Statute Details
- Title: Electronic Transactions (Certification Authority) Regulations 2010
- Act Code: ETA2010-RG1
- Type: Subsidiary Legislation (SL)
- Authorising Act: Electronic Transactions Act 2010 (noted as authorising sections including 22, 36 and 38)
- Status: Current version as at 27 Mar 2026
- Revised Edition: 2025 RevEd (2 June 2025)
- Original Commencement: 1 November 2010 (SL 650/2010)
- Parts: Part 1 (Preliminary) to Part 9 (Administration), plus a Schedule
- Key Provisions (from extract): Section 2 (Definitions) and the regulatory framework across accreditation, conduct, repository requirements, accreditation mark, public agency application, and administration
- Schedule: Accreditation Mark for Accredited Certification Authorities
What Is This Legislation About?
The Electronic Transactions (Certification Authority) Regulations 2010 (“CA Regulations”) set out the detailed compliance framework for certification authorities (“CAs”) in Singapore. In practical terms, the Regulations spell out how Singapore regulates the issuance and management of the digital certificates used for secure electronic transactions, particularly where certificates and digital signatures are relied upon for authentication, integrity, and non-repudiation.
At a high level, the Regulations do three things. First, they establish a formal accreditation regime: a CA must be accredited to perform regulated certification activities. Second, they impose substantive governance and operational requirements on accredited CAs, covering record keeping, transaction logs, certificate lifecycle management (issuance, renewal, suspension, revocation, expiry), security controls, confidentiality, incident handling, and changes in management. Third, they provide administrative and enforcement mechanisms, including refusal, cancellation or suspension of accreditation, audit, disclosure, and offences/penalties.
For practitioners, the key takeaway is that the CA Regulations are not merely procedural. They are compliance-heavy and risk-focused. They require accredited CAs to demonstrate “trustworthy” practices and to maintain systems and documentation that can withstand audit and regulatory scrutiny. This is essential because the credibility of digital certificates depends on the CA’s operational integrity and security posture.
What Are the Key Provisions?
Accreditation: application, renewal, and regulator control. Part 2 provides the pathway for a CA to apply for accreditation and to renew it. Part 3 then addresses what happens when accreditation is refused, cancelled, or suspended. These provisions are designed to ensure that only CAs meeting the regulatory standards can operate, and that accreditation can be withdrawn where misconduct, non-compliance, or other disqualifying circumstances arise.
Part 3 also includes an inquiry mechanism into allegations of misconduct (and related matters). This is important for due process and for understanding how enforcement decisions are made. The Regulations further specify the effect of cancellation or suspension of accreditation (Part 3), which is critical for subscribers and relying parties: once accreditation is withdrawn or suspended, the CA’s ability to issue or manage certificates may be constrained, and reliance on certificates may need to be reassessed.
Accreditation requirements: business structure, personnel, and the certification practice statement. Part 4 sets out baseline eligibility and governance requirements. These include requirements relating to the CA’s business structure (Part 4, section 10), personnel (section 11), and the certification practice statement (“CPS”) (section 12). The CPS is a central compliance document: it describes the CA’s policies and procedures for certificate issuance and management, and it becomes a reference point for both regulators and relying parties.
From a legal and operational standpoint, the CPS is where many obligations become concrete. If the CPS is inaccurate, incomplete, or inconsistent with actual practices, the CA may be exposed to regulatory action. Practitioners advising CAs should therefore treat the CPS as a living compliance instrument, not a static policy document.
Conduct of business: trustworthy record keeping, transaction logs, certificate lifecycle, and security. Part 5 is the core operational compliance section. It includes requirements for trustworthy record keeping and archival (section 13) and trustworthy transaction logs (section 14). These provisions matter because they enable traceability: regulators and auditors must be able to reconstruct what happened, when, and why—particularly in disputes or incident investigations.
Part 5 also addresses types of certificates (section 15), issuance (section 16), renewal (section 17), suspension (section 18), revocation (section 19), and expiry dates (section 20). Together, these provisions create a structured lifecycle model. For practitioners, this means that certificate management cannot be ad hoc: the CA must have processes that support timely and accurate status changes, and must ensure that relying parties can understand the certificate’s validity and trustworthiness over time.
Part 5 further requires the CA to maintain its CPS (section 21) and to use secure digital signatures (section 22), and to implement a compliance audit checklist (section 23), handle incidents (section 24), and comply with confidentiality obligations (section 25). There are also requirements relating to change in management (section 26), reflecting the reality that governance and control can shift with leadership changes.
Repository requirements: general purpose and specific purpose repositories. Part 6 requires accredited CAs to maintain repositories (sections 27 and 28). A repository is typically where the CA publishes certificate-related information, such as certificate status information and other relevant data, so that relying parties can check a certificate before trusting it. The distinction between a general purpose repository and a specific purpose repository signals that the Regulations contemplate different deployment models depending on the certificate use case and the relying environment.
Accreditation mark: permitted use and branding controls. Part 7 governs the use of the accreditation mark (section 29). This is not merely marketing. Accreditation marks help relying parties identify that a CA is accredited and regulated. The Regulations therefore control how the mark is used to prevent misleading representations.
Application to public agencies. Part 8 (section 30) addresses how accredited CAs interact with public agencies. This is particularly relevant for government procurement and public sector reliance on certificates. Practitioners should note that public sector reliance often triggers heightened assurance expectations and may require additional contractual or compliance alignment beyond baseline accreditation.
Administration: waiver, disclosure, discontinuation, audit, and offences. Part 9 includes administrative provisions. These cover waiver (section 31), disclosure (section 32), discontinuation of operations of an accredited CA (section 33), audit (section 34), and enforcement mechanisms including penalties (section 35) and composition of offences (section 36). These provisions are essential for understanding regulatory oversight and the consequences of non-compliance.
In particular, the audit and disclosure provisions indicate that the CA’s compliance posture is not assessed only at accreditation time; it is monitored and verified over time. Discontinuation rules also matter for transition planning: if a CA ceases operations, subscribers and relying parties need clarity on how certificate services will be handled and how information will be managed.
How Is This Legislation Structured?
The CA Regulations are structured to move from foundational concepts to operational obligations and then to enforcement and administration. Part 1 contains preliminary matters, including the citation and definitions. Part 2 and Part 3 address accreditation and the regulator’s powers to refuse, renew, cancel, or suspend accreditation, including inquiry and appeal mechanisms. Part 4 sets accreditation requirements (business structure, personnel, and CPS). Part 5 is the main conduct-of-business regime, covering record keeping, transaction logs, certificate lifecycle, security, audits, incident handling, confidentiality, and governance changes. Part 6 imposes repository requirements. Part 7 regulates use of the accreditation mark. Part 8 addresses applications to public agencies. Part 9 provides administrative and enforcement provisions, including waiver, disclosure, discontinuation, audit, penalties, and composition of offences. The Schedule sets out the accreditation mark.
Who Does This Legislation Apply To?
The Regulations apply primarily to certification authorities that seek or hold accreditation under the Electronic Transactions framework. In other words, the obligations in the CA Regulations are directed at entities performing regulated certification activities and operating as accredited CAs.
The Regulations also have practical implications for subscribers (those who obtain certificates) and relying parties (those who rely on certificates). While the CA Regulations are drafted as obligations on accredited CAs, the certificate lifecycle rules, repository publication requirements, and enforcement mechanisms affect how subscribers and relying parties should assess certificate validity and trust. For public agencies, Part 8 signals additional considerations when accredited CAs provide services in the public sector context.
Why Is This Legislation Important?
The CA Regulations are important because they protect trust in digital certification services. Digital certificates are foundational to secure electronic transactions. If a CA’s identity verification processes, key management, record keeping, or certificate lifecycle controls are weak, the entire trust model can fail—leading to fraud, repudiation disputes, and systemic security risks.
From an enforcement perspective, the Regulations provide the regulator with structured tools: accreditation can be granted, renewed, refused, cancelled, or suspended; inquiries can be conducted into misconduct; and audits can be performed. The inclusion of penalties and composition of offences underscores that compliance is legally consequential, not merely best practice.
For practitioners advising a CA, the Regulations provide a compliance blueprint that should be reflected in governance documents (especially the CPS), technical controls (such as secure signature practices), and operational procedures (such as incident handling and certificate status management). For practitioners advising relying parties or public agencies, the Regulations provide assurance indicators: an accredited CA is subject to defined obligations, and certificate reliance should be informed by the CA’s compliance and accreditation status.
Related Legislation
- Electronic Transactions Act 2010 (authorising provisions referenced for these Regulations, including sections 22, 36 and 38)
Source Documents
This article provides an overview of the Electronic Transactions (Certification Authority) Regulations 2010 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.