§ 16B — Power to obtain information to ascertain if criteria for designated provider responsible for cybersecurity of third‑party‑owned critical information infrastructure fulfilled

16B.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria in section 16A(1).(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by the person, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system that is within that person’s knowledge or which the person can reasonably obtain, as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria in section 16A(1).

(3) Without limiting subsection (2), the Commissioner may in the notice require the person to provide —(a)

information relating to —(i)

the function that the computer or computer system is employed to serve; and

(ii)

the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;

(b)

information relating to the design of the computer or computer system; and

(c)

any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria in section 16A(1).

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Where a person fails to comply with a notice under subsection (2), and the computer or computer system in relation to which the notice was issued appears to be necessary for the delivery of an essential service provided by the person, the Commissioner may order the person to cease using, directly or indirectly, the computer or computer system in relation to which the notice was issued.

(6) Any person who, without reasonable excuse, fails to comply with an order issued under subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(7) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.[Act 19 of 2024 wef 31/10/2025]

—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria in section 16A(1).

(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by the person, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system that is within that person’s knowledge or which the person can reasonably obtain, as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria in section 16A(1).

(3) Without limiting subsection (2), the Commissioner may in the notice require the person to provide —(a)

information relating to —(i)

the function that the computer or computer system is employed to serve; and

(ii)

the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;

(b)

information relating to the design of the computer or computer system; and

(c)

any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria in section 16A(1).

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Where a person fails to comply with a notice under subsection (2), and the computer or computer system in relation to which the notice was issued appears to be necessary for the delivery of an essential service provided by the person, the Commissioner may order the person to cease using, directly or indirectly, the computer or computer system in relation to which the notice was issued.

(6) Any person who, without reasonable excuse, fails to comply with an order issued under subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(7) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.[Act 19 of 2024 wef 31/10/2025]