Singapore: Obligation for owners of critical information infrastructure to obtain Cyber Trust Mark Level 5 certification enters into force

On 31 December 2027, the window for compliance with the Cyber Security Agency (CSA) obligation directing Critical Information Infrastructure Owners (CIIOs) to have obtained the Cyber Trust Mark (CTM) Level 5 certification for non-CII systems ends. This mandate, announced during the Ministry of Digital Development and Information (MDDI) Committee of Supply Debates in 2026 (2 March 2026), aims to establish a consistent national baseline for cybersecurity standards across organisations managing sensitive data or critical systems. The CTM serves as a tiered certification framework that validates an organisation's cybersecurity measures according to its specific risk profile. Under these regulations, CIIOs must ensure that the systems under their control that support business services meet the highest tier of the certification, Level 5. The framework incorporates standards for emerging risks, including cloud security, operational technology (OT) security, and Artificial Intelligence (AI) security. This initiative is part of a broader regulatory effort that also imposes deadlines on other entities; for instance, auditors and licensed cybersecurity service providers face earlier compliance dates in 2026. The policy seeks to mitigate risks within the digital supply chain and ensure that all entities with access to critical systems adhere to the same rigorous security protocols to protect against evolving threats.