§ 16K — Duty to notify material change to legally binding commitment

16K.—(1) If a material change is made to a legally binding commitment that was obtained by a designated provider responsible for third‑party‑owned critical information infrastructure for the purpose of meeting a requirement under section 16E(1), 16F(1), 16H(1), 16I(1) or 16J(1), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the change is made.(2) For the purposes of subsection (1), a change is a material change if the change affects the ability of the designated provider responsible for third‑party‑owned critical information infrastructure to obtain the performance, by the owner of the third‑party‑owned critical information infrastructure, of the actions committed in accordance with the legally binding commitment.

(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.[Act 19 of 2024 wef 31/10/2025]

—(1) If a material change is made to a legally binding commitment that was obtained by a designated provider responsible for third‑party‑owned critical information infrastructure for the purpose of meeting a requirement under section 16E(1), 16F(1), 16H(1), 16I(1) or 16J(1), the designated provider responsible for third‑party‑owned critical information infrastructure must notify the Commissioner of the change not later than 14 days after the change is made.

(2) For the purposes of subsection (1), a change is a material change if the change affects the ability of the designated provider responsible for third‑party‑owned critical information infrastructure to obtain the performance, by the owner of the third‑party‑owned critical information infrastructure, of the actions committed in accordance with the legally binding commitment.

(3) Any designated provider responsible for third‑party‑owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.[Act 19 of 2024 wef 31/10/2025]