Cybersecurity Act 2018 — PART 6: GENERAL

Part of a comprehensive analysis of the Cybersecurity Act 2018

Key Provisions and Their Purpose under the Cybersecurity Act 2018

The Cybersecurity Act 2018 establishes a comprehensive regulatory framework to safeguard Singapore’s critical information infrastructure and ensure robust cybersecurity practices. The key provisions in this Part of the Act empower the Commissioner and the Minister with regulatory, investigative, and enforcement authorities, while also providing mechanisms for compliance, appeals, and protection of sensitive information.

"The Commissioner may, from time to time — (a) issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated... (b) amend or revoke any code of practice or standard of performance issued or approved under paragraph (a)." — Section 35A(1)

This provision empowers the Commissioner to issue, amend, or revoke codes of practice or standards of performance aimed at regulating persons responsible for cybersecurity of specified computer systems. The purpose is to provide flexible, technical guidance that can be updated as cybersecurity threats evolve, without requiring legislative amendments.

"Any code of practice or standard of performance has no legislative effect." — Section 35A(5)

Although codes of practice are mandatory unless waived, they do not carry the force of law. This allows for adaptability and technical specificity while maintaining legal clarity that only statutory provisions impose binding obligations.

"Subject to subsections (4) and (7), every person mentioned in subsection (1) must comply with the codes of practice and standards of performance that apply to the person." — Section 35A(6)

This subsection mandates compliance with the codes, ensuring that regulated entities adhere to prescribed cybersecurity measures, thereby enhancing the overall security posture of critical systems.

"A person who is aggrieved by... may appeal to the Minister against the decision, order, direction, provision or amendment in the manner prescribed." — Section 35B(2)

To ensure fairness and accountability, this provision allows persons affected by the Commissioner’s decisions or codes to appeal to the Minister, providing a check on administrative actions.

"Where the Minister considers that an appeal... requires particular technical skills or specialised knowledge, the Minister may establish an Appeals Advisory Panel to provide advice to the Minister in respect of the appeal." — Section 35C(1)

This provision recognises the technical complexity of cybersecurity matters and allows the Minister to seek expert advice, ensuring informed decision-making on appeals.

"Where, in a proceeding for an offence under this Act... evidence that an officer, employee or agent of the corporation engaged in that conduct... is evidence that the corporation had that state of mind." — Section 36(1)

This provision facilitates corporate liability by attributing the state of mind of officers or employees to the corporation, thereby promoting corporate accountability in cybersecurity compliance.

"An investigation officer authorised by the Commissioner may... require any person... to furnish evidence of the person’s identity; require... to furnish information or document...; require attendance...; examine orally any person..." — Section 38(1)

These investigative powers enable the Commissioner’s officers to effectively gather information and evidence necessary to enforce the Act and investigate cybersecurity incidents.

"A Magistrate may, on the application of an investigation officer, issue a warrant in respect of any premises if the Magistrate is satisfied that there are reasonable grounds to suspect..." — Section 39(1)

This provision ensures that investigation officers can obtain judicial authorization to enter premises, balancing enforcement needs with protection of privacy and property rights.

"Despite any provision to the contrary in the Criminal Procedure Code 2010, a District Court has jurisdiction to try any offence under this Act and has power to impose the full penalty or punishment in respect of the offence." — Section 40

Granting the District Court jurisdiction to try offences under the Act streamlines prosecution and ensures that penalties can be fully imposed, reinforcing deterrence.

"The Commissioner or any Assistant Commissioner authorised by the Commissioner may compound any offence under this Act that is prescribed as a compoundable offence..." — Section 41(1)

Compounding offences allows for efficient resolution of minor breaches without resorting to protracted court proceedings, conserving judicial resources.

"A person who... is unable to do any thing that the person is required to do under Part 3, 3A, 3B, 3C or 3D... may apply in writing to the Commissioner for an extension of time." — Section 41A(1)

This provision provides flexibility for regulated persons facing genuine difficulties in compliance, promoting fairness and practical enforcement.

"A document that is permitted or required by this Act to be served on a person may be served as described in this section." — Section 42(1)

Clear rules on service of documents ensure proper notice and procedural fairness in enforcement actions.

"Every specified person must preserve, and aid in preserving, the secrecy of... all matters relating to a computer or computer system of any person... all matters relating to the business, commercial or official affairs of any person..." — Section 43(1)

This secrecy provision protects sensitive information obtained during enforcement or investigations, maintaining trust and confidentiality.

"No liability shall lie against the Commissioner... who, acting in good faith and with reasonable care, does or omits to do anything in the exercise or purported exercise of any power under this Act..." — Section 44(1)

This immunity provision encourages officials to perform their duties without fear of personal liability, provided they act in good faith and with reasonable care.

"No witness in any proceedings for an offence... is obliged or permitted to disclose the name, address or other particulars of an informer..." — Section 45(1)

Protection of informers encourages reporting of cybersecurity breaches or offences by safeguarding their identity.

"The Minister may, by order in the Gazette, exempt any person or any class of persons from all or any of the provisions of this Act..." — Section 46(1)

This exemption power allows the Minister to tailor the application of the Act, providing flexibility to accommodate special circumstances or sectors.

"The Minister may at any time, by order in the Gazette, amend the First or Second Schedule." — Section 47(1)

Amendment of Schedules enables the Minister to update the list of critical information infrastructures or other specified matters without legislative amendment, ensuring responsiveness to changing cybersecurity landscapes.

"The Minister may make regulations for carrying out the purposes and provisions of this Act." — Section 48(1)

Regulations provide detailed rules and penalties necessary for effective implementation and enforcement of the Act.

"Despite anything in this Act, any person who, immediately before the date of commencement of Part 5, is engaged in the business of providing a licensable cybersecurity service, may continue to engage in that business..." — Section 49(1)

Saving and transitional provisions protect existing businesses from disruption, allowing orderly transition to the new regulatory regime.

Definitions in This Part and Their Significance

Precise definitions are critical for clarity and effective enforcement of the Act. The definitions in this Part clarify the scope of entities and persons subject to the Act’s provisions, as well as key concepts such as "state of mind" and "occupier."

"In this section — 'corporation' includes a limited liability partnership within the meaning of section 2(1) of the Limited Liability Partnerships Act 2005; 'officer', in relation to a corporation, means any director, partner, chief executive, manager, secretary or other similar officer of the corporation, and includes — (a) any person purporting to act in any such capacity; and (b) for a corporation whose affairs are managed by its members, any of those members as if the member were a director of the corporation; 'state of mind' of a person includes — (a) the knowledge, intention, opinion, belief or purpose of the person; and (b) the person’s reasons for the intention, opinion, belief or purpose." — Section 36(6)

These definitions ensure that limited liability partnerships are treated as corporations for liability purposes, and that officers include those acting in similar capacities, preventing evasion of responsibility. The broad definition of "state of mind" supports establishing intent or knowledge in offences.

"In this section — 'officer', in relation to an unincorporated association (other than a partnership), means the president, the secretary, or any member of the committee of the unincorporated association, and includes — (a) any person holding a position analogous to that of president, secretary or member of a committee of the unincorporated association; and (b) any person purporting to act in any such capacity; 'partner' includes a person purporting to act as a partner; 'state of mind' of a person includes — (a) the knowledge, intention, opinion, belief or purpose of the person; and (b) the person’s reasons for the intention, opinion, belief or purpose." — Section 37(6)

This extends similar definitions to unincorporated associations, ensuring accountability of their officers and partners.

"In this section — 'occupier', in relation to any premises specified in a warrant under subsection (1), means a person whom the investigation officer named in the warrant reasonably believes to be the occupier of those premises; 'premises' includes any building, structure, vehicle, vessel or aircraft." — Section 39(10)

Defining "occupier" and "premises" clarifies the scope of entry and search powers, ensuring lawful and targeted investigations.

"In this section, 'specified person' means a person who is or has been — (a) the Commissioner, the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or a person appointed or employed to assist the Commissioner; (b) an authorised officer appointed under section 6; (c) a member of an Appeals Advisory Panel established under section 35C; (d) a cybersecurity technical expert appointed under section 22; (e) an assistant licensing officer; or (f) the Minister, or a person appointed or employed to assist the Minister." — Section 43(10)

This definition identifies persons bound by secrecy obligations, ensuring confidentiality of sensitive information handled by officials and experts.

Penalties for Non-Compliance and Their Rationale

The Act imposes penalties to deter non-compliance and ensure effective enforcement of cybersecurity measures. The penalties are proportionate to the severity of the offence and provide for both fines and imprisonment.

"Any person who — (a) refuses to give access to, or assaults, obstructs, hinders or delays, an investigation officer in the discharge of the investigation officer’s duties under this Act; (b) wilfully misstates or without lawful excuse refuses to give any information or produce any document required by an investigation officer under subsection (1); or (c) fails to comply with a lawful demand of an investigation officer in the discharge of the investigation officer’s duties under this Act, shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 12 months or to both." — Section 38(6)

This provision ensures that investigation officers can perform their duties without obstruction, which is essential for timely and effective enforcement.

"Any person who fails to comply with subsection (1) or (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both." — Section 43(4)

Failure to preserve secrecy is penalised to protect sensitive information, maintaining trust in the regulatory process and preventing misuse of confidential data.

"Except as otherwise expressly provided in this Act, the regulations — (a) may be of general or specific application; (b) may provide that any contravention of any specified provision of the regulations shall be an offence; and (c) may provide for penalties not exceeding a fine of $50,000 or imprisonment for a term not exceeding 12 months or both for each offence and, in the case of a continuing offence, a further penalty not exceeding a fine of 10% of the maximum fine prescribed for that offence for every day or part of a day during which the offence continues after conviction." — Section 48(3)

This provision empowers the Minister to prescribe detailed offences and penalties through regulations, allowing for flexible and responsive enforcement tailored to emerging cybersecurity risks.

Cross-References to Other Legislation and Their Importance

The Cybersecurity Act 2018 interacts with several other statutes to ensure coherence in Singapore’s legal framework and to leverage existing laws for effective enforcement.

"To avoid doubt, this section does not affect the application of — (a) Chapters 5 and 5A of the Penal Code 1871; or (b) the Evidence Act 1893 or any other law or practice regarding the admissibility of evidence." — Section 36(4)

"To avoid doubt, this section does not affect the application of — (a) Chapters 5 and 5A of the Penal Code 1871; or (b) the Evidence Act 1893 or any other law or practice regarding the admissibility of evidence." — Section 37(4)

These provisions clarify that the Act supplements but does not override the Penal Code or Evidence Act, ensuring that established criminal law principles and evidentiary rules continue to apply.

"'corporation' includes a limited liability partnership within the meaning of section 2(1) of the Limited Liability Partnerships Act 2005;" — Section 36(6)

This cross-reference ensures that limited liability partnerships are properly included within the scope of corporate liability under the Act.

"Despite any provision to the contrary in the Criminal Procedure Code 2010, a District Court has jurisdiction to try any offence under this Act and has power to impose the full penalty or punishment in respect of the offence." — Section 40

This provision overrides conflicting jurisdictional rules in the Criminal Procedure Code to streamline prosecution of cybersecurity offences.

The First Schedule to the Act also cross-references other statutes to identify critical information infrastructures, such as:

These references ensure that cybersecurity protections extend to vital public services regulated under other legislation.

"disclosing to any police officer any information which discloses the commission of an offence under the Computer Misuse Act 1993;" — Section 43(7)(b)(iv)

This provision mandates cooperation with police investigations under the Computer Misuse Act, facilitating integrated enforcement against cybercrime.

Conclusion

Part 6 of the Cybersecurity Act 2018 establishes a robust framework for regulating cybersecurity practices in Singapore. It balances regulatory oversight with flexibility through codes of practice, provides clear definitions to ensure accountability, sets out penalties to deter non-compliance, and integrates with other legislation to form a cohesive legal regime. The powers granted to the Commissioner and the Minister, along with protections for secrecy and informers, are designed to promote a secure and resilient cyber environment while safeguarding rights and procedural fairness.

Sections Covered in This Analysis

  • Section 35A – Codes of Practice and Standards of Performance
  • Section 35B – Appeals to the Minister
  • Section 35C – Appeals Advisory Panel
  • Section 36 – Offences by Corporations
  • Section 37 – Offences by Unincorporated Associations
  • Section 38 – Powers of Investigation
  • Section 39 – Powers of Entry and Search Warrants
  • Section 40 – Jurisdiction of District Court
  • Section 41 – Composition of Offences and Compounding
  • Section 41A – Extension of Time for Compliance
  • Section 42 – Service of Documents
  • Section 43 – Preservation of Secrecy
  • Section 44 – Protection from Personal Liability
  • Section 45 – Protection of Informers
  • Section 46 – General Exemption by Minister
  • Section 47 – Amendment of Schedules
  • Section 48 – Regulations
  • Section 49 – Saving and Transitional Provisions
  • First Schedule – Critical Information Infrastructure

Source Documents

For the authoritative text, consult SSO.

Written by Sushant Shukla