
Data compiled and provided by LawPlayer · Singapore statutory provision · curated by LawPlayer

§ 2 — Interpretation

2.—(1) In this Act, unless the context otherwise requires —

“Assistant Commissioner” means any Assistant Commissioner of Cybersecurity appointed under section 4(1)(b);

“assistant licensing officer” means any assistant licensing officer appointed under section 25(2);

“business entity” means —

(a) a corporation as defined in section 4(1) of the Companies Act 1967;

(b) an unincorporated association;

(c) a partnership; or

(d) a limited liability partnership registered under the Limited Liability Partnerships Act 2005;

“code of practice” means any code of practice issued or approved under section 35A(1), and includes such a code of practice as may be amended from time to time; [Act 19 of 2024 wef 31/10/2025]

“Commissioner” means the Commissioner of Cybersecurity appointed under section 4(1)(a);

“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include such device as the Minister may, by notification in the Gazette, prescribe;

“computer program” means data representing instructions or statements that, when executed in a computer, causes the computer to perform a function;

“computer service” includes computer time, data processing and the storage or retrieval of data;

“computer system” means an arrangement of interconnected computers that is designed to perform one or more specific functions, and includes —

(a) an information technology system; and

(b) an operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system;

[Deleted by Act 19 of 2024 wef 31/10/2025]

“cybersecurity” means the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state —

(a) the computer or computer system continues to be available and operational;

(b) the integrity of the computer or computer system is maintained; and

(c) the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained;

“cybersecurity incident” means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system;

“cybersecurity officer” means any cybersecurity officer appointed under section 4(3);

“cybersecurity program” means any computer program designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of a computer or computer system;

“cybersecurity service” means a service provided by a person for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person (A), and includes the following:

(a) assessing, testing or evaluating the cybersecurity of A’s computer or computer system by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system;

(b) conducting a forensic examination of A’s computer or computer system;

(c) investigating and responding to a cybersecurity incident that has affected A’s computer or computer system by conducting a thorough scan and examination of the computer or computer system to identify and remove elements relating to, and identify the root cause of, the cybersecurity incident, and which involves circumventing the controls implemented in the computer or computer system;

(d) conducting a thorough examination of A’s computer or computer system to detect any cybersecurity threat or incident that may have already penetrated the cybersecurity defences of the computer or computer system, and that may have evaded detection by conventional cybersecurity solutions;

(e) designing, selling, importing, exporting, installing, maintaining, repairing or servicing of one or more cybersecurity solutions;

(f) monitoring of the cybersecurity of A’s computer or computer system by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system;

(g) maintaining control of the cybersecurity of A’s computer or computer system by effecting management, operational and technical controls for the purpose of protecting the computer or computer system against any unauthorised effort to adversely affect its cybersecurity;

(h) assessing or monitoring the compliance of an organisation with the organisation’s cybersecurity policy;

(i) providing advice in relation to cybersecurity solutions, including —

(i) providing advice on a cybersecurity program; or

(ii) identifying and analysing cybersecurity threats and providing advice on solutions or management strategies to minimise the risk posed by cybersecurity threats;

(j) providing advice in relation to any practices that can enhance cybersecurity;

(k) providing training or instruction in relation to any cybersecurity service, including the assessment of the training, instruction or competencies of another person in relation to any such activity;

“cybersecurity service provider” means a person who provides a cybersecurity service;

“cybersecurity solution” means any computer, computer system, computer program or computer service designed for, or purported to be designed for, ensuring or enhancing the cybersecurity of another computer or computer system;

“cybersecurity threat” means an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system;

“cybersecurity vulnerability” means any vulnerability in a computer or computer system that can be exploited by one or more cybersecurity threats;

“Deputy Commissioner” means the Deputy Commissioner of Cybersecurity appointed under section 4(1)(b);

“designated provider responsible for third‑party‑owned critical information infrastructure” means a provider of an essential service in respect of whom a designation under section 16A(1), as a provider of an essential service who is responsible for the cybersecurity of a third‑party‑owned critical information infrastructure, is in effect; [Act 19 of 2024 wef 31/10/2025]

“digital service” means any service normally provided for remuneration, that is delivered by one party to another party at the individual request of the other party, entirely through electronic means, and without needing the parties’ simultaneous physical presence, but does not include such services as the Minister may, by notification in the Gazette, prescribe; [Act 19 of 2024 wef 31/10/2025]

“entity of special cybersecurity interest” means an entity in respect of whom a designation under section 18(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“essential service” means any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule;

“foundational digital infrastructure service” means any service which promotes the availability, latency, throughput or security of digital services, and is specified in the Third Schedule; [Act 19 of 2024 wef 31/10/2025]

“full-time national serviceman” means a person who is liable to render full‑time national service under section 12 of the Enlistment Act 1970;

“licence” means a licence granted or renewed under section 26;

“licensable cybersecurity service” means any cybersecurity service specified as a licensable cybersecurity service in the Second Schedule;

“licensee” means the holder of a licence;

“major foundational digital infrastructure” means the computer or computer system (or class of computers or computer systems) that is necessary for a major foundational digital infrastructure service provider’s continuous delivery of the foundational digital infrastructure service in relation to which a designation of the major foundational digital infrastructure service provider under section 18G(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“major foundational digital infrastructure service provider” means a provider of a foundational digital infrastructure service in respect of whom a designation under section 18G(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern —

(a) means the legal owner of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and

(b) where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly owned by more than one person, includes every joint owner; [Act 19 of 2024 wef 31/10/2025]

“provider‑owned critical information infrastructure” means a computer or a computer system in respect of which a designation under section 7(1) or (1A) is in effect; [Act 19 of 2024 wef 31/10/2025]

“standard of performance” means any standard of performance issued or approved under section 35A(1), and includes such a standard of performance as may be amended from time to time; [Act 19 of 2024 wef 31/10/2025]

“system of special cybersecurity interest” means the computer or computer system (or class of computers or computer systems) in relation to which a designation of an entity of special cybersecurity interest under section 18(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“system of temporary cybersecurity concern” means a computer or computer system in respect of which a designation under section 17(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“third‑party‑owned critical information infrastructure” means the computer or computer system in relation to which a designation of a designated provider responsible for third‑party‑owned critical information infrastructure under section 16A(1) is in effect; [Act 19 of 2024 wef 31/10/2025]

“virtual computer” means a purely digital analogue of a computer, created by the simulation of software and hardware, performing logical, arithmetic or storage functions and including communications functions, but does not include the physical computing resources used for the simulation; [Act 19 of 2024 wef 31/10/2025]

“virtual computer system” means a purely digital analogue of a computer system, created by the simulation of an arrangement of interconnected computers that is designed to perform one or more specific functions, but does not include the physical computing resources used for the simulation. [Act 19 of 2024 wef 31/10/2025]

(2) For the purposes of the definition of “cybersecurity service”, a person does not provide a cybersecurity service only because the person —

(a) sells, or sells licences for, cybersecurity programs intended to be installed by a user without the assistance of the seller for the protection of the cybersecurity of a user’s computer; or

(b) provides services for the management of a computer network or computer system, that are aimed at ensuring the availability of or enhancing the performance of the computer network or computer system.

(3) For the purposes of this section (except the definitions of “computer”, “computer system” and “owner”), sections 3 and 43, Part 2, Part 3 (except section 7(1A)) and Parts 3A, 3B, 3C and 4 —

(a) “computer” includes a virtual computer;

(b) “computer system” includes a virtual computer system;

(c) “control”, in relation to a virtual computer or virtual computer system, means —

(i) having the control over the operations of the virtual computer or virtual computer system;

(ii) having the right and ability to perform security configuration and management tasks in respect of the virtual computer or virtual computer system, including to make any modification as necessary for the cybersecurity of the virtual computer or virtual computer system; and

(iii) where applicable, having responsibility for the security of the virtual computer or virtual computer system under a person’s contractual arrangement with a cloud computing service provider;

(d) “owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern that is a virtual computer or virtual computer system —

(i) means the person who has exclusive control of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and

(ii) where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly controlled by more than one person, includes every joint controller;

(e) “change in the beneficial or legal ownership (including any share in such ownership)”, in relation to a provider‑owned critical information infrastructure or third‑party‑owned critical information infrastructure that is a virtual computer or virtual computer system —

(i) in a case where the virtual computer or virtual computer system is jointly controlled by more than one person — means change in any joint controller; or

(ii) in any other case — means change in the person who has exclusive control of the virtual computer or virtual computer system; and

(f) a virtual computer or virtual computer system is wholly or partly in Singapore if one or more of the physical computing resources deployed for the simulation of the virtual computer or virtual computer system (as the case may be) is located in Singapore. [Act 19 of 2024 wef 31/10/2025]

Source of this page: Singapore Statutes Online (AGC) · Compiled by: LawPlayer · lawplayer.com