§ 8 — Power to obtain information to ascertain if criteria for provider‑owned critical information infrastructure fulfilled

8.—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(3) Without limiting subsection (2), the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —(a)

information relating to —(i)

the function that the computer or computer system is employed to serve; and

(ii)

the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;

(b)

information relating to the design of the computer or computer system; and

(c)

any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.[Act 19 of 2024 wef 31/10/2025]

—(1) This section applies where the Commissioner has reason to believe that a computer or computer system may fulfil the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(2) The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that computer or computer system as may be required by the Commissioner for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(3) Without limiting subsection (2), the Commissioner may in the notice require the person who appears to be exercising control over the computer or computer system to provide —(a)

information relating to —(i)

the function that the computer or computer system is employed to serve; and

(ii)

the person or persons who is or are, or other computer or computer systems that is or are, served by that computer or computer system;

(b)

information relating to the design of the computer or computer system; and

(c)

any other information that the Commissioner may require in order to ascertain whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure.[Act 19 of 2024 wef 31/10/2025]

(4) Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5) Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.[Act 19 of 2024 wef 31/10/2025]