Since the enactment of Singapore’s Cybersecurity Act (Act) in August 2018, the digital battlefield has transformed dramatically. The nation’s move towards digitalisation has not only spurred the growth of Singapore’s digital economy but also brought new cyber threats and challenges to the fore.
Given this, the Cyber Security Agency of Singapore (CSA) launched a public consultation on the draft Cybersecurity (Amendment) Bill (Draft Bill) on 15 December 2023 to address the evolving cyber threat landscape. The public consultation will close on 15 January 2024.
Key changes proposed in the Draft Bill
- Introducing a new category of “non-provider-owned Critical Information Infrastructure (CII)”: The Draft Bill acknowledges the paradigm shift in the business models of essential service providers, which are increasingly leveraging third-party vendors’ computer systems rather than owning their own CIIs.
The Draft Bill distinguishes between conventional “provider-owned CII” (Provider-owned CII) and “non-provider-owned CII” (Non-provider-owned CII).
Under the new Part 3A of the Draft Bill, essential service providers utilising Non-provider-owned CII will be ultimately responsible for the cybersecurity of Non-provider-owned CII. They will be required to obtain legally binding commitments from their computing vendors to ensure that they can fully meet their cybersecurity obligations under the Draft Bill.
- Broadening incident reporting requirements for CIIs: The CSA is proposing to expand the incident reporting framework to improve its awareness of cyber threats.
The current focus of the Act is on CIIs and their connected systems. The Draft Bill aims to extend the notification requirements to the Commissioner of Cybersecurity (Commissioner) to include incidents involving other computers or computer systems which are controlled by owners or essential service providers (as the case may be) – regardless of whether those systems are interconnected with or communicate with CIIs.
- Widening oversight of the Commissioner beyond CII owners: The CSA proposes broadening its regulatory reach beyond owners of CIIs to include other pivotal systems that underpin Singapore’s cyber ecosystem. The Draft Bill introduces three new categories for CSA oversight:
- Foundational Digital Infrastructure (FDI): This category includes digital infrastructure, namely cloud computing and data facility services that enhance the availability, latency, throughput, or security of digital services, which, while not currently designated as CII, are integral to Singapore’s technology stacks. The compromise of these FDI could have a cascading effect on a wide range of systems.
The Commissioner will designate a provider a “major FDI service provider” if the Commissioner is satisfied that the FDI service is provided to or from Singapore, and its impairment or loss could lead to or cause disruption to a large number of businesses or organisations. If passed, these provisions are likely to affect leading data centre operators and cloud service providers in the market.
- Entities of Special Cybersecurity Interest (ESCI): These are entities that handle sensitive data or perform critical functions for Singapore that, if disrupted, would have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, safety, or order. For example, entities collaborating with the Singapore Government and holding sensitive data may potentially fall under the ambit of the provisions.
- Systems of Temporary Cybersecurity Concern (STCC): These are computer systems that are temporarily critical to the nation’s interests, for instance, when they provide support for key international events like the World Economic Forum. Such systems are at heightened risk of cybersecurity threat or incident that would have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, safety or order of Singapore.
The Commissioner may designate a system as an STCC for up to one year with the option for extensions, which differs from the typical 5-year term for other designations.
Generally speaking, regardless of categorisation, designated providers/entities under these new categories are expected to adhere to duties comparable to those imposed on CII providers, including providing the Commissioner with system information, complying with prescribed codes of practice and standards, and notifying the CSA of relevant cybersecurity incidents.
Notably, while non-compliance with obligations concerning FDI and ESCI might result in financial penalties, the Draft Bill proposes that non-compliance in relation to an STCC would be a criminal offence.
- Expanding jurisdiction to cover offshore CIIs and FDIs: The CSA has proposed to confer power upon the Commissioner to designate computers or computer systems as CIIs/major FDIs, even if the computer systems are located wholly outside Singapore.
Providers which have infrastructure offshore may soon be caught by the expanded territorial scope if the Bill is passed unamended.
Conclusion
The Draft Bill represents a proactive and adaptive response by the CSA to the dynamic and rapidly evolving cybersecurity landscape and associated challenges.
Companies in the business of digital infrastructure and systems may soon find that they will be subject to new and onerous obligations under the CSA, thereby increasing compliance cost. It is vital for businesses to remain agile and adopt proactive measures to steer through the evolving regulatory waters.
The Draft Bill may be accessed here: cybersecurity-(amendment)-bill-2023_for-public-consultations.pdf (csa.gov.sg)
Please contact Lauren Hurcombe (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.