§ 16H — Change in ownership of third‑party‑owned critical information infrastructure

16H.—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner will notify the provider of any change in the beneficial or legal ownership (including any share in such ownership) of the third‑party‑owned critical information infrastructure, not later than 7 days after the date of that change in ownership.(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(4) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a third‑party‑owned critical information infrastructure, the designated provider responsible for third-party-owned critical information infrastructure must inform the Commissioner of the change in ownership not later than 7 days after the provider becomes aware of that change in ownership.

(5) Where the criteria in section 16A(1) are no longer fulfilled, the designated provider responsible for third‑party‑owned critical information infrastructure must inform the Commissioner of the change in circumstances not later than 7 days after the date of the change in circumstances.

(6) Any person who, without reasonable excuse, fails to comply with subsection (4) or (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]

—(1) A designated provider responsible for third‑party‑owned critical information infrastructure must obtain a legally binding commitment from the owner of the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity, that the owner will notify the provider of any change in the beneficial or legal ownership (including any share in such ownership) of the third‑party‑owned critical information infrastructure, not later than 7 days after the date of that change in ownership.

(2) Where subsection (1) is not complied with, the Commissioner may order the designated provider responsible for third‑party‑owned critical information infrastructure to cease using, directly or indirectly, the third‑party‑owned critical information infrastructure for which the provider is responsible for its cybersecurity.

(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with an order issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(4) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a third‑party‑owned critical information infrastructure, the designated provider responsible for third-party-owned critical information infrastructure must inform the Commissioner of the change in ownership not later than 7 days after the provider becomes aware of that change in ownership.

(5) Where the criteria in section 16A(1) are no longer fulfilled, the designated provider responsible for third‑party‑owned critical information infrastructure must inform the Commissioner of the change in circumstances not later than 7 days after the date of the change in circumstances.

(6) Any person who, without reasonable excuse, fails to comply with subsection (4) or (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.[Act 19 of 2024 wef 31/10/2025]