
Compiled and provided by 法律人 LawPlayer · Singapore statutory provision · curated by LawPlayer

§ 16A — Designation of provider of essential service responsible for cybersecurity of third‑party‑owned critical information infrastructure

16A.—(1) The Commissioner may, by written notice to a provider of an essential service, designate the provider as a provider of an essential service responsible for the cybersecurity of third‑party‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —

(a) a computer or computer system (called a third‑party‑owned critical information infrastructure) (whether located in or outside Singapore) is necessary for the continuous delivery of the essential service provided by that provider, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and

(b) the computer or computer system is not owned by the provider of the essential service.

(2) A notice issued under subsection (1) must —

(a) identify the third‑party‑owned critical information infrastructure in relation to which the provider is designated as a designated provider responsible for third‑party‑owned critical information infrastructure;

(b) identify the provider of the essential service so designated as a designated provider responsible for third‑party‑owned critical information infrastructure;

(c) identify the person who appears to be the owner of the third‑party‑owned critical information infrastructure;

(d) inform the designated provider responsible for third‑party‑owned critical information infrastructure regarding the provider’s duties and responsibilities under this Act that arise from the designation;

(e) provide the name and contact particulars of the officer assigned by the Commissioner to supervise the designated provider responsible for third‑party‑owned critical information infrastructure in relation to the cybersecurity of the third‑party‑owned critical information infrastructure;

(f) inform the designated provider responsible for third‑party‑owned critical information infrastructure that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(g) inform the designated provider responsible for third‑party‑owned critical information infrastructure that the provider may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) A notice issued under this section need not be published in the Gazette.

[Act 19 of 2024 wef 31/10/2025]


Source of this page: Singapore Statutes Online (AGC) · Compiled by: 法律人 LawPlayer · lawplayer.com