
Cybersecurity Act 2018 — PART 3: PROVIDER-OWNED CRITICAL INFORMATION INFRASTRUCTURE


Part of a comprehensive analysis of the Cybersecurity Act 2018


Designation and Regulation of Provider-Owned Critical Information Infrastructure under the Cybersecurity Act 2018

The Cybersecurity Act 2018 establishes a comprehensive legal framework to safeguard Singapore's critical information infrastructure (CII). Part 3 of the Act specifically addresses the designation, regulation, and oversight of provider-owned critical information infrastructure. This analysis explores the key provisions, their purposes, definitions, penalties for non-compliance, and relevant cross-references within the Act.

Designation of Provider-Owned Critical Information Infrastructure

Section 7(1) empowers the Commissioner to designate a computer or computer system as a provider-owned critical information infrastructure if it meets specific criteria. The designation is essential to ensure the continuous delivery of essential services and to protect these services from debilitating cybersecurity threats.

"The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a provider-owned critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that— (a) the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and (b) the computer or computer system is located wholly or partly in Singapore." — Section 7(1), Cybersecurity Act 2018


This provision exists to identify and protect systems that are vital to Singapore’s national interests and public welfare. By focusing on systems whose compromise would have a debilitating effect on essential services, the Act prioritizes resources and regulatory attention to the most critical infrastructures.

Information Gathering and Verification Powers

To determine whether a computer or system qualifies for designation, the Commissioner is vested with powers to obtain relevant information from persons exercising control over the system. Section 8(2) mandates compliance with such information requests, facilitating informed decision-making.

"The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be exercising control over the computer or computer system, to provide to the Commissioner... such relevant information... for the purpose of ascertaining whether the computer or computer system fulfils the criteria to be designated as a provider-owned critical information infrastructure." — Section 8(2), Cybersecurity Act 2018


This provision ensures that the Commissioner has access to necessary data to accurately assess the criticality of infrastructure. Without such powers, the Commissioner’s ability to protect essential services would be severely limited.

Withdrawal and Extension of Designation

The Act provides mechanisms for the dynamic management of designations. Section 9 allows the Commissioner to withdraw designation if the system no longer meets the criteria, while Section 9A permits extension of designation before expiry if the system continues to fulfill the criteria.

"The Commissioner may, by written notice, withdraw the designation of any provider-owned critical information infrastructure at any time if the Commissioner is of the opinion that the computer or computer system no longer fulfils the criteria to be designated as a provider-owned critical information infrastructure." — Section 9, Cybersecurity Act 2018


"At any time before the expiry of the designation... the Commissioner may, by written notice, extend the designation... if the Commissioner is of the opinion that the computer or computer system continues to fulfil the criteria..." — Section 9A(1), Cybersecurity Act 2018


These provisions exist to maintain regulatory relevance and flexibility, ensuring that only systems currently critical to essential services remain designated, while allowing continued protection where necessary.

Obligations to Furnish Information on Infrastructure

Section 10(1) requires owners of designated provider-owned critical information infrastructure to furnish detailed information about the design, configuration, security, and operation of their systems. This obligation enables the Commissioner to assess cybersecurity risks and the adequacy of protective measures.

"The Commissioner may by notice... require the owner... to furnish... information on the design, configuration and security... and any other information... to ascertain the level of cybersecurity..." — Section 10(1), Cybersecurity Act 2018


This provision exists to facilitate ongoing oversight and risk management by the Commissioner. It ensures transparency and accountability from owners, enabling proactive cybersecurity governance.

Written Directions to Ensure Cybersecurity

Section 12(1) empowers the Commissioner to issue written directions to owners of designated infrastructure to ensure cybersecurity or for effective administration of the Act. This power is critical for enforcing compliance and mitigating cybersecurity risks.

"The Commissioner may... issue a written direction... to the owner... if the Commissioner thinks it is necessary or expedient for ensuring the cybersecurity... or for the effective administration of this Act." — Section 12(1), Cybersecurity Act 2018


The rationale for this provision is to provide the Commissioner with a direct enforcement tool to compel owners to implement necessary cybersecurity measures or administrative actions, thereby safeguarding essential services.

Mandatory Reporting of Cybersecurity Incidents

Section 14(1) imposes a duty on owners to notify the Commissioner of any prescribed cybersecurity incidents within a prescribed period after becoming aware of such incidents. This requirement is fundamental for timely response and mitigation.

"The owner... must notify the Commissioner of the occurrence of any... prescribed cybersecurity incident... within the prescribed period after becoming aware of such occurrence." — Section 14(1), Cybersecurity Act 2018


This provision exists to ensure that the Commissioner is promptly informed of cybersecurity threats or breaches, enabling coordinated response efforts to minimize damage and restore services.

Mandatory Cybersecurity Audits and Risk Assessments

Section 15 requires owners to have cybersecurity audits carried out, to conduct cybersecurity risk assessments, and to furnish the resulting reports to the Commissioner. These activities are essential for identifying vulnerabilities and ensuring continuous improvement in cybersecurity posture.

"The owner... must... cause an audit... to be carried out... and conduct a cybersecurity risk assessment... and furnish a copy of the report... to the Commissioner." — Section 15(1)(a),(b) and (2), Cybersecurity Act 2018


This provision exists to institutionalize regular evaluation of cybersecurity measures, thereby promoting resilience and compliance with best practices.

Cybersecurity Exercises to Test Readiness

Section 16 authorizes the Commissioner to conduct cybersecurity exercises to test the readiness of owners and requires owners to participate if directed. This ensures preparedness for real-world cybersecurity incidents.

"The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners... An owner... must participate... if directed in writing to do so by the Commissioner." — Section 16(1),(2), Cybersecurity Act 2018


This provision exists to simulate cybersecurity threats and evaluate the effectiveness of response plans, thereby strengthening overall cybersecurity resilience.

Definitions Relevant to Provider-Owned Critical Information Infrastructure

While Part 3 does not explicitly define all terms, it clarifies the treatment of government-owned infrastructure. Section 7(8) states that when a provider-owned critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary responsible for the infrastructure is treated as the owner for the purposes of the Act.

"Where a provider-owned critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the provider-owned critical information infrastructure is treated as the owner of the provider-owned critical information infrastructure for the purposes of this Act." — Section 7(8), Cybersecurity Act 2018


This provision exists to ensure clear accountability and responsibility within government entities, facilitating effective implementation of the Act’s requirements.

Penalties for Non-Compliance

The Act imposes stringent penalties to enforce compliance with its provisions. Failure to comply with information requests, notices, or directions can result in substantial fines and imprisonment. The penalties reflect the critical importance of cybersecurity in protecting essential services.

"Any person who, without reasonable excuse, fails to comply with a notice issued under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction." — Section 8(4), Cybersecurity Act 2018


"Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction." — Section 10(2), Cybersecurity Act 2018


"Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000." — Section 16(3), Cybersecurity Act 2018


"Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both." — Section 10(7), Cybersecurity Act 2018


"Any owner of a provider-owned critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction." — Section 15(8), Cybersecurity Act 2018


These penalties exist to deter non-compliance and underscore the seriousness of maintaining cybersecurity standards for critical infrastructure.

Cross-References to Other Laws and Protections

The Act recognizes that certain information may be protected by other laws, contracts, or professional conduct rules. Sections 8(5) and 10(3) provide that persons are not obliged to disclose information subject to such protections, balancing cybersecurity oversight with legal and professional confidentiality obligations.

"Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information." — Section 8(5), Cybersecurity Act 2018


"The owner of a provider-owned critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information..." — Section 10(3), Cybersecurity Act 2018


These provisions exist to respect existing legal frameworks and professional ethics, ensuring that cybersecurity regulation does not override fundamental rights or contractual obligations.

Conclusion

Part 3 of the Cybersecurity Act 2018 establishes a robust regulatory regime for provider-owned critical information infrastructure in Singapore. Through designation, information gathering, mandatory reporting, audits, and cybersecurity exercises, the Act ensures that essential services are protected against cybersecurity threats. The imposition of significant penalties reinforces compliance, while provisions safeguarding privileged information maintain legal balance. Together, these measures fortify Singapore’s cybersecurity resilience and safeguard national interests.

Sections Covered in This Analysis

  • Section 7(1), (8)
  • Section 8(2), (4), (5)
  • Section 9
  • Section 9A(1)
  • Section 10(1), (2), (3), (7)
  • Section 12(1)
  • Section 13(2)
  • Section 14(1), (3)
  • Section 15(1)(a), (b), (2), (7)(a), (b), (c), (8)
  • Section 16(1), (2), (3)

Source Documents

For the authoritative text, consult SSO.

Written by Sushant Shukla
