Singapore: Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations entered into force

On 31 October 2025, the Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations 2025 entered into force. The Amendment revises definitions to cover owner-controlled interconnected and non-interconnected systems, supplier-controlled interconnected systems, and “relevant computer or computer system.” It also introduces rules specific to virtualisation locations. Incident-reporting duties are updated. Initial details must be provided “to the fullest extent practicable.” Supplementary details are required within 72 hours. A final incident report must be submitted within 30 days. The Amendment also introduces quarterly consolidated reporting for non-disruptive incidents. Escalated reporting applies within two hours, 72 hours, or 30 days when incidents affect the public, involve zero-day exploits, specified indicators of compromise, or suspected advanced persistent threats. Prescribed incident types include unauthorised access or control, malicious code, interception of communications, and denial-of-service attacks. The Regulations define “advanced persistent threat,” “indicator of compromise,” and “zero-day vulnerability,” referencing external vulnerability lists.