Cybersecurity Act 2024 Amendment First-Year Compliance Review

The Answer in 60 Seconds

The Cybersecurity Act 2018, as amended by the Cybersecurity (Amendment) Act 2024, had most of its amending provisions come into force on 31 October 2025, expanding the framework administered by the Cyber Security Agency of Singapore (CSA). Key expansions: Systems of Temporary Cybersecurity Concern (STCC) capturing systems facing heightened risk during major events / major government activities, Entities of Special Cybersecurity Interest (ESCI), and Foundational Digital Infrastructure (FDI) such as major cloud and data-centre providers — though the FDI regime (Part 3D) had not yet commenced as of 31 October 2025 and awaits a later commencement notification. The Amendment also expanded reporting / cybersecurity audit obligations. The first six months of operation has surfaced operational and insurance considerations. For Singapore SMEs operating CII or other designated scope: 2-hour incident reporting, specific cybersecurity audit cycles, specific incident response infrastructure, and specific Cyber Liability with regulatory defence cover are operational requirements. For SMEs outside designated scope, the framework still influences market standards — Cyber Liability terms, panel response, and specific industry expectations have evolved.

The Sourced Detail

The 2024 Amendment to the Cybersecurity Act represents the most substantial expansion of Singapore's cybersecurity framework since the Act's 2018 introduction. The first months of operation have demonstrated CSA's regulatory approach and surfaced operational considerations for SMEs.

The framework expansion

Per the Cybersecurity Act 2018 with 2024 Amendments:

Existing scope (pre-2024 Amendment):

• Critical Information Infrastructure (CII)

• 11 sectors designated (energy, water, banking, healthcare, transport, telecom, etc.)

• Specific incident reporting

Post-2024 Amendment additions:

1. Foundational Digital Infrastructure (FDI):

A new regulatory category for major digital infrastructure services — principally cloud computing services and data-centre facility services — that much of the economy depends on:

• Specific digital infrastructure underlying broader operations

• Operational operational standards

The FDI regime (Part 3D of the Act) had not commenced as of 31 October 2025 and awaits a separate commencement notification; FDI obligations are not yet live.

Operational implications (once commenced):

• Specific cybersecurity standards
• Reporting obligations
• Operational compliance frameworks

2. Entities of Special Cybersecurity Interest (ESCI):

Entities that hold sensitive information, or perform a function, whose disruption would have a significant detrimental effect on national interests — even where they are not CII.

3. Systems of Temporary Cybersecurity Concern (STCC):

For systems supporting:

• Major events (e.g. National Day, F1, major sporting events)

Operational implications:

• Specific event-period elevated standards

• Operational coordination

4. Expanded reporting:

• Specific 2-hour reporting for designated infrastructure
• Operational incident categories

5. Specific cybersecurity audit:

• Specific audit cycles for designated infrastructure
• Operational operational standards

First-year compliance observations

CSA enforcement focus:

In the first six months of the 2024 Amendment operation, CSA has emphasised:

1. CII, STCC and ESCI designation and scope clarification:

   • Operational scope determination
   • Commercial relationship clarification
   • Operational operational standards

2. Incident reporting compliance:

   • 2-hour reporting compliance
   • Specific incident scope and classification
   • Operational operational sophistication

3. Cybersecurity audit compliance:

   • Specific audit cycles
   • Operational findings remediation
   • Operational scope

4. Operational standards:

   • Operational risk management
   • Operational incident response
   • Operational considerations

Operational implications for designated infrastructure

For Singapore SMEs operating CII / STCC / ESCI scope:

Foundational compliance:

• Specific CSA designation engagement

• Operational operational standards

• Operational operational sophistication

Specific incident response infrastructure:

• 24/7 detection and response capability
• Operational 2-hour reporting capability
• Operational incident response panel
• Operational operational considerations

Specific cybersecurity audit:

• Specific designated audit cycle

• Operational findings remediation

• Operational operational standards

Specific risk management:

• Specific risk assessments
• Operational operational standards
• Operational operational scope
• Operational operational sophistication

Specific implications for SMEs outside designated scope

Even for SMEs outside CII / STCC / ESCI scope:

Market standards influence:

The framework influences broader market expectations:

• Customer expectations for cybersecurity
• Operational commercial relationships
• Operational commercial standards
• Operational operational sophistication

Insurance market influence:

Cyber Liability market terms have evolved:

• Specific underwriting expectations
• Operational operational standards expected
• Operational incident response capability

Specific industry expectations:

For specific industries (financial services, healthcare, technology, professional services):

• Specific industry-specific standards
• Operational commercial relationships
• Operational operational standards

The 2-hour reporting framework

For designated CII:

Per CSA framework:

Reportable incidents:

• Specific cybersecurity incidents per scope definition

• Operational impact

• Operational operational sophistication

2-hour clock:

• Reporting within 2 hours of detection
• Operational sophistication required
• Operational incident response infrastructure

Operational operational implications:

• 24/7 detection capability foundational
• Operational incident response team availability
• Operational operational standards
• Operational operational considerations

Insurance implications

For designated infrastructure operators:

Specific Cyber Liability scope:

• Comprehensive Cyber with substantial limits
• Specific regulatory defence cover
• Specific 2-hour reporting coordination

Specific limit considerations:

For CII and other designated operators:

• Substantial limits typical (S$10M-S$50M+)
• Specific tower structures common (see Article 167)

Specific incident response panel:

• 24/7 panel access
• Operational 2-hour reporting capability
• Operational operational considerations
• Operational operational standards

Specific industry observations

Financial services:

• Specific MAS-coordinated framework
• Operational operational sophistication

Healthcare:

• Specific HCSA-coordinated framework
• Operational operational sophistication

Telecom:

• Specific IMDA-coordinated framework
• Operational operational sophistication

Energy / utilities:

• Specific EMA-coordinated framework
• Operational operational sophistication

Transport:

• Specific LTA / CAAS-coordinated framework
• Operational operational sophistication

Commercial considerations for cross-border operations

For Singapore SMEs with cross-border digital operations:

Specific framework coordination:

• Singapore Cybersecurity Act
• Specific cross-border data protection (PDPA, GDPR, etc.)
• Operational cross-border incident reporting

Operational sophistication:

• Multi-jurisdictional incident response
• Operational cross-border legal frameworks

Operational discipline

For all SMEs:

Risk management foundation:

• Specific risk assessments

• Operational operational sophistication

Specific incident response:

• Pre-arranged panel

• Operational operational standards

• Operational operational scope

Specific staff awareness:

• Specific cybersecurity training
• Operational incident reporting awareness
• Operational operational standards
• Operational operational scope

What's likely in years 2-3

Continued framework evolution:

CSA has indicated continued framework evolution, including the later commencement of the FDI (Part 3D) regime. Operational operational standards expected to mature.

Specific industry-specific guidance:

Specific industry-specific guidance expected to issue. Operational scope.

Specific case law evolution:

The first year has not yet generated significant published case law on Cybersecurity Act-specific disputes. Specific case law expected to emerge.

Specific market standard evolution:

Cyber Liability market standards continue to evolve. Operational considerations.

Common Mistakes / What Goes Wrong

1. CII / STCC / ESCI designation scope unclear. operational compliance gap.
2. 2-hour reporting capability inadequate. Direct compliance breach risk.
3. Cybersecurity audit cycle compliance gap.
4. No incident response panel pre-engagement. Operational sophistication gap.
5. Cyber Liability inadequate for designated infrastructure.
6. No regulatory defence cover. Operational sophistication gap.
7. No 24/7 detection capability for designated scope. Operational sophistication gap.
8. No staff awareness for incident reporting.
9. Specific cross-border operations without coordinated framework.
10. Assuming the FDI regime is already in force. The Part 3D provisions for major Foundational Digital Infrastructure providers had not commenced as of 31 October 2025.

What This Means for Your Business

For Singapore SMEs evaluating Cybersecurity Act compliance:

1. For CII / STCC / ESCI designated scope, comprehensive compliance is foundational. No workarounds.

2. For SMEs outside designated scope, market standards still apply. Specific commercial expectations.

3. 2-hour reporting requires 24/7 detection capability. Operational sophistication.

4. Cybersecurity audit cycle compliance. Operational standards.

5. Comprehensive Cyber Liability with regulatory defence cover. Specific designated infrastructure scope.

6. Pre-arranged incident response panel. Operational sophistication.

7. The FDI regime is not yet live — monitor CSA for the commencement of the Part 3D provisions if you operate cloud or data-centre services.

8. For specific industries, sector-specific guidance.

The Cybersecurity Act framework continues to evolve. First-year operation has clarified operational requirements; the FDI regime and further industry-specific guidance are still to come.

Questions to Ask Your Adviser

1. For my organisation profile, what CSA framework applies (CII, STCC, ESCI, or none)?
2. How does my Cyber Liability address regulatory defence and 2-hour reporting?
3. For incident response, what 24/7 panel capability is appropriate?
4. For my industry, what sector-specific guidance applies?
5. As the framework evolves — including the FDI commencement — what compliance evolution should I plan for?

Related Information

• Cybersecurity Act 2018 (with 2024 Amendments): What Singapore CII Owners and Service Providers Need to Know
• Our Systems Are Locked and the Attackers Want Bitcoin — What Do I Do Now?
• Cyber Liability Single Policy vs Tower Primary + Excess Structure: When Does Tower Make Sense?

Published 5 May 2026. Source verified 5 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.