§ 16F — Provider to ensure third‑party‑owned critical information infrastructure conforms with prescribed standards

16F.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure, that the owner will ensure that any applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of that third-party-owned critical information infrastructure.(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(3) Where it appears to the Commissioner that —(a)

the standards mentioned in subsection (1) are not maintained in respect of the third‑party‑owned critical information infrastructure despite the issuance of directions mentioned in section 16G(2)(c) and any steps taken by the designated provider responsible for third‑party‑owned critical information infrastructure; and

(b)

there is no reasonable excuse for such failure to maintain the standards,

the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(4) Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) or (3) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]

—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure, that the owner will ensure that any applicable prescribed technical or other standards relating to cybersecurity are maintained in respect of that third-party-owned critical information infrastructure.

(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(3) Where it appears to the Commissioner that —(a)

the standards mentioned in subsection (1) are not maintained in respect of the third‑party‑owned critical information infrastructure despite the issuance of directions mentioned in section 16G(2)(c) and any steps taken by the designated provider responsible for third‑party‑owned critical information infrastructure; and

(b)

there is no reasonable excuse for such failure to maintain the standards,

the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third-party-owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(4) Any designated provider responsible for third-party-owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) or (3) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]