Singapore: Cybersecurity (Amendment) Act provisions expanding regulatory oversight to third-party-owned infrastructure, temporary cybersecurity concern systems and entities of special cybersecurity interest entered into force

On 31 October 2025, sections 2 to 15, 18, 19, 22, 23(b), 24, 25, 28(a) to (g), 29, 31 and 32(1) to (4), (6) and (7) of the Cybersecurity (Amendment) Act 2024 entered into operation pursuant to the Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025. These amendments expand the scope of the Cybersecurity Act 2018 by extending jurisdiction to computers and computer systems located wholly outside Singapore where necessary for the continuous delivery of essential services, and update statutory definitions to include digital services, foundational digital infrastructure services, major foundational digital infrastructure service providers, virtual computers and virtual computer systems. The amendments confirm the Commissioner’s functions through the Cyber Security Agency of Singapore and enable the appointment of sector Assistant Commissioners. Parts 3A, 3B and 3C introduce regulation of designated providers responsible for third-party-owned critical information infrastructure, systems of temporary cybersecurity concern and entities of special cybersecurity interest, establishing duties relating to prescribed technical standards, cybersecurity risk assessments at least annually, audits at least every 2 years, prescribed-period incident reporting, and notifications within 7, 14 or 30 days for ownership changes, representations and material changes. Designations apply for 5 years under Parts 3A and 3C and up to 1 year under Part 3B, with authority for the Commissioner to issue directions and conduct cybersecurity exercises.