§ 3 — Application of Act

3.—(1) Part 3 (except sections 7(1A) and 8) applies to any provider-owned critical information infrastructure located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(1A) Section 7(1A) applies to any computer or computer system located wholly outside Singapore that is owned by a person in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2) Section 8 applies to any computer or computer system located wholly or partly in Singapore.

(2A) Subject to subsection (2B) —(a)

Part 3A (except section 16B) applies to any provider of an essential service who is located in Singapore, and is responsible for the cybersecurity of third‑party‑owned critical information infrastructure; and

(b)

section 16B applies to any person in Singapore who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by that person.[Act 19 of 2024 wef 31/10/2025]

(2B) Part 3A does not apply to any provider of an essential service in relation to any computer or computer system which is a provider‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2C) Subject to subsection (2D) —(a)

Part 3B (except section 17A) applies to any system of temporary cybersecurity concern located wholly or partly in Singapore; and

(b)

section 17A applies to any computer or computer system located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2D) Part 3B does not apply to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2E) Subject to subsection (2F) —(a)

Part 3C (except section 18A) applies to any entity of special cybersecurity interest incorporated or established under any written law; and

(b)

section 18A applies to any entity incorporated or established under any written law whom the Commissioner has reason to believe may fulfil the criteria to be designated as an entity of special cybersecurity interest.[Act 19 of 2024 wef 31/10/2025]

(2F) Part 3C does not apply to any entity in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2G) Subject to subsection (2H) —(a)

Part 3D (except section 18H) applies to any major foundational digital infrastructure service provider that —(i)

provides the foundational digital infrastructure service, whether from within or outside Singapore, to persons in Singapore within the meaning of section 18G; or

(ii)

provides the foundational digital infrastructure service wholly or partially from Singapore within the meaning of section 18G; and

(b)

section 18H applies to any person who appears to be a provider of a foundational digital infrastructure service, whom the Commissioner has reason to believe may fulfil the criteria to be designated as a major foundational digital infrastructure service provider.[Act 19 of 2024 wef 31/10/2025]

(2H) Part 3D does not apply to any provider of a foundational digital infrastructure service in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(3) Except as provided in subsection (4), this Act binds the Government.

(4) Nothing in this Act renders the Government liable to prosecution for an offence.

(5) To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government.

—(1) Part 3 (except sections 7(1A) and 8) applies to any provider-owned critical information infrastructure located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(1A) Section 7(1A) applies to any computer or computer system located wholly outside Singapore that is owned by a person in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2) Section 8 applies to any computer or computer system located wholly or partly in Singapore.

(2A) Subject to subsection (2B) —(a)

Part 3A (except section 16B) applies to any provider of an essential service who is located in Singapore, and is responsible for the cybersecurity of third‑party‑owned critical information infrastructure; and

(b)

section 16B applies to any person in Singapore who appears to be a provider of an essential service for which a computer or computer system necessary for the continuous delivery of the essential service is not owned by that person.[Act 19 of 2024 wef 31/10/2025]

(2B) Part 3A does not apply to any provider of an essential service in relation to any computer or computer system which is a provider‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2C) Subject to subsection (2D) —(a)

Part 3B (except section 17A) applies to any system of temporary cybersecurity concern located wholly or partly in Singapore; and

(b)

section 17A applies to any computer or computer system located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2D) Part 3B does not apply to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2E) Subject to subsection (2F) —(a)

Part 3C (except section 18A) applies to any entity of special cybersecurity interest incorporated or established under any written law; and

(b)

section 18A applies to any entity incorporated or established under any written law whom the Commissioner has reason to believe may fulfil the criteria to be designated as an entity of special cybersecurity interest.[Act 19 of 2024 wef 31/10/2025]

(2F) Part 3C does not apply to any entity in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2G) Subject to subsection (2H) —(a)

Part 3D (except section 18H) applies to any major foundational digital infrastructure service provider that —(i)

provides the foundational digital infrastructure service, whether from within or outside Singapore, to persons in Singapore within the meaning of section 18G; or

(ii)

provides the foundational digital infrastructure service wholly or partially from Singapore within the meaning of section 18G; and

(b)

section 18H applies to any person who appears to be a provider of a foundational digital infrastructure service, whom the Commissioner has reason to believe may fulfil the criteria to be designated as a major foundational digital infrastructure service provider.[Act 19 of 2024 wef 31/10/2025]

(2H) Part 3D does not apply to any provider of a foundational digital infrastructure service in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(3) Except as provided in subsection (4), this Act binds the Government.

(4) Nothing in this Act renders the Government liable to prosecution for an offence.

(5) To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government.