Statute Details
- Title: Computer Misuse Act 1993 (CMA1993)
- Full Title: An Act to make provision for securing computer material against unauthorised access or modification, for preventing abuse of the national digital identity service, and for matters related thereto.
- Act Type: Act of Parliament
- Status: Current version as at 26 Mar 2026 (per provided extract)
- Revisions: 2020 Revised Edition; further amendments including Act 16 of 2023 (effective 08 Feb 2024) and Act 21 of 2025 (effective 30 Dec 2025)
- Structure (as provided): Part 1 (Preliminary), Part 2 (Offences), Part 3 (Miscellaneous and General)
- Core Offence Provisions: ss 3–12
- Key Procedural/General Provisions: ss 13–20
- Schedules: First Schedule (national digital identity service definitions), Second Schedule (scam offences)
What Is This Legislation About?
The Computer Misuse Act 1993 (“CMA”) is Singapore’s principal statute criminalising harmful or unauthorised conduct involving computers and computer services. In plain terms, it targets behaviours such as hacking (unauthorised access), tampering (unauthorised modification), and interference with services (obstruction). It also addresses unauthorised interception and disclosure of access credentials, reflecting the reality that many cyber offences succeed through stolen passwords, access codes, or other credentials.
Beyond general computer misuse, the CMA has a specific policy focus on protecting Singapore’s “national digital identity service”. The Act creates additional offences relating to the disclosure of passwords/access codes and the supply of another person’s credentials in connection with that national digital identity service. This is designed to reduce identity fraud and account takeovers that often rely on compromising identity credentials.
Finally, the CMA includes offence definitions and concepts that are drafted broadly enough to cover modern computing environments. For example, the definition of “computer” is technology-neutral and includes electronic, magnetic, optical, electrochemical, and other data processing devices, as well as interconnected devices and associated storage/communications facilities. This breadth helps ensure that the law remains applicable as technology evolves.
What Are the Key Provisions?
1. Foundational definitions and the meaning of “unauthorised access”. Part 1 sets the interpretive groundwork. Section 2 defines key terms such as “computer”, “data”, “program”, “computer service”, “intercept”, and “damage”. It also defines “national digital identity service” by reference to the First Schedule, and “scam offence” by reference to the Second Schedule. These definitions matter because they determine the scope of criminal liability.
Section 2 also clarifies when access is “unauthorised”. In substance, access is unauthorised if the person is not entitled to control access of the kind in question and does not have consent to access from the person who is entitled. This consent-based approach is important for practitioners: it means that “authorisation” is not merely about whether a person believed they had permission; it depends on entitlement and consent from the proper controlling party.
2. Core offences in Part 2 (ss 3–7). The CMA’s offence architecture begins with general cyber misuse offences. While the extract provided lists the headings, the practitioner will recognise the typical structure: (i) unauthorised access to computer material (s 3); (ii) unauthorised access with intent to commit or facilitate another offence (s 4); (iii) unauthorised modification of computer material (s 5); (iv) unauthorised use or interception of a computer service (s 6); and (v) unauthorised obstruction of use of a computer (s 7).
These provisions collectively cover the main categories of conduct seen in investigations: gaining entry to systems, using or intercepting services, altering data or programs, and disrupting availability. For example, “obstruction” offences are particularly relevant to denial-of-service style conduct or other interference that prevents legitimate use. Section 2’s definition of “damage” (including impairment to integrity or availability of data/programs/systems, and threats to public health or public safety) indicates that the law is not limited to financial loss; it can extend to harms with broader societal consequences.
3. Credential-related offences (ss 8–10). The CMA also criminalises disclosure and handling of access credentials. Section 8 addresses unauthorised disclosure of an access code. Sections 8A and 8B then expand the credential regime specifically for the national digital identity service: s 8A targets disclosure of password/access code “in relation to” that service, while s 8B targets supplying (or otherwise dealing with) the credential of another person. These provisions are designed to deter identity fraud and reduce the risk of credential-based impersonation.
Section 9 criminalises supplying personal information obtained in contravention of certain provisions—an important link between the initial cyber wrongdoing and subsequent misuse (e.g., selling or distributing stolen personal data). Section 10 addresses obtaining items for use in certain offences, which is aimed at preparatory or enabling conduct (for instance, acquiring tools or materials that facilitate committing specified CMA offences). For counsel, these provisions can be significant because they may allow prosecution even where the “main” harm is not fully realised, provided the statutory elements are met.
4. Aggravated liability and participation (ss 11–12). Section 11 provides for enhanced punishment for offences involving “protected computers”. This reflects a legislative policy that certain systems—because of their criticality or sensitivity—warrant stronger deterrence. Section 12 provides that abetments and attempts are punishable as offences. Practically, this means that liability can attach to those who encourage, assist, or attempt to commit CMA offences, not only the principal actor.
5. Territorial scope and procedural provisions (ss 13–20). Part 3 includes provisions that practitioners often rely on in charging and trial strategy. Section 13 addresses the territorial scope of offences under the Act, which is crucial in cross-border cyber cases where servers, victims, and perpetrators may be located in different jurisdictions. Section 15 deals with jurisdiction of courts, and Section 16 provides for composition of offences (i.e., a mechanism for resolving certain offences without full trial, subject to statutory conditions).
Section 17 allows for an order for payment of compensation, which can be relevant where victims seek restitution. Section 18 contains a saving for investigations by police and law enforcement officers, which helps ensure that lawful investigative activities are not inadvertently captured by offence provisions. Section 19 provides for arrest by police without warrant in specified circumstances, and Section 20 allows for amendment of schedules—important because the Second Schedule (scam offences) may be updated as policy evolves.
How Is This Legislation Structured?
The CMA is organised into three main parts.
Part 1 (Preliminary) contains the short title (s 1) and interpretation provisions (s 2). Section 2 is particularly important because it defines the scope of “computer”, “data”, “program”, “computer service”, “damage”, “intercept”, and the special concepts tied to the national digital identity service and scam offences.
Part 2 (Offences) sets out the substantive criminal offences. It begins with general unauthorised access/modification/interference offences (ss 3–7), then moves to credential and personal information offences (ss 8–10), and concludes with enhanced punishment and participation rules (ss 11–12).
Part 3 (Miscellaneous and General) addresses territorial scope (s 13), charging mechanics (s 14), court jurisdiction (s 15), composition (s 16), compensation (s 17), investigative savings (s 18), arrest powers (s 19), and schedule amendments (s 20). The Act also contains two schedules: the First Schedule (definitions relating to the national digital identity service) and the Second Schedule (scam offences).
Who Does This Legislation Apply To?
The CMA applies to “any person” who engages in the prohibited conduct defined in Part 2, including individuals and potentially corporate actors through their responsible persons, depending on how liability is established under Singapore criminal law principles. The offences are drafted to cover both direct perpetrators and those who participate through abetment or attempt (s 12).
In practice, the Act is particularly relevant to: (i) persons who access or interfere with computer systems without authorisation; (ii) persons who disclose or supply access codes/passwords/credentials; (iii) persons who handle or distribute personal information obtained through cyber offences; and (iv) persons involved in scam-related conduct specified in the Second Schedule. The territorial scope provision (s 13) means that conduct may be prosecuted in Singapore even where elements of the offence occur outside Singapore, provided the statutory territorial test is satisfied.
Why Is This Legislation Important?
The CMA is foundational to Singapore’s cybercrime enforcement framework. Its offence categories map closely to the lifecycle of many cyber incidents: initial intrusion (unauthorised access), escalation (intent to commit/facilitate further offences), manipulation (unauthorised modification), exploitation (unauthorised use/interception), and disruption (unauthorised obstruction). This makes it a central statute for investigators and prosecutors when charging hacking, data tampering, service interference, and credential compromise.
For practitioners, the Act’s drafting choices have practical consequences. First, the definitions in s 2 are broad and technology-neutral, reducing arguments that the law is “outdated” for new forms of computing. Second, the consent/entitlement approach to “unauthorised” access provides a structured way to analyse authorisation. Third, the inclusion of credential-specific offences for the national digital identity service (ss 8A and 8B) reflects a targeted legislative response to identity fraud risks.
Finally, the procedural provisions in Part 3—territorial scope, jurisdiction, composition, compensation, and arrest powers—affect case management and litigation strategy. For example, compensation orders can influence settlement discussions, while composition provisions may provide an alternative resolution pathway in appropriate cases. Enhanced punishment for protected computers (s 11) can materially affect sentencing outcomes.
Related Legislation
- Computer Misuse Act 1993 (CMA1993) — as amended and revised (including the 2020 Revised Edition and subsequent amendments)
- First Schedule to the Computer Misuse Act 1993 — definitions relating to the national digital identity service
- Second Schedule to the Computer Misuse Act 1993 — scam offences
Source Documents
This article provides an overview of the Computer Misuse Act 1993 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.