Singapore: Obligation for auditors of critical information infrastructure to obtain Cyber Trust Mark Level 5 certification enters into force

On 31 December 2026, the window for compliance with the Cyber Security Agency (CSA) obligation directing Critical Information Infrastructure Auditors to have obtained the Cyber Trust Mark (CTM) Level 5 certification ends. This mandate, announced during the Ministry of Digital Development and Information (MDDI) Committee of Supply Debates in 2026 (2 March 2026), aims to establish a consistent national baseline for cybersecurity standards across organisations managing sensitive data or critical systems. The CTM serves as a tiered certification framework that validates an organisation's cybersecurity measures according to its specific risk profile. CII auditors must obtain this mark at the organisation level for systems that support its business operations/services. The policy seeks to mitigate risks within the digital supply chain and ensure that all entities with access to critical systems adhere to the same rigorous security protocols to protect against evolving threats.