Singapore: Cyber Security Authority (CSA) updated licensing framework for cybersecurity service providers enters into force

On 13 March 2026, the updated Licensing Framework for Cybersecurity Service Providers issued by the Cyber Security Agency of Singapore (CSA) entered into force, following the publication of the closing note to the public consultation on 13 February 2026. The framework introduces mandatory Cyber Trust Mark (CTM) certification for licensed cybersecurity service providers, extends licence validity from two years to five years, and simplifies notification obligations. The framework recognises ISO/IEC 27001 as an equivalent certification to CTM. CSA also decided not to mandate Data Protection Trustmark certification as initially proposed. The certification requirement applies to all licensees, including resellers. Existing licensees transition to the 5 year licence validity upon licence renewal.