Singapore's cybersecurity legal framework was significantly updated in 2024, with key provisions taking effect in late 2025. For organisations providing essential services or digital infrastructure in Singapore, understanding these changes is essential. This article presents only verified facts.
The Foundation: The Cybersecurity Act 2018
The Cybersecurity Act 2018 established Singapore's statutory framework for the oversight and maintenance of national cybersecurity. Its key objective was to protect Critical Information Infrastructure (CII) — computer systems directly involved in the provision of essential services such as energy, healthcare, and transport. The Act empowered the Commissioner of Cybersecurity to respond to threats, facilitated information sharing through the Cyber Security Agency of Singapore (CSA), and introduced a light-touch licensing regime for high-risk cybersecurity service providers, such as penetration testers.
The 2024 Amendment
The Cybersecurity (Amendment) Act 2024 was passed by Singapore's Parliament on 7 May 2024 — the first update to the Cybersecurity Act since it came into force in 2018. It is recorded as Act No. 19 of 2024.
On 15 October 2025, a commencement notification was published specifying that various provisions would take effect on 31 October 2025. These provisions are now in force.
What Changed as of 31 October 2025
The amendments expand the CSA's regulatory oversight to reflect cloud computing, third-party operations, and cross-border dependencies. Key changes now in force include:
**Third-party-owned CII (3PO CII)** — A new Part 3A regulates providers of essential services who do not own the CII used to deliver those services. Previously, the Act assumed essential service providers owned their CII; the amendment addresses CII managed by third-party vendors.
**Systems of Temporary Cybersecurity Concern (STCC)** — The CSA can now designate, for a limited period, computer systems that are critical to Singapore and at high risk of cyberattack — for example, systems tied to short-term high-risk events such as elections or pandemic-response operations.
**Expanded incident reporting** — CII owners must report a wider range of cybersecurity incidents, including those affecting their supply chains.
What Is Still Pending
Some provisions of the Amendment Act remain pending and will commence by future notification. These include two new categories: Foundational Digital Infrastructure (FDI) and Entities of Special Cybersecurity Interest (ESCIs) — designated entities that store sensitive information or perform functions whose disruption would significantly harm Singapore. Notably, the list of ESCIs will not be publicly disclosed, to avoid advertising them as targets.
How Simuna Infosec Helps
The expanded framework places greater emphasis on CII owners and essential service providers demonstrating that their systems — including those operated by third parties — are secure and resilient. Our human-led security testing helps organisations understand their real exposure across their own and third-party-supported systems, providing the assurance that Singapore's strengthened framework increasingly expects.
*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified legal counsel for compliance decisions.*