Statute Details
- Title: Electronic Transactions (Certification Authority) Regulations 2010
- Act Code: ETA2010-RG1
- Legislative Type: Subsidiary legislation (sl)
- Authorising Act: Electronic Transactions Act 2010 (noted in the extract as Sections 22, 36 and 38)
- Current Version: 2025 Revised Edition (2 June 2025)
- Original Commencement: 1 November 2010 (SL 650/2010)
- Parts: Part 1 (Preliminary) to Part 9 (Administration), plus a Schedule
- Key Provisions (as indicated): Section 2 (Definitions) and the regulatory framework across accreditation, operational requirements, repository requirements, accreditation mark, public agency application, and administration
- Schedule: Accreditation Mark for Accredited Certification Authorities
What Is This Legislation About?
The Electronic Transactions (Certification Authority) Regulations 2010 (“CA Regulations”) set out the detailed regulatory framework for accredited certification authorities in Singapore. In practical terms, the Regulations govern entities that issue digital certificates used to support secure electronic transactions—particularly where certificates and digital signatures are relied upon for authentication, integrity, and non-repudiation.
While the Electronic Transactions Act 2010 provides the overarching legislative foundation, the CA Regulations focus on the “how”: they prescribe the accreditation process, the conditions for maintaining accreditation, and the operational and security requirements that accredited certification authorities must meet. They also address what happens if accreditation is refused, suspended, or cancelled, and how the regulator can audit and enforce compliance.
For practitioners, the CA Regulations are best understood as a compliance and risk-control regime. They translate the legal trust placed in certificates into concrete governance, record-keeping, security, incident handling, and audit obligations. They also regulate the use of an accreditation mark and impose duties relating to repositories and disclosure—ensuring that certificate services remain reliable even when systems, personnel, or operational circumstances change.
What Are the Key Provisions?
1) Definitions and regulated concepts (Part 1)
The Regulations begin with definitions that anchor the entire regime. Section 2 defines, among other terms, “accreditation”, “accredited certification authority”, “accreditation mark”, and “subscriber identity verification method”. These definitions matter because they determine what activities fall within the regulatory scope and what standards must be met.
Notably, the definition of “trusted person” is broad and functional. It includes persons with day-to-day responsibilities for regulated business activities (including security and performance), and persons with direct duties involving issuance, renewal, suspension, revocation of certificates, identification of certificate applicants, creation of private keys, or administration of the certification authority’s computing facilities. This is a compliance-critical concept: it signals that the Regulations are concerned not only with formal roles, but also with operational control over security-sensitive processes.
2) Accreditation: application, renewal, and regulator decisions (Parts 2 and 3)
Parts 2 and 3 establish how a certification authority becomes accredited and what happens over time. Part 2 covers the application to be accredited and the renewal of accreditation. Part 3 addresses the regulator’s powers to refuse accreditation, cancel or suspend accreditation, and conduct inquiries into allegations of misconduct or related issues.
From a practitioner’s standpoint, the most important practical effect of Parts 2 and 3 is that accreditation is not a one-off event. It is a continuing status subject to ongoing compliance. The Regulations also provide for the effect of cancellation or suspension (Part 3), which is crucial for risk management: relying parties, subscribers, and public agencies need clarity on how trust in certificates changes when accreditation is withdrawn.
3) Accreditation requirements: governance, personnel, and the certification practice statement (Part 4)
Part 4 sets out baseline accreditation requirements. These include requirements relating to the certification authority’s business structure (Section 10), personnel (Section 11), and the certification practice statement (Section 12). The certification practice statement (CPS) is a central compliance document: it describes the authority’s policies and procedures for certificate issuance and management, and it becomes a reference point for both audits and operational expectations.
In practice, counsel advising a certification authority should treat the CPS as a living governance instrument. It should align with the Regulations’ operational requirements and be maintained and updated as necessary (a theme reinforced later in Part 5). Personnel requirements and business structure provisions also indicate that the regulator expects credible organisational controls—particularly around security and decision-making.
4) Conduct of business: security, logs, certificate lifecycle, confidentiality, and incident handling (Part 5)
Part 5 is the operational core. It imposes detailed duties on accredited certification authorities, including:
• Trustworthy record keeping and archival (Section 13) and trustworthy transaction logs (Section 14): These obligations ensure that certificate-related events can be reconstructed and verified. For disputes, audits, and incident investigations, the ability to produce reliable records is often determinative.
• Types of certificates and issuance/renewal/suspension/revocation/expiry (Sections 15–20): The Regulations require structured handling of the certificate lifecycle. This includes rules for issuance and renewal, and processes for suspension, revocation, and expiry. These provisions matter because the legal and practical value of certificates depends on accurate status management.
• Maintenance of the certification practice statement (Section 21): The CPS must remain current and consistent with actual practices.
• Secure digital signatures (Section 22): This reflects the Regulations’ security-by-design approach. The certification authority’s own cryptographic operations must be performed securely.
• Compliance audit checklist (Section 23): This indicates that compliance is expected to be measurable and auditable, not merely asserted.
• Incident handling (Section 24): Accredited certification authorities must have processes to respond to incidents—such as security breaches or operational failures—that could undermine trust.
• Confidentiality (Section 25) and change in management (Section 26): Confidentiality obligations protect subscriber and operational information. Change-in-management provisions ensure that governance continuity and security responsibilities are not disrupted by personnel transitions.
For practitioners, Part 5 is where “legal compliance” becomes “technical compliance”. If a certification authority’s procedures are weak—especially around key management, logging, certificate status, and incident response—then accreditation risk increases and liability exposure may follow.
5) Repositories and availability requirements (Part 6)
Part 6 requires accredited certification authorities to maintain repositories. Section 27 addresses availability of a general purpose repository, while Section 28 addresses specific purpose repositories. Repositories typically support publication and retrieval of certificate-related information (such as certificates, status information, or related documents). The Regulations’ repository requirements are designed to ensure that relying parties can access relevant information reliably.
6) Accreditation mark and public-facing compliance (Part 7)
Part 7 governs the use of the accreditation mark (Section 29). The Schedule sets out the accreditation mark itself. This provision is important because it links regulatory status to branding and public representation. Misuse of the accreditation mark can mislead relying parties about the authority’s accredited status.
7) Application to public agencies (Part 8)
Part 8 (Section 30) addresses how accreditation and certification services interface with public agencies. This is relevant for procurement, government reliance on certificates, and ensuring that public sector use aligns with the regulatory framework.
8) Administration: waiver, disclosure, discontinuation, audit, penalties, and composition (Part 9)
Part 9 provides administrative mechanisms and enforcement tools. It includes:
• Waiver (Section 31): allows for limited relief in appropriate circumstances, subject to conditions.
• Disclosure (Section 32): imposes duties around providing information—likely to the regulator and/or affected parties—consistent with transparency and oversight.
• Discontinuation of operations (Section 33): addresses what happens when an accredited certification authority stops operating. This is critical for continuity of trust and for managing certificate status and repository access.
• Audit (Section 34): empowers compliance checking. Audits are a practical enforcement lever and a key compliance milestone.
• Penalties and composition of offences (Sections 35–36): establishes consequences for non-compliance and provides a mechanism for dealing with offences through composition.
How Is This Legislation Structured?
The CA Regulations are organised into a logical compliance sequence:
Part 1 (Preliminary) contains citation and definitions (including “trusted person”).
Part 2 (Accreditation of certification authorities) covers applications and renewal.
Part 3 (Refusal, cancellation and suspension) sets out the regulator’s decision powers and the consequences of adverse actions, including inquiry and appeal.
Part 4 (Accreditation requirements) focuses on governance prerequisites: business structure, personnel, and the CPS.
Part 5 (Conduct of business) is the operational compliance chapter: record keeping, logs, certificate lifecycle, security, audits, incident handling, confidentiality, and management changes.
Part 6 (Requirements for repository) ensures information availability.
Part 7 (Accreditation mark) regulates public representation.
Part 8 (Application to public agencies) addresses use in the public sector context.
Part 9 (Administration) provides enforcement and operational continuity tools, including audit and penalties.
Finally, the Schedule specifies the accreditation mark design.
Who Does This Legislation Apply To?
The Regulations apply primarily to certification authorities that seek or hold accreditation under the Electronic Transactions framework. The obligations in Parts 4 to 6, and Part 5 in particular, are directed at accredited certification authorities, that is, entities that have been granted accreditation and are therefore authorised to issue certificates within the regulated trust model.
In addition, the Regulations’ compliance expectations extend to individuals who qualify as “trusted persons”. This includes personnel with day-to-day operational and security responsibilities, as well as those directly involved in certificate lifecycle actions and key/certification facility administration. Accordingly, internal governance and role mapping are essential for compliance planning.
Why Is This Legislation Important?
The CA Regulations are important because they operationalise the legal trust placed in digital certificates. In many electronic transactions, the certificate is the mechanism by which parties authenticate identities and validate signatures. If certificate issuance and lifecycle management are unreliable, the legal and commercial value of electronic transactions is undermined.
From an enforcement perspective, the Regulations provide the regulator with structured oversight tools: accreditation decisions (including suspension/cancellation), inquiry powers, audit requirements, and penalties. The inclusion of incident handling, transaction logs, and record-keeping requirements reflects a modern regulatory approach: compliance is not only about initial qualification but also about resilience and traceability over time.
For practitioners advising certification authorities, the Regulations also have direct drafting and implementation implications. Counsel should ensure that the CPS and internal procedures are aligned with the Regulations’ lifecycle requirements (issuance, renewal, suspension, revocation, expiry), that repository arrangements meet availability expectations, and that governance changes (including management transitions) are handled in a way that preserves compliance. For relying parties and public agencies, the accreditation mark and the consequences of suspension/cancellation are key to managing reliance risk.
Related Legislation
- Electronic Transactions Act 2010 (authorising act; referenced as Sections 22, 36 and 38 in the extract)
Source Documents
This article provides an overview of the Electronic Transactions (Certification Authority) Regulations 2010 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.