Data compiled and provided by 法律人 LawPlayer · Singapore legislation · curated by LawPlayer

Cybersecurity Act 2018

An Act to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents, to regulate certain persons in relation to the cybersecurity of certain computers or computer systems, to regulate cybersecurity service providers, and for matters related thereto. [Act 19 of 2024 wef 31/10/2025]

Code: CA2018
Year: 2018
Status: In Force
Source: SSO

Sections (72)

  • § 1 — Short title and commencement

    1.—(1) This Act is the Cybersecurity Act 2018. (2) Part 5 and the Second Schedule come into operation on a date that the Minister appoints by notification in the Gazette.

  • § 10 — Furnishing of information relating to provider-owned critical information infrastructure

    10.—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a provider-owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following: (a) information on the design, configuration and security of the pro

  • § 12 — Power of Commissioner to issue written directions

    12.—(1) The Commissioner may, if the Commissioner thinks —(a) it is necessary or expedient for ensuring the cybersecurity of a provider-owned critical information infrastructure or a class of provider-owned critical information infrastructure; or (b) it is necessary or expedient for the effective a

  • § 13 — Change in ownership of provider-owned critical information infrastructure

    13.—(1) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a provider-owned critical information infrastructure, the relevant person must inform the Commissioner of the change in ownership not later than 7 days after the date of that change in o

  • § 14 — Duty to report cybersecurity incident in respect of provider‑owned critical information infrastructure, etc.

    14.—(1) The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence: (a) a prescribed cybersecurity incident in respect

  • § 15 — Cybersecurity audits and risk assessments of provider‑owned critical information infrastructure

    15.—(1) The owner of a provider-owned critical information infrastructure must —(a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance o

  • § 16 — Cybersecurity exercises

    16.—(1) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners of different provider-owned critical information infrastructure in responding to significant cybersecurity incidents. [Act 19 of 2024 wef 31/10/2025] (2) An owner of a provider-own

  • § 16A — Designation of provider of essential service responsible for cybersecurity of third‑party‑owned critical information infrastructure

    16A.—(1) The Commissioner may, by written notice to a provider of an essential service, designate the provider as a provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfi

  • § 16B — Power to obtain information to ascertain if criteria for designated provider responsible for cybersecurity of third‑party‑owned critical information infrastructure fulfilled

    16B.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria in section 16A(1). (2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of an essential service

  • § 16C — Withdrawal of designation of designated provider responsible for third-party-owned critical information infrastructure

    16C. The Commissioner may, by written notice, withdraw the designation of any designated provider responsible for third-party-owned critical information infrastructure at any time if the Commissioner is of the opinion that the criteria in section 16A(1) are no longer fulfilled. [Act 19 of 2024 wef 31

  • § 16D — Extension of designation of designated provider responsible for third-party-owned critical information infrastructure

    16D.—(1) At any time before the expiry of the designation of a designated provider responsible for third-party-owned critical information infrastructure, the Commissioner may, by written notice, extend the designation of the designated provider responsible for third-party-owned critical information

  • § 16E — Furnishing of information relating to third-party-owned critical information infrastructure

    16E.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the

  • § 16F — Provider to ensure third‑party‑owned critical information infrastructure conforms with prescribed standards

    16F.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure, that the owner will ensure that any applicable prescribed technical or other stan

  • § 16G — Power of Commissioner to issue written directions

    16G.—(1) The Commissioner may, if the Commissioner thinks —(a) it is necessary or expedient for ensuring the cybersecurity of a third-party-owned critical information infrastructure or a class of third‑party‑owned critical information infrastructure; or (b) it is necessary or expedient for the effe

  • § 16H — Change in ownership of third‑party‑owned critical information infrastructure

    16H.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner will n

  • § 16I — Duty to report cybersecurity incident in respect of third‑party‑owned critical information infrastructure, etc.

    16I.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the

  • § 16J — Cybersecurity audits and risk assessments of third‑party‑owned critical information infrastructure

    16J.—(1) A designated provider responsible for third-party-owned critical information infrastructure must obtain a legally binding commitment from the owner of the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the

  • § 16K — Duty to notify material change to legally binding commitment

    16K.—(1) If a material change is made to a legally binding commitment that was obtained by a designated provider responsible for third‑party‑owned critical information infrastructure for the purpose of meeting a requirement under section 16E(1), 16F(1), 16H(1), 16I(1) or 16J(1), the designated provi

  • § 16L — Cybersecurity exercises

    16L.—(1) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of different designated providers responsible for third‑party‑owned critical information infrastructure in responding to significant cybersecurity incidents. (2) A designated provider respo

  • § 17 — Designation of system of temporary cybersecurity concern

    17.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a system of temporary cybersecurity concern for the purposes of this Act, if the Commissioner is satisfied that —(a) for a limited period —(i) there is a high r

  • § 17A — Power to obtain information to ascertain if criteria for system of temporary cybersecurity concern fulfilled

    17A.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a system of temporary cybersecurity concern. (2) The Commissioner may, by notice given in the prescribed form and manner, require any person who ap

  • § 17B — Withdrawal of designation of system of temporary cybersecurity concern

    17B. The Commissioner may, by written notice, withdraw the designation of a system of temporary cybersecurity concern at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a system of temporary cybersecurity concern.

  • § 17C — Extension of designation of system of temporary cybersecurity concern

    17C.—(1) At any time before the expiry of the designation of a system of temporary cybersecurity concern, the Commissioner may, by written notice, extend the designation of the system of temporary cybersecurity concern, if the Commissioner is of the opinion that the computer or computer system conti

  • § 17D — Furnishing of information relating to system of temporary cybersecurity concern

    17D.—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a system of temporary cybersecurity concern to furnish, within a reasonable period specified in the notice, the following: (a) information on the design, configuration and security of the system of t

  • § 17E — Power of Commissioner to issue written directions

    17E.—(1) The Commissioner may, if the Commissioner thinks —(a) it is necessary or expedient for ensuring the cybersecurity of a system of temporary cybersecurity concern or a class of systems of temporary cybersecurity concern; or (b) it is necessary or expedient for the effective administration of

  • § 17F — Duty to report cybersecurity incident in respect of system of temporary cybersecurity concern, etc.

    17F.—(1) The owner of a system of temporary cybersecurity concern must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence: (a) a prescribed cybersecurity incident in respect of the s

  • § 19 — Powers to investigate and prevent cybersecurity incidents, etc.

    19.—(1) Where information regarding a cybersecurity threat or incident has been received by the Commissioner, the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to exercise, such of the powers mentioned

  • § 2 — Interpretation

    2.—(1) In this Act, unless the context otherwise requires —“Assistant Commissioner” means any Assistant Commissioner of Cybersecurity appointed under section 4(1)(b); “assistant licensing officer” means any assistant licensing officer appointed under section 25(2); “business entity” means —(a) a c

  • § 20 — Powers to investigate and prevent serious cybersecurity incidents, etc.

    20.—(1) Where the Commissioner receives information regarding a cybersecurity threat or incident which satisfies the severity threshold in subsection (3), the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised offi

  • § 21 — Production of identification card by incident response officer

    21. Every incident response officer, when exercising any of the powers under this Part, must declare the incident response officer’s office and must, on demand, produce to any person affected by the exercise of that power such identification card as the Commissioner may direct to be carried by the i

  • § 22 — Appointment of cybersecurity technical experts

    22.—(1) The Commissioner may in writing appoint any of the following as a cybersecurity technical expert for a specified period to assist any incident response officer in the course of an investigation under section 19 or 20: (a) a public officer or an employee of a statutory body; (b) an individual

  • § 23 — Emergency cybersecurity measures and requirements

    23.—(1) The Minister may, if satisfied that it is necessary for the purposes of preventing, detecting or countering any serious and imminent threat to —(a) the provision of any essential service; or (b) the national security, defence, foreign relations, economy, public health, public safety or publ

  • § 24 — No person to provide licensable cybersecurity service without licence

    24.—(1) Except under and in accordance with a cybersecurity service provider’s licence granted or renewed under section 26, no person —(a) may engage in the business of providing any licensable cybersecurity service to other persons; or (b) being a person who is in the business of providing a licen

  • § 25 — Licensing officer and assistant licensing officers

    25.—(1) For the purposes of this Part, the Commissioner is the licensing officer and the officer responsible for the administration of this Part. (2) The licensing officer may appoint such number of assistant licensing officers as are necessary to assist the licensing officer in carrying out the lice

  • § 26 — Grant and renewal of licence

    26.—(1) An application for the grant or renewal of a licence must be —(a) made to the licensing officer in such form or manner as may be prescribed; (b) accompanied by the prescribed fee (if any); and (c) in the case of an application for the renewal of a licence, made not later than one month or

  • § 27 — Conditions of licence

    27.—(1) The licensing officer may grant a licence to an applicant, or renew an applicant’s licence, subject to such conditions as the licensing officer thinks fit to impose. (2) For the purpose of subsection (1), the licensing officer may specify —(a) conditions applicable to all licensees; (b) cond

  • § 28 — Form and validity of licence

    28.—(1) A licence must —(a) be in such form as the licensing officer may determine; and (b) contain the conditions subject to which it is granted. (2) A licence is in force for such period (not exceeding 5 years) as the licensing officer may specify in the licence, starting from the date of its is

  • § 29 — Duty to keep records

    29.—(1) A licensee must —(a) in relation to each occasion on which the licensee is engaged to provide its cybersecurity service, keep a record of the following information: (i) the name and address of the person engaging the licensee for the service; (ii) the name of the person providing the service

  • § 29A — Monitoring powers of licensing officer

    29A.—(1) The licensing officer has, for the purposes of the execution of this Part, power to do all or any of the following: (a) to enter, inspect and examine at a reasonable time the place of business of a licensee; (b) to require a licensee to produce any records, accounts and documents kept by th

  • § 3 — Application of Act

    3.—(1) Part 3 (except sections 7(1A) and 8) applies to any provider-owned critical information infrastructure located wholly or partly in Singapore. [Act 19 of 2024 wef 31/10/2025] (1A) Section 7(1A) applies to any computer or computer system located wholly outside Singapore that is owned by a person

  • § 30 — Revocation or suspension of licence

    30.—(1) Subject to subsection (4), the licensing officer may by order revoke any licence if the licensing officer is satisfied that —(a) the licensee has failed to comply with any condition to which the licence is subject; (b) the licence had been obtained by fraud or misrepresentation; (c) a circ

  • § 31 — Unlicensed cybersecurity service provider not to recover fees, etc.

    31. Any person who provides any licensable cybersecurity service is not entitled to bring any proceeding in any court to recover any commission, fee, gain or reward for the service provided unless, at the time of providing the service, the person is the holder of a valid cybersecurity service provid

  • § 32 — Financial penalty

    32.—(1) This section applies where a licensee —(a) contravenes a provision of this Part, which contravention is not an offence; or (b) fails to comply with any condition imposed by the licensing officer on the licence. (2) On the occurrence of a contravention or failure to comply mentioned in subs

  • § 33 — Licensing officer to give opportunity to make representations before ordering financial penalty

    33.—(1) Subsections (2) to (6) apply before the licensing officer makes an order under section 32(2). (2) The licensing officer must give the licensee written notice of —(a) the licensing officer’s intention to make the order under section 32(2); and (b) the date on which the licensing officer inten

  • § 34 — Recovery of financial penalties

    34.—(1) Any person who fails to pay any financial penalty imposed by the licensing officer by the date specified in the order under section 32(2) or where there is an appeal to the Minister, by the date specified by the Minister, is liable to pay to the licensing officer interest on the amount unpai

  • § 35 — Appeal to Minister

    35.—(1) Any person whose application for a licence or for the renewal of a licence has been refused by the licensing officer may, within the relevant period after being notified of such refusal, appeal against the refusal in the prescribed manner to the Minister. (2) Where a licence is granted or ren

  • § 35A — Codes of practice and standards of performance

    35A.—(1) The Commissioner may, from time to time —(a) issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated: (i) own

  • § 35B — Appeal to Minister against decision, etc., under Parts 3, 3A, 3B, 3C and 3D, etc.

    35B.—(1) This section applies to appeals to the Minister against any decision, order or written direction of the Commissioner under Part 3, 3A, 3B, 3C or 3D set out in subsection (2), or any code of practice or standard of performance issued, approved or amended by the Commissioner. (2) A person who

  • § 35C — Appeals Advisory Panel

    35C.—(1) Where the Minister considers that an appeal lodged under section 35B(2) involves issues the resolution or understanding of which require particular technical skills or specialised knowledge, the Minister may establish an Appeals Advisory Panel to provide advice to the Minister in respect of

  • § 36 — Offences by corporations

    36.—(1) Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of a corporation in relation to a particular conduct, evidence that —(a) an officer, employee or agent of the corporation engaged in that conduct within the scope of his or her actual or apparent

  • § 37 — Offences by unincorporated associations or partnerships

    37.—(1) Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of an unincorporated association or a partnership in relation to a particular conduct, evidence that —(a) an employee or agent of the unincorporated association or the partnership engaged in that

  • § 38 — Powers of investigation

    38.—(1) An investigation officer authorised by the Commissioner may, in relation to any offence under this Act (except any offence under section 23) or any regulations made under this Act, on declaration of the investigation officer’s office and production to the person against whom the investigatio

  • § 39 — Power to enter premises under warrant

    39.—(1) A Magistrate may, on the application of an investigation officer, issue a warrant in respect of any premises if the Magistrate is satisfied that there are reasonable grounds to suspect that there is on the premises any document —(a) which has been required by an investigation officer under s

  • § 4 — Appointment of Commissioner of Cybersecurity and other officers

    4.—(1) The Minister may appoint, from public officers or employees of a statutory body under the charge of the Minister —(a) a Commissioner of Cybersecurity; and (b) a Deputy Commissioner and one or more Assistant Commissioners of Cybersecurity, to assist the Commissioner in the discharge of the Co

  • § 40 — Jurisdiction of court

    40. Despite any provision to the contrary in the Criminal Procedure Code 2010, a District Court has jurisdiction to try any offence under this Act and has power to impose the full penalty or punishment in respect of the offence.

  • § 41 — Composition of offences

    41.—(1) The Commissioner or any Assistant Commissioner authorised by the Commissioner may compound any offence under this Act that is prescribed as a compoundable offence by collecting from a person reasonably suspected of having committed the offence a sum not exceeding the lower of the following: (

  • § 41A — Extension of time

    41A.—(1) A person who, in any particular case, is unable to do any thing that the person is required to do under Part 3, 3A, 3B, 3C or 3D (including any direction or order issued under those Parts) within the time specified for it may apply in writing to the Commissioner for an extension of time. (2)

  • § 42 — Service of documents

    42.—(1) A document that is permitted or required by this Act to be served on a person may be served as described in this section. (2) A document permitted or required by this Act to be served on an individual may be served —(a) by giving it to the individual personally; (b) by sending it by prepaid

  • § 43 — Preservation of secrecy

    43.—(1) Subject to subsections (3) and (7), every specified person must preserve, and aid in preserving, the secrecy of —(a) all matters relating to a computer or computer system of any person; (b) all matters relating to the business, commercial or official affairs of any person; (c) all matters

  • § 44 — Protection from personal liability

    44.—(1) No liability shall lie against the Commissioner, the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer, an authorised officer appointed under section 6, an assistant licensing officer, a member of an Appeals Advisory Panel established under section 35C or any other pers

  • § 45 — Protection of informers

    45.—(1) No witness in any proceedings for an offence under Part 3, 3A, 3B, 3C or 3D, or for a civil penalty under section 37A or 37C, is obliged or permitted —(a) to disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substanc

  • § 46 — General exemption

    46.—(1) The Minister may, by order in the Gazette, exempt any person or any class of persons from all or any of the provisions of this Act, either generally or in a particular case and subject to such conditions as may be prescribed. (2) If any exemption is granted under subsection (1) with condition

  • § 47 — Amendment of Schedules

    47.—(1) The Minister may at any time, by order in the Gazette, amend the First or Second Schedule. (2) The Minister may, in any order made under subsection (1), make such transitional, incidental, consequential or supplementary provision as may be necessary or expedient. (3) Any order made under sub

  • § 48 — Regulations

    48.—(1) The Minister may make regulations for carrying out the purposes and provisions of this Act. (2) Without limiting subsection (1), the Minister may make regulations for or with respect to all or any of the following matters: (a) the procedure for the designation of a provider-owned critical info

  • § 49 — Saving and transitional provisions

    49.—(1) Despite anything in this Act, any person who, immediately before the date of commencement of Part 5, is engaged in the business of providing a licensable cybersecurity service, may continue to engage in that business —(a) for 6 months starting on the date of commencement of Part 5; and (b)

  • § 5 — Duties and functions of Commissioner

    5.—(1) The Commissioner has the following duties and functions: (a) to oversee and promote the cybersecurity of computers and computer systems in Singapore; (b) to advise the Government or any other public authority on national needs and policies in respect of cybersecurity matters generally; (c) t

  • § 6 — Appointment of authorised officers

    6.—(1) The Commissioner may, after consulting the Minister, in writing appoint any of the following as an authorised officer to assist the Commissioner in exercising the powers under Part 4: (a) a public officer of another Ministry; (b) an employee of any statutory body; (c) an auxiliary police off

  • § 6A — Cyber Security Agency of Singapore’s symbols, etc.

    6A.—(1) The Commissioner has the exclusive right to the use of one or more symbols or representations of the Cyber Security Agency of Singapore as the Commissioner may select or devise (each called in this section the Cyber Security Agency of Singapore’s symbol or representation), and to display or

  • § 7 — Designation of provider-owned critical information infrastructure

    7.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a provider-owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —(a) the computer or computer system is

  • § 8 — Power to obtain information to ascertain if criteria for provider‑owned critical information infrastructure fulfilled

    8.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a provider-owned critical information infrastructure. [Act 19 of 2024 wef 31/10/2025] (2) The Commissioner may, by notice given in the prescribed for

  • § 9 — Withdrawal of designation of provider-owned critical information infrastructure

    9. The Commissioner may, by written notice, withdraw the designation of any provider-owned critical information infrastructure at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a provider-owned critical informati

  • § 9A — Extension of designation of provider‑owned critical information infrastructure

    9A.—(1) At any time before the expiry of the designation of a provider‑owned critical information infrastructure, the Commissioner may, by written notice, extend the designation of the provider‑owned critical information infrastructure, if the Commissioner is of the opinion that the computer or comp

Data from Singapore Statutes Online (sso.agc.gov.sg). Not affiliated with any government agency.

Source of this page's data: Singapore Statutes Online (AGC) · Compiled by: 法律人 LawPlayer · lawplayer.com