Compiled and provided by LawPlayer (法律人) · Singapore statutory provision · curated by LawPlayer

§ 16E — Furnishing of information relating to third-party-owned critical information infrastructure

16E.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner of the third‑party‑owned critical information infrastructure will —

(a) upon the request of the designated provider responsible for third‑party‑owned critical information infrastructure pursuant to a notice issued by the Commissioner under subsection (4), furnish the provider the following within a reasonable period:

(i) information on the design, configuration and security of the third-party-owned critical information infrastructure;

(ii) information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;

(iii) information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;

(iv) any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure; and

(b) notify the designated provider responsible for third‑party‑owned critical information infrastructure when a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the provider pursuant to a request mentioned in paragraph (a), not later than 30 days after the change is made, so that the provider may notify the Commissioner in accordance with subsection (8).

(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(4) The Commissioner may by notice given in the prescribed form and manner, require the designated provider responsible for third‑party‑owned critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:

(a) information on the design, configuration and security of the third‑party‑owned critical information infrastructure;

(b) information on the design, configuration and security of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;

(c) information relating to the operation of the third‑party‑owned critical information infrastructure, and of any other computer or computer system under the owner’s control or provider’s control that is interconnected with or that communicates with the third‑party‑owned critical information infrastructure;

(d) any other information relating to the third‑party‑owned critical information infrastructure that the Commissioner may require in order to ascertain the level of cybersecurity of the third‑party‑owned critical information infrastructure.

(5) Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (4) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(6) The designated provider responsible for third‑party‑owned critical information infrastructure to whom a notice is issued under subsection (4) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(7) The designated provider responsible for third-party-owned critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (4).

(8) If a material change is made by or on behalf of the owner of the third‑party‑owned critical information infrastructure to the design, configuration, security or operation of the third‑party‑owned critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (4), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the provider becomes aware of it.

(9) For the purposes of subsections (1)(b) and (8), a change is a material change if the change affects or may affect the cybersecurity of the third‑party‑owned critical information infrastructure, or the ability of the owner of the third‑party‑owned critical information infrastructure or the designated provider responsible for third‑party‑owned critical information infrastructure, to respond to a cybersecurity threat or incident affecting the third‑party‑owned critical information infrastructure.

(10) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.

[Act 19 of 2024 wef 31/10/2025]

Source of this page: Singapore Statutes Online (AGC) · Compiled by: LawPlayer (法律人) · lawplayer.com