§ 35A — Codes of practice and standards of performance

35A.—(1) The Commissioner may, from time to time —(a)

issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated:(i)

owners of provider-owned critical information infrastructure — the provider-owned critical information infrastructure;

(ii)

designated providers responsible for third‑party‑owned critical information infrastructure — the third-party-owned critical information infrastructure for which they are responsible;

(iii)

owners of systems of temporary cybersecurity concern — the systems of temporary cybersecurity concern;

(iv)

entities of special cybersecurity interest — the systems of special cybersecurity interest in relation to which they are designated;

(v)

major foundational digital infrastructure service providers — the major foundational digital infrastructure in relation to which they are designated; and

(b)

amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).

(2) If any provision in any code of practice or standard of performance is inconsistent with this Act, the provision, to the extent of the inconsistency, does not have effect.

(3) Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must —(a)

publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;

(b)

specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and

(c)

ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to a person to whom that code or standard applies.

(4) None of the following has any effect until the notice relating to it is published in accordance with subsection (3):(a)

a code of practice or standard of performance;

(b)

an amendment to a code of practice or standard of performance;

(c)

a revocation of a code of practice or standard of performance.

(5) Any code of practice or standard of performance has no legislative effect.

(6) Subject to subsections (4) and (7), every person mentioned in subsection (1) must comply with the codes of practice and standards of performance that apply to the person.

(7) The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to a person of any code of practice or standard of performance, or any part of it.[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may, from time to time —(a)

issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated:(i)

owners of provider-owned critical information infrastructure — the provider-owned critical information infrastructure;

(ii)

designated providers responsible for third‑party‑owned critical information infrastructure — the third-party-owned critical information infrastructure for which they are responsible;

(iii)

owners of systems of temporary cybersecurity concern — the systems of temporary cybersecurity concern;

(iv)

entities of special cybersecurity interest — the systems of special cybersecurity interest in relation to which they are designated;

(v)

major foundational digital infrastructure service providers — the major foundational digital infrastructure in relation to which they are designated; and

(b)

amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).

(2) If any provision in any code of practice or standard of performance is inconsistent with this Act, the provision, to the extent of the inconsistency, does not have effect.

(3) Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must —(a)

publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;

(b)

specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and

(c)

ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to a person to whom that code or standard applies.

(4) None of the following has any effect until the notice relating to it is published in accordance with subsection (3):(a)

a code of practice or standard of performance;

(b)

an amendment to a code of practice or standard of performance;

(c)

a revocation of a code of practice or standard of performance.

(5) Any code of practice or standard of performance has no legislative effect.

(6) Subject to subsections (4) and (7), every person mentioned in subsection (1) must comply with the codes of practice and standards of performance that apply to the person.

(7) The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to a person of any code of practice or standard of performance, or any part of it.[Act 19 of 2024 wef 31/10/2025]