a second reading in the Singapore Parliament, subsequent changes or modifications to its application and enforcement are expected as the industry adapts to the new cybersecurity regulatory landscape.

To see the full text of the Bill, please click here.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the amendments to the Cybersecurity Act; information, content, and materials stipulated above is based on our reading of the amendments and are for general informational purposes only.