§ 7 — Designation of provider-owned critical information infrastructure

7.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a provider-owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —(a)

the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and

(b)

the computer or computer system is located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(1A) The Commissioner may, by written notice to the owner of a computer or computer system that is located wholly outside Singapore, designate the computer or computer system as a provider‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —(a)

the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and

(b)

the computer or computer system would have been designated as a provider‑owned critical information infrastructure under subsection (1) had it been located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2) A notice issued under subsection (1) or (1A) must —(a)

identify the computer or computer system that is being designated as a provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(b)

identify the owner of the computer or computer system so designated as a provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;

(d)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the provider-owned critical information infrastructure in relation to its cybersecurity;[Act 19 of 2024 wef 31/10/2025]

(e)

inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(f)

inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.[Act 19 of 2024 wef 31/10/2025]

(3) Any designation under subsection (1) or (1A) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.[Act 19 of 2024 wef 31/10/2025]

(4) The person who receives a notice under subsection (1) or (1A) may request the Commissioner to proceed under subsection (5) upon showing proof that —(a)

the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and

(b)

another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.[Act 19 of 2024 wef 31/10/2025]

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1) or (1A), and address and send that amended notice to the person mentioned in subsection (4)(b).[Act 19 of 2024 wef 31/10/2025]

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a provider-owned critical information infrastructure is a reference to the person mentioned in subsection (4)(b).[Act 19 of 2024 wef 31/10/2025]

(7) Where —(a)

a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and

(b)

the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,

the owner of the provider-owned critical information infrastructure must notify the Commissioner of this without delay.

[Act 19 of 2024 wef 31/10/2025]

(8) Where a provider-owned critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the provider-owned critical information infrastructure is treated as the owner of the provider-owned critical information infrastructure for the purposes of this Act.[Act 19 of 2024 wef 31/10/2025]

(9) A notice issued under this section need not be published in the Gazette.[Act 19 of 2024 wef 31/10/2025]

—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a provider-owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —(a)

the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and

(b)

the computer or computer system is located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(1A) The Commissioner may, by written notice to the owner of a computer or computer system that is located wholly outside Singapore, designate the computer or computer system as a provider‑owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —(a)

the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and

(b)

the computer or computer system would have been designated as a provider‑owned critical information infrastructure under subsection (1) had it been located wholly or partly in Singapore.[Act 19 of 2024 wef 31/10/2025]

(2) A notice issued under subsection (1) or (1A) must —(a)

identify the computer or computer system that is being designated as a provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(b)

identify the owner of the computer or computer system so designated as a provider-owned critical information infrastructure;[Act 19 of 2024 wef 31/10/2025]

(c)

inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;

(d)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the provider-owned critical information infrastructure in relation to its cybersecurity;[Act 19 of 2024 wef 31/10/2025]

(e)

inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(f)

inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.[Act 19 of 2024 wef 31/10/2025]

(3) Any designation under subsection (1) or (1A) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.[Act 19 of 2024 wef 31/10/2025]

(4) The person who receives a notice under subsection (1) or (1A) may request the Commissioner to proceed under subsection (5) upon showing proof that —(a)

the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and

(b)

another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.[Act 19 of 2024 wef 31/10/2025]

(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1) or (1A), and address and send that amended notice to the person mentioned in subsection (4)(b).[Act 19 of 2024 wef 31/10/2025]

(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a provider-owned critical information infrastructure is a reference to the person mentioned in subsection (4)(b).[Act 19 of 2024 wef 31/10/2025]

(7) Where —(a)

a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and

(b)

the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,

the owner of the provider-owned critical information infrastructure must notify the Commissioner of this without delay.

[Act 19 of 2024 wef 31/10/2025]

(8) Where a provider-owned critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the provider-owned critical information infrastructure is treated as the owner of the provider-owned critical information infrastructure for the purposes of this Act.[Act 19 of 2024 wef 31/10/2025]

(9) A notice issued under this section need not be published in the Gazette.[Act 19 of 2024 wef 31/10/2025]