The Answer in 60 Seconds
The Cybersecurity (Amendment) Act 2024 (Act 19 of 2024) was passed by Parliament on 7 May 2024, amending the Cybersecurity Act 2018. Specified provisions commenced on 31 October 2025 by Commencement Notification 2025 (published 15 October 2025). Key changes now in force: (1) virtual computers and cloud workloads explicitly within the CII definition; (2) extraterritorial designation — a computer or system located wholly outside Singapore that is owned by a person in Singapore may be designated as Provider-Owned CII (PO CII) if it would have met CII criteria had it been located in Singapore; (3) new Part 3A — Third-Party-Owned CII (3PO CII) — the Commissioner of Cybersecurity may designate an essential service provider as responsible for the cybersecurity of a CII used by it but owned by a third party; the designated provider must obtain legally binding commitments from the third-party owner covering information rights, incident notification, cybersecurity standards, and audit cooperation; designation lasts 5 years renewable; (4) expanded incident reporting — CII owners must report prescribed incidents affecting the CII, any system under the owner's control, and any supplier systems interconnected with the CII; (5) new Part 3B — Systems of Temporary Cybersecurity Concern (STCCs); (6) expanded audit and inspection powers. Pending commencement: Part 3C (Entities of Special Cybersecurity Interest, "ESCI" — autonomous universities, sensitive-research entities) and Part 3D (Major Foundational Digital Infrastructure providers, "FDI" — cloud service providers and data-centre operators). The 11 CII sectors remain unchanged: Energy, Water, Banking and Finance, Healthcare, Land Transport, Maritime, Aviation, Info-Communications, Media, Security and Emergency Services, Government.
The Sourced Detail
The Cybersecurity (Amendment) Act 2024 substantially expands the Cybersecurity Act 2018 framework, bringing virtual systems, offshore-located but Singapore-owned systems, and third-party-owned essential-service infrastructure within the Commissioner of Cybersecurity's regulatory perimeter. The amendments respond to operational realities of cloud-hosted essential services, supply-chain dependencies, and the growing role of third-party Foundational Digital Infrastructure (cloud, data centres) in supporting critical national services.
For Singapore SMEs, the practical question is whether their systems or operations fall within the expanded CII perimeter, either by direct designation (CII owner), by section 16A designation as designated provider responsible for a 3PO CII, or (when the relevant parts commence) as an ESCI or Major FDI.
Commencement timeline
7 May 2024: Cybersecurity (Amendment) Bill passed by Parliament.
15 October 2025: Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025 published.
31 October 2025: specified provisions commenced (sections 2 to 15, 18, 19, 22, 23(b), 24, 25, 28(a) to (g), 29, 31, and 32(1) to (4), (6), and (7) of the Amendment Act).
Pending as at 15 May 2026: Part 3C (ESCI) and Part 3D (Major FDI). Future commencement notification expected.
The 11 CII sectors
The 11 CII sectors as designated by the Cybersecurity Act 2018 remain unchanged:
Energy, Water, Banking and Finance, Healthcare, Land Transport, Maritime, Aviation, Info-Communications, Media, Security and Emergency Services, Government.
CII designation under section 7 requires that the computer or computer system be necessary for the continuous delivery of an essential service in one of these 11 sectors, and that its loss or compromise would have a debilitating effect on the availability of that essential service in Singapore. Both limbs must be met; a system that supports an essential service but whose failure would not debilitate service availability does not qualify.
The substantive changes in force from 31 October 2025
Change 1: Virtual computers and cloud workloads within CII definition. The amended section 7 explicitly captures virtual systems. A cloud-hosted application supporting an essential service can be designated CII even though the underlying physical infrastructure is shared. This closes a prior interpretive gap where CII designation was unclear for cloud-hosted workloads.
Change 2: Extraterritorial designation (PO CII). A computer or system located wholly outside Singapore, owned by a person in Singapore, may be designated as Provider-Owned CII (PO CII) if it would have met CII criteria had it been located in Singapore. This applies to Singapore-domiciled providers operating critical infrastructure for Singapore essential services from offshore locations (e.g., regional data centres in nearby ASEAN jurisdictions).
Change 3: New Part 3A — Third-Party-Owned CII (3PO CII). The Commissioner may designate an essential service provider (rather than the third-party owner) as responsible for the cybersecurity of a 3PO CII used by one or more essential service providers. The designated provider must obtain legally binding commitments from the third-party owner covering:
Information rights (access to system status, configuration, and incident data).
Incident notification (timely notification of cyber incidents).
Compliance with prescribed cybersecurity standards.
Audit cooperation (allowing audit and inspection as required by the Cybersecurity Act framework).
Designation under section 16A lasts 5 years, renewable for additional 5-year periods.
Change 4: Expanded incident reporting under section 14. CII owners must report prescribed cybersecurity incidents affecting:
The CII itself.
Any computer or system under the owner's control.
Any supplier system interconnected with or communicating with the CII.
The expanded reporting scope brings supply-chain incidents within the CII reporting framework. A cybersecurity incident at a CII owner's cloud provider, software vendor, or managed services partner that affects the CII must be reported.
Change 5: New Part 3B — Systems of Temporary Cybersecurity Concern (STCCs). This provides short-term oversight of systems whose criticality is elevated by a temporary event. The mechanism allows the Commissioner to impose cybersecurity obligations of limited duration on systems that are critical only for a defined period (e.g., systems supporting a specific major event), without designating them as CII.
Change 6: Expanded audit and inspection powers. The Commissioner may order audits and inspections under the amended Act framework.
Pending commencement: Parts 3C and 3D
Part 3C — Entities of Special Cybersecurity Interest (ESCI). Entities holding sensitive information or performing functions of national interest (e.g., autonomous universities, sensitive-research entities) may be designated ESCI. Substantive obligations under Part 3C will be defined at commencement. Pending commencement as at 15 May 2026.
Part 3D — Major Foundational Digital Infrastructure providers (FDI). Cloud service providers, data centre operators, and similar providers of foundational digital infrastructure for the broader Singapore digital economy. Substantive obligations under Part 3D will be defined at commencement. Pending commencement as at 15 May 2026.
Verbatim regulatory text — primary-source routing
The primary-source URLs:
Cybersecurity Act 2018 consolidated text on SSO.
Cybersecurity (Amendment) Act 2024 (Act 19 of 2024) on SSO.
Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025 on SSO — drafter to retrieve at the time of advice.
Drafters and SMEs should extract verbatim:
Section 7, CA 2018 (as amended) — designation of computer or computer system as CII, including the amended scope covering virtual systems and offshore systems owned by a person in Singapore.
Section 8, CA 2018 — Code of Practice and Standards of Performance for CII owners.
Section 10, CA 2018 — duty of CII owner to notify changes.
Section 11, CA 2018 — duty to comply with codes and standards.
Section 12, CA 2018 — cybersecurity audit (at least once every two years).
Section 13, CA 2018 — cybersecurity risk assessment (at least annually).
Section 14, CA 2018 (as amended) — duty to report cybersecurity incidents, with the expanded scope from 31 October 2025.
Section 15, CA 2018 — cybersecurity exercises (Commissioner may direct).
Section 16A (new, Part 3A) — designation of designated provider responsible for 3PO CII.
Part 3B, CA 2018 — STCCs.
Part 3C, CA 2018 (pending) — ESCIs.
Part 3D, CA 2018 (pending) — Major FDI service providers.
CSA Code of Practice for Critical Information Infrastructure (current edition) at csa.gov.sg/legislation/codes-of-practice.
The substantive obligations on CII owners
A designated CII owner under section 7 is subject to:
Section 8 obligations — compliance with Code of Practice and Standards of Performance issued by the Commissioner. The Code prescribes minimum cybersecurity controls (access management, encryption, patching, logging, incident response, business continuity).
Section 10 obligations — notify the Commissioner of changes affecting the CII (system changes, operator changes, ownership changes).
Section 11 obligations — comply with codes and standards.
Section 12 obligations — undertake cybersecurity audit at least once every two years.
Section 13 obligations — undertake cybersecurity risk assessment at least annually.
Section 14 obligations (expanded from 31 October 2025) — report prescribed cybersecurity incidents within prescribed timelines.
Section 15 obligations — participate in cybersecurity exercises directed by the Commissioner.
Section 16A obligations (for designated providers of 3PO CII) — obtain and police legally binding commitments from third-party owners covering information rights, incident notification, cybersecurity standards, and audit cooperation.
The cyber insurance interaction
Singapore cyber insurance policies respond to several components of CII-related cybersecurity risk:
First-party incident response — forensic investigation, breach coach, legal counsel, public relations, technical remediation. Most policies include a 24/7 incident hotline and a panel of pre-approved vendors.
CSA-imposed remediation costs. Some wordings exclude "betterment" or "regulator-mandated remediation"; SMEs designated CII or 3PO CII designated providers must specifically test the wording. Where a Code of Practice gap requires remediation imposed by CSA, the cost may be substantial and may not be covered without explicit endorsement.
Regulatory defence costs. CSA investigations under the Cybersecurity Act and any prosecutions. Most Singapore cyber wordings include a sub-limit for regulatory defence.
CSA financial penalties. Generally not insurable to the extent treated as punitive under Singapore public-policy doctrine. The Cybersecurity Act framework includes administrative and prosecutorial penalties; the insurability of specific penalties depends on the legal characterisation of the penalty (punitive vs compensatory).
Third-party liability. Customer and downstream claims arising from cybersecurity incidents on the CII or 3PO CII.
Business interruption. Loss of gross profit and increased cost of working following a cyber-triggered operational shutdown, including regulator-mandated shutdown.
Section 16A flow-down liability. For designated providers of 3PO CII, the obligation to obtain and police binding commitments from third-party owners creates contractual liability exposure. Standard cyber wordings may not explicitly address this; coverage should be tested at placement.
Claim-time worked example
A healthcare SME ("MedTech F") operates a hospital electronic medical records application hosted on a major cloud provider's Singapore region. From 31 October 2025, the workload is potentially 3PO CII under section 16A. The Commissioner designates MedTech F as the designated provider responsible.
MedTech F's section 16A obligations:
- Obtain legally binding commitments from the cloud provider covering: information rights; maintenance of prescribed technical standards; incident notification; audit cooperation.
- Implement controls and monitoring per the CSA Code of Practice for the CII.
- Report prescribed cybersecurity incidents affecting the CII, MedTech F's own systems, and any cloud-provider supplier systems interconnected with the CII (the expanded section 14 scope).
A cybersecurity incident occurs at the cloud provider affecting the CII (data exfiltration of approximately 4,200 patient records).
Response workflow:
- Day 1: cloud provider notifies MedTech F per the binding commitment under section 16A.
- Day 1: MedTech F's incident response engaged via cyber policy 24/7 hotline.
- Day 1 to 3: forensic assessment confirms scope.
- Day 3: PDPA section 26D assessment (see Article 263 in Related Information) — notifiable data breach (medical information is a significant-harm category; 4,200 affected individuals exceeds the significant-scale threshold of 500). PDPC notification is due as soon as practicable and no later than 3 calendar days after the day the assessment is made.
- Day 3: CSA notification under section 14 Cybersecurity Act — the incident affects the CII and a supplier system; the expanded scope captures both.
- Days 4 to 30: forensic investigation, customer notification, regulatory engagement.
Insurance response:
- Cyber policy responds to incident response, forensic, breach coach, legal counsel, public relations costs.
- Notification cost cover funds the patient notification logistics.
- Regulatory defence cover funds CSA and PDPC engagement defence.
- Third-party liability cover responds to patient claims under PDPA section 48O and general tort.
- Business interruption cover responds if MedTech F suspends operations during forensic investigation.
- Cover for any CSA financial penalty responds only to the extent the penalty is insurable by law (see the punitive vs compensatory distinction above).
- Cost of obtaining and policing the section 16A binding commitments is typically not covered as part of standard incident-response cover.
Common Mistakes / What Goes Wrong
- Assuming CII designation only applies to physical infrastructure. The 31 October 2025 amendments explicitly bring virtual systems and cloud workloads within scope. SMEs operating essential-service applications on cloud platforms can be designated.
- Not considering offshore-located systems. Provider-Owned CII (PO CII) designation can apply to systems located wholly outside Singapore but owned by a person in Singapore.
- Treating section 16A 3PO CII designation as the third-party owner's problem. Section 16A places the responsibility on the essential service provider (the SME), not the third-party owner. The SME must obtain binding commitments from the third-party owner.
- Underestimating the expanded section 14 incident-reporting scope. From 31 October 2025, incident reporting extends to incidents affecting the CII, any system under the owner's control, and supplier systems interconnected with the CII. The scope is materially broader than pre-amendment.
- Buying cyber cover without testing CSA-imposed remediation cost treatment. Standard wordings may exclude "betterment" or "regulator-mandated remediation"; SMEs in CII or 3PO CII positions should specifically test the wording and request endorsements where it is silent.
- Failing to coordinate PDPA section 26D and Cybersecurity Act section 14 reporting. A cyber incident may trigger both regimes, with different timelines and recipients. The two should be coordinated, not duplicated.
- Ignoring upcoming Parts 3C and 3D. ESCI and Major FDI designations are pending commencement. SMEs in autonomous universities, sensitive-research entities, cloud-service provision, and data-centre operation should monitor commencement notifications.
- Not maintaining the section 16A binding-commitment documentation. The binding commitments are the SME's compliance evidence. Documentation should be auditable.
- Treating the cybersecurity audit (section 12) and risk assessment (section 13) as interchangeable. Section 12 is an independent audit at least every two years. Section 13 is a risk assessment at least annually. Both are required and serve different purposes.
- Failing to participate in cybersecurity exercises (section 15). Commissioner-directed exercises are mandatory for CII owners. Non-participation is a regulatory breach.
What This Means for Your Business
For a Singapore SME operating in or adjacent to the 11 CII sectors, the structural priority is: identify whether any system supporting essential service delivery could be designated CII; if cloud-hosted, recognise that 31 October 2025 amendments explicitly capture virtual systems; if relying on third-party-owned infrastructure for essential service delivery, prepare for potential section 16A designation as designated provider responsible.
For SMEs in healthcare, financial services, transport, and other essential-service sectors, the practical immediate step is to engage with CSA's published Code of Practice for Critical Information Infrastructure and assess compliance gaps. Even where the SME is not yet designated, the Code provides the operational baseline against which any future designation would be measured.
For SMEs supplying cloud, data-centre, or IT outsourced services to CII owners, the section 16A flow-down obligations will increasingly appear in customer contracts. Vendor SMEs should prepare standard contractual terms that align with the section 16A binding-commitment framework.
For cyber insurance procurement, the wording should explicitly address: CSA Code of Practice gap-remediation costs; incident-reporting cost cover; regulatory defence cover; section 16A flow-down liability; CSA cybersecurity audit costs; cybersecurity exercise participation costs.
Questions to Ask Your Adviser
- Are any of our systems supporting essential-service delivery potentially within CII designation criteria under the amended section 7 (including virtual systems and offshore systems)?
- If we rely on third-party-owned infrastructure for essential service delivery, could we be designated under section 16A as designated provider responsible?
- For our cyber policy, does the wording cover CSA-imposed remediation costs, or is this excluded as "betterment" or "regulator-mandated remediation"?
- Does our cyber policy respond to CSA cybersecurity audit costs and cybersecurity exercise participation costs?
- For section 14 expanded incident reporting from 31 October 2025, are our incident response procedures aligned with the broader scope (CII, owner's systems, supplier systems)?
- For section 16A flow-down obligations, do our vendor contracts include the binding-commitment framework, and does our cyber policy cover the cost of policing these commitments?
- Are we monitoring CSA announcements for the commencement of Parts 3C (ESCI) and 3D (Major FDI) that may bring additional SMEs within scope?
Related Information
- Article 263 — PDPC Mandatory Data Breach Notification (PDPA Section 26D): The 3-Day Clock Decoded for Singapore SMEs
- Article 365 — Day One of a Ransomware Negotiation: The Singapore SME Response Framework
- Article 364 — Day One of a Business Email Compromise Wire Fraud Loss: The Singapore SME Response Framework
- Article 278 — Cyber Architecture Tower vs Monoline Policy Comparison
- Article 408 — How to File a Notice of Circumstance Under a Claims-Made Policy: D&O, PI, Cyber, and EPL Mechanics for Singapore SMEs
- Article 277 — Business Interruption Deductible: Hours-Based vs Day-Based vs Dollar-Based Waiting Period