§ 17 — Designation of system of temporary cybersecurity concern

17.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a system of temporary cybersecurity concern for the purposes of this Act, if the Commissioner is satisfied that —(a)

for a limited period —(i)

there is a high risk that a cybersecurity threat or cybersecurity incident may be carried out that will jeopardise or adversely affect, without lawful authority, the cybersecurity of the computer or computer system; and

(ii)

the loss or compromise of the computer or computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; and

(b)

the computer or computer system is located wholly or partly in Singapore.

(2) A notice issued under subsection (1) must —(a)

identify the computer or computer system that is being designated as a system of temporary cybersecurity concern;

(b)

identify the owner of the computer or computer system so designated as a system of temporary cybersecurity concern;

(c)

inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;

(d)

specify the first and last day of the period of designation, which must not exceed one year;

(e)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the system of temporary cybersecurity concern in relation to its cybersecurity;

(f)

inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(g)

inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect until the end of the period of designation specified in the notice, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —(a)

the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and

(b)

another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a system of temporary cybersecurity concern is a reference to the person mentioned in subsection (4)(b).

(7) Where —(a)

a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and

(b)

the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,

the owner of the system of temporary cybersecurity concern must notify the Commissioner of this without delay.

(8) Where a system of temporary cybersecurity concern is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the system of temporary cybersecurity concern is treated as the owner of the system of temporary cybersecurity concern for the purposes of this Act.

(9) A notice issued under this section need not be published in the Gazette.[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a system of temporary cybersecurity concern for the purposes of this Act, if the Commissioner is satisfied that —(a)

for a limited period —(i)

there is a high risk that a cybersecurity threat or cybersecurity incident may be carried out that will jeopardise or adversely affect, without lawful authority, the cybersecurity of the computer or computer system; and

(ii)

the loss or compromise of the computer or computer system will have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore; and

(b)

the computer or computer system is located wholly or partly in Singapore.

(2) A notice issued under subsection (1) must —(a)

identify the computer or computer system that is being designated as a system of temporary cybersecurity concern;

(b)

identify the owner of the computer or computer system so designated as a system of temporary cybersecurity concern;

(c)

inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;

(d)

specify the first and last day of the period of designation, which must not exceed one year;

(e)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the system of temporary cybersecurity concern in relation to its cybersecurity;

(f)

inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(g)

inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3) Any designation under subsection (1) has effect until the end of the period of designation specified in the notice, unless it is withdrawn by the Commissioner before the expiry of the period.

(4) The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —(a)

the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and

(b)

another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a system of temporary cybersecurity concern is a reference to the person mentioned in subsection (4)(b).

(7) Where —(a)

a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and

(b)

the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,

the owner of the system of temporary cybersecurity concern must notify the Commissioner of this without delay.

(8) Where a system of temporary cybersecurity concern is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the system of temporary cybersecurity concern is treated as the owner of the system of temporary cybersecurity concern for the purposes of this Act.

(9) A notice issued under this section need not be published in the Gazette.[Act 19 of 2024 wef 31/10/2025]