§ 16G — Power of Commissioner to issue written directions

16G.—(1) The Commissioner may, if the Commissioner thinks —(a)

it is necessary or expedient for ensuring the cybersecurity of a third-party-owned critical information infrastructure or a class of third‑party‑owned critical information infrastructure; or

(b)

it is necessary or expedient for the effective administration of this Act,

issue a written direction, either of a general or specific nature, to a designated provider responsible for third‑party‑owned critical information infrastructure or a class of such providers.

(2) Without limiting subsection (1), a direction under that subsection may relate to —(a)

the action to be taken by the provider or providers in relation to a cybersecurity threat;

(b)

compliance with any code of practice or standard of performance applicable to the provider;

(c)

steps to be taken by the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to ensure that any prescribed technical or other standards relating to cybersecurity in respect of the third‑party‑owned critical information infrastructure are maintained;

(d)

the appointment of an auditor approved by the Commissioner to audit the provider or providers on their compliance with this Act or any code of practice or standard of performance applicable to the provider or providers; or

(e)

any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the third‑party‑owned critical information infrastructure.

(3) A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —(a)

stating that the Commissioner proposes to issue the direction and setting out its effect; and

(b)

specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may, if the Commissioner thinks —(a)

it is necessary or expedient for ensuring the cybersecurity of a third-party-owned critical information infrastructure or a class of third‑party‑owned critical information infrastructure; or

(b)

it is necessary or expedient for the effective administration of this Act,

issue a written direction, either of a general or specific nature, to a designated provider responsible for third‑party‑owned critical information infrastructure or a class of such providers.

(2) Without limiting subsection (1), a direction under that subsection may relate to —(a)

the action to be taken by the provider or providers in relation to a cybersecurity threat;

(b)

compliance with any code of practice or standard of performance applicable to the provider;

(c)

steps to be taken by the designated provider responsible for third‑party‑owned critical information infrastructure to require the owner of the third‑party‑owned critical information infrastructure to ensure that any prescribed technical or other standards relating to cybersecurity in respect of the third‑party‑owned critical information infrastructure are maintained;

(d)

the appointment of an auditor approved by the Commissioner to audit the provider or providers on their compliance with this Act or any code of practice or standard of performance applicable to the provider or providers; or

(e)

any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the third‑party‑owned critical information infrastructure.

(3) A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —(a)

stating that the Commissioner proposes to issue the direction and setting out its effect; and

(b)

specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.[Act 19 of 2024 wef 31/10/2025]