Singapore: Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations were adopted

On 15 October 2025, the Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations 2025 were made under Sections 17(10) and 48 of the Cybersecurity Act 2018 and published in the Government Gazette. The Amendment revises definitions to cover owner-controlled interconnected and non-interconnected systems, supplier-controlled interconnected systems, and “relevant computer or computer system.” It also introduces rules specific to virtualisation locations. Incident-reporting duties are updated. Initial details must be provided “to the fullest extent practicable.” Supplementary details are required within 72 hours. A final incident report must be submitted within 30 days. The Amendment also introduces quarterly consolidated reporting for non-disruptive incidents. Escalated reporting applies within two hours, 72 hours, or 30 days when incidents affect the public, involve zero-day exploits, specified indicators of compromise, or suspected advanced persistent threats. Prescribed incident types include unauthorised access or control, malicious code, interception of communications, and denial-of-service attacks. The Regulations define “advanced persistent threat,” “indicator of compromise,” and “zero-day vulnerability,” referencing external vulnerability lists.