§ 14 — Duty to report cybersecurity incident in respect of provider‑owned critical information infrastructure, etc.

14.—(1) The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:(a)

a prescribed cybersecurity incident in respect of the provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(b)

a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(ba)

a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b);[Act 19 of 2024 wef 31/10/2025]

(bb)

a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider‑owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

any other type of cybersecurity incident in respect of the provider-owned critical information infrastructure that the Commissioner has specified by written direction to the owner.[Act 19 of 2024 wef 31/10/2025]

(2) The owner of a provider-owned critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the provider-owned critical information infrastructure, as set out in any applicable code of practice.[Act 19 of 2024 wef 31/10/2025]

(3) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]

[Act 19 of 2024 wef 31/10/2025]

—(1) The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:(a)

a prescribed cybersecurity incident in respect of the provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(b)

a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(ba)

a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b);[Act 19 of 2024 wef 31/10/2025]

(bb)

a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider‑owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

any other type of cybersecurity incident in respect of the provider-owned critical information infrastructure that the Commissioner has specified by written direction to the owner.[Act 19 of 2024 wef 31/10/2025]

(2) The owner of a provider-owned critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the provider-owned critical information infrastructure, as set out in any applicable code of practice.[Act 19 of 2024 wef 31/10/2025]

(3) Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]

[Act 19 of 2024 wef 31/10/2025]