On 21 October 2025, the Cyber Security Agency of Singapore (CSA) closes public consultation on proposed updates to the Licensing Framework for Cybersecurity Service Providers. The proposal would apply to companies providing licensable cybersecurity services, such as managed security operations centre monitoring, penetration testing and cybersecurity monitoring services. It would introduce mandatory Cyber Trust Mark (CTM) certification and extend licence validity to 5 years, while also simplifying notification obligations. While respondents expressed support for the proposed changes, they also raised concerns regarding the recognition of equivalent certifications, the applicability of certification requirements to certain service types and the compliance burden for smaller providers. In response, the CSA clarified that, at present, ISO/IEC 27001 remains the only recognised equivalent certification to the CTM, but that additional certifications may be reviewed in the future. The CSA also decided not to mandate Data Protection Trustmark certification, as had initially been proposed. The CSA stated that the certification requirements would apply to all licensees, including resellers, and indicated that alternative compliance approaches for smaller providers might be considered. The CSA will review consultation feedback before finalising the revised licensing conditions.