Part of a comprehensive analysis of the Cybersecurity Act 2018
Application of Part 3D to Major Foundational Digital Infrastructure Service Providers
Part 3D of the Cybersecurity Act 2018 (hereinafter “the Act”) establishes a regulatory framework specifically targeting major foundational digital infrastructure service providers. This Part applies to entities that provide foundational digital infrastructure services either from within Singapore or to persons in Singapore, regardless of the provider’s physical location. The purpose of this provision is to ensure that critical digital infrastructure, which underpins essential services and economic activities, is subject to stringent cybersecurity oversight to mitigate risks of disruption or compromise.
"Part 3D (except section 18H) applies to any major foundational digital infrastructure service provider that — (i) provides the foundational digital infrastructure service, whether from within or outside Singapore, to persons in Singapore within the meaning of section 18G; or (ii) provides the foundational digital infrastructure service wholly or partially from Singapore within the meaning of section 18G; and (b) section 18H applies to any person who appears to be a provider of a foundational digital infrastructure service, whom the Commissioner has reason to believe may fulfil the criteria to be designated as a major foundational digital infrastructure service provider." — Section 18G, Cybersecurity Act 2018
This provision exists to capture a broad scope of providers, including those operating cross-border, reflecting the global nature of digital infrastructure and the necessity to safeguard Singapore’s cybersecurity interests regardless of where the service originates. By doing so, the Act ensures that foundational digital infrastructure providers cannot evade regulatory oversight by operating outside Singapore’s physical borders.
Exclusion of Critical Information Infrastructures from Part 3D
Notably, Part 3D expressly excludes providers of foundational digital infrastructure services that relate to critical information infrastructures (CIIs), whether provider-owned or third-party owned. This exclusion recognizes that CIIs are already subject to a distinct and comprehensive regulatory regime under other parts of the Act or related legislation.
"(2H) Part 3D does not apply to any provider of a foundational digital infrastructure service in relation to any computer or computer system which is a provider‑owned critical information infrastructure or a third‑party‑owned critical information infrastructure." — Section 18G, Cybersecurity Act 2018
The rationale behind this exclusion is to avoid regulatory overlap and confusion, ensuring that CIIs, which are vital to national security and public safety, are governed under tailored provisions that address their unique risk profiles and operational contexts.
Binding Effect of the Act on the Government and Public Officers
The Act explicitly binds the Government, affirming that its provisions apply to government operations and personnel. However, it simultaneously clarifies that the Government itself is not liable to prosecution for offences under the Act. Additionally, no individual is immune from prosecution by virtue of being a public officer or engaged in service to the Government.
"(3) Except as provided in subsection (4), this Act binds the Government. (4) Nothing in this Act renders the Government liable to prosecution for an offence. (5) To avoid doubt, no person is immune from prosecution for any offence under this Act by reason that the person is a public officer or is engaged to provide services to the Government." — Section 18G, Cybersecurity Act 2018
This provision exists to maintain accountability and uphold the rule of law within the public sector. While the Government as an entity is shielded from prosecution to preserve sovereign functions, individuals acting in official capacities remain subject to the law, thereby deterring misconduct and promoting responsible cybersecurity practices within government operations.
Definitions and Criteria for Designation of Major Foundational Digital Infrastructure Service Providers
While the excerpt does not provide the full definitions, it references section 18G for the meaning of “foundational digital infrastructure service” and “major foundational digital infrastructure service provider.” Section 18H pertains to the criteria and process for designation of such providers by the Commissioner.
"provides the foundational digital infrastructure service, whether from within or outside Singapore, to persons in Singapore within the meaning of section 18G; ... provides the foundational digital infrastructure service wholly or partially from Singapore within the meaning of section 18G; ... section 18H applies to any person who appears to be a provider of a foundational digital infrastructure service, whom the Commissioner has reason to believe may fulfil the criteria to be designated as a major foundational digital infrastructure service provider." — Sections 18G and 18H, Cybersecurity Act 2018
The purpose of these definitions and designation criteria is to identify and regulate entities whose services are fundamental to Singapore’s digital ecosystem and whose compromise could have significant adverse effects on national security, economic stability, or public welfare. The Commissioner’s power to designate providers ensures a dynamic and responsive regulatory approach that can adapt to emerging threats and technological developments.
Absence of Explicit Penalties in Part 3D Excerpt
The provided excerpt does not specify penalties for non-compliance with Part 3D obligations. However, the Cybersecurity Act 2018 contains general provisions on offences and penalties applicable to contraventions of its provisions.
The omission in this excerpt likely reflects the structural organisation of the Act, where penalties are consolidated in separate sections to maintain clarity and coherence. The existence of penalties is essential to enforce compliance and deter breaches that could jeopardise the security and resilience of foundational digital infrastructure.
Cross-References Within the Cybersecurity Act
The excerpt references sections 18G and 18H within the same Act, indicating an interconnected regulatory framework. Section 18G defines key terms, while section 18H outlines the designation process for major providers.
"within the meaning of section 18G; ... section 18H applies to any person ..." — Part 3D, Cybersecurity Act 2018
These cross-references ensure that the provisions operate cohesively, providing clear guidance on the scope and application of Part 3D. They facilitate a structured approach to identifying and regulating major foundational digital infrastructure service providers.
Conclusion
Part 3D of the Cybersecurity Act 2018 plays a critical role in safeguarding Singapore’s foundational digital infrastructure by imposing regulatory obligations on major service providers. Its application to providers both within and outside Singapore reflects the globalised nature of digital services. The exclusion of critical information infrastructures from this Part ensures regulatory clarity and focus. Binding the Government while maintaining individual accountability promotes a culture of cybersecurity responsibility across public and private sectors. Although penalties are not detailed in the excerpt, the Act’s comprehensive framework supports enforcement and compliance. Cross-references within the Act provide a cohesive regulatory structure that enables effective oversight of foundational digital infrastructure service providers.
Sections Covered in This Analysis
- Section 18G, Cybersecurity Act 2018
- Section 18H, Cybersecurity Act 2018
- Part 3D, Cybersecurity Act 2018 (excluding section 18H)
Source Documents
For the authoritative text, consult SSO.