§ 48 — Regulations

48.—(1) The Minister may make regulations for carrying out the purposes and provisions of this Act.(2) Without limiting subsection (1), the Minister may make regulations for or with respect to all or any of the following matters:(a)

the procedure for the designation of a provider-owned critical information infrastructure, designated provider responsible for third-party-owned critical information infrastructure, system of temporary cybersecurity concern, entity of special cybersecurity interest or major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(b)

the technical or other standards relating to cybersecurity to be maintained in respect of a provider-owned critical information infrastructure, third-party-owned critical information infrastructure, system of temporary cybersecurity concern, system of special cybersecurity interest or major foundational digital infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

the responsibilities and duties of the owner of a provider-owned critical information infrastructure or system of temporary cybersecurity concern, designated provider responsible for third-party-owned critical information infrastructure, entity of special cybersecurity interest or major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(d)

the type of changes that are considered material changes to the design, configuration, security or operations of a provider-owned critical information infrastructure or a third-party-owned critical information infrastructure to be reported by the owner of the provider-owned critical information infrastructure or the designated provider responsible for third-party-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(e)

the type of cybersecurity incidents relating to —(i)

a provider-owned critical information infrastructure that are required to be reported by the owner of the provider-owned critical information infrastructure;

(ii)

a third-party-owned critical information infrastructure that are required to be reported by the designated provider responsible for third-party-owned critical information infrastructure;

(iii)

a system of temporary cybersecurity concern that are required to be reported by the owner of the system of temporary cybersecurity concern;

(iv)

a system of special cybersecurity interest that are required to be reported by the entity of special cybersecurity interest; or

(v)

a major foundational digital infrastructure that are required to be reported by the major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(f)

the requirements for, and the manner for the carrying out of, cybersecurity audits and cybersecurity risk assessments required to be conducted by the owner of a provider-owned critical information infrastructure or the owner of a third-party-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(g)

the form and nature of cybersecurity exercises that may be conducted;

(h)

the class or classes of licence to be issued, and the requirements for the grant or renewal of the licence;

(i)

the conduct of licensees in carrying on their business;

(ia)

the use of any accreditation, certification or inspection mark of the Cyber Security Agency of Singapore;[Act 19 of 2024 wef 31/10/2025]

(j)

the fees to be paid in respect of any matter or thing required for the purposes of this Act, including the refund and remission (in whole or part) of such fees;

(k)

all matters and things which by this Act are required or permitted to be prescribed or which are necessary or expedient to be prescribed to give effect to this Act.

(3) Except as otherwise expressly provided in this Act, the regulations —(a)

may be of general or specific application;

(b)

may provide that any contravention of any specified provision of the regulations shall be an offence; and

(c)

may provide for penalties not exceeding a fine of $50,000 or imprisonment for a term not exceeding 12 months or both for each offence and, in the case of a continuing offence, a further penalty not exceeding a fine of 10% of the maximum fine prescribed for that offence for every day or part of a day during which the offence continues after conviction.

—(1) The Minister may make regulations for carrying out the purposes and provisions of this Act.

(2) Without limiting subsection (1), the Minister may make regulations for or with respect to all or any of the following matters:(a)

the procedure for the designation of a provider-owned critical information infrastructure, designated provider responsible for third-party-owned critical information infrastructure, system of temporary cybersecurity concern, entity of special cybersecurity interest or major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(b)

the technical or other standards relating to cybersecurity to be maintained in respect of a provider-owned critical information infrastructure, third-party-owned critical information infrastructure, system of temporary cybersecurity concern, system of special cybersecurity interest or major foundational digital infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

the responsibilities and duties of the owner of a provider-owned critical information infrastructure or system of temporary cybersecurity concern, designated provider responsible for third-party-owned critical information infrastructure, entity of special cybersecurity interest or major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(d)

the type of changes that are considered material changes to the design, configuration, security or operations of a provider-owned critical information infrastructure or a third-party-owned critical information infrastructure to be reported by the owner of the provider-owned critical information infrastructure or the designated provider responsible for third-party-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(e)

the type of cybersecurity incidents relating to —(i)

a provider-owned critical information infrastructure that are required to be reported by the owner of the provider-owned critical information infrastructure;

(ii)

a third-party-owned critical information infrastructure that are required to be reported by the designated provider responsible for third-party-owned critical information infrastructure;

(iii)

a system of temporary cybersecurity concern that are required to be reported by the owner of the system of temporary cybersecurity concern;

(iv)

a system of special cybersecurity interest that are required to be reported by the entity of special cybersecurity interest; or

(v)

a major foundational digital infrastructure that are required to be reported by the major foundational digital infrastructure service provider;[Act 19 of 2024 wef 31/10/2025]

(f)

the requirements for, and the manner for the carrying out of, cybersecurity audits and cybersecurity risk assessments required to be conducted by the owner of a provider-owned critical information infrastructure or the owner of a third-party-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(g)

the form and nature of cybersecurity exercises that may be conducted;

(h)

the class or classes of licence to be issued, and the requirements for the grant or renewal of the licence;

(i)

the conduct of licensees in carrying on their business;

(ia)

the use of any accreditation, certification or inspection mark of the Cyber Security Agency of Singapore;[Act 19 of 2024 wef 31/10/2025]

(j)

the fees to be paid in respect of any matter or thing required for the purposes of this Act, including the refund and remission (in whole or part) of such fees;

(k)

all matters and things which by this Act are required or permitted to be prescribed or which are necessary or expedient to be prescribed to give effect to this Act.

(3) Except as otherwise expressly provided in this Act, the regulations —(a)

may be of general or specific application;

(b)

may provide that any contravention of any specified provision of the regulations shall be an offence; and

(c)

may provide for penalties not exceeding a fine of $50,000 or imprisonment for a term not exceeding 12 months or both for each offence and, in the case of a continuing offence, a further penalty not exceeding a fine of 10% of the maximum fine prescribed for that offence for every day or part of a day during which the offence continues after conviction.