§ 10 — Furnishing of information relating to provider-owned critical information infrastructure

10.—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a provider-owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:(a)

information on the design, configuration and security of the provider-owned critical information infrastructure;

(b)

information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;

(c)

information relating to the operation of the provider-owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;

(d)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]

(3) The owner of a provider-owned critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.[Act 19 of 2024 wef 31/10/2025]

(4) The owner of a provider-owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).[Act 19 of 2024 wef 31/10/2025]

(5) If a material change is made by or on behalf of the owner of a provider-owned critical information infrastructure to the design, configuration, security or operation of the provider-owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (1), the owner of the provider-owned critical information infrastructure must notify the Commissioner of the change not later than 30 days after the change is made.[Act 19 of 2024 wef 31/10/2025]

(6) For the purposes of subsection (5), a change is a material change if the change affects or may affect the cybersecurity of the provider-owned critical information infrastructure or the ability of the owner of the provider-owned critical information infrastructure to respond to a cybersecurity threat or incident affecting the provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(7) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.[Act 19 of 2024 wef 31/10/2025]

[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may by notice given in the prescribed form and manner, require the owner of a provider-owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:(a)

information on the design, configuration and security of the provider-owned critical information infrastructure;

(b)

information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;

(c)

information relating to the operation of the provider-owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;

(d)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]

(3) The owner of a provider-owned critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.[Act 19 of 2024 wef 31/10/2025]

(4) The owner of a provider-owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).[Act 19 of 2024 wef 31/10/2025]

(5) If a material change is made by or on behalf of the owner of a provider-owned critical information infrastructure to the design, configuration, security or operation of the provider-owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (1), the owner of the provider-owned critical information infrastructure must notify the Commissioner of the change not later than 30 days after the change is made.[Act 19 of 2024 wef 31/10/2025]

(6) For the purposes of subsection (5), a change is a material change if the change affects or may affect the cybersecurity of the provider-owned critical information infrastructure or the ability of the owner of the provider-owned critical information infrastructure to respond to a cybersecurity threat or incident affecting the provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(7) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.[Act 19 of 2024 wef 31/10/2025]

[Act 19 of 2024 wef 31/10/2025]