Online Criminal Harms Act 2023

Statute Details

• Title: Online Criminal Harms Act 2023 (No. 24 of 2023)
• Act Code: OCHA2023
• Long title: An Act to counter online criminal activity and protect against online harms, and for connected purposes.
• Commencement: 1 February 2024 (Parts 1, 2, 3 and 6 to 10; sections 50 and 52 to 60; First Schedule). 24 June 2024 (Parts 4 and 5; section 51; Second and Third Schedules).
• Current version: Current version as at 27 March 2026 (per provided metadata).
• Legislative structure (high level): 12 Parts covering directions, reconsideration/appeals, designated online services, orders for non-compliance, tribunals, information powers, offences/defences, and general provisions.
• Key concepts: “Part 2 directions” (against offences), “rectification notice” and “implementation directive” (for designated online services), “Part 6 orders” (for non-compliance), and review/appeal mechanisms.
• Key sections (from extract): Section 4 (appointment of designated/authorised officers); sections 6–14 (Part 2 directions); sections 16–18 (reconsideration and appeal); sections 19–24 (designated online services and codes of practice); sections 28–33 (Part 6 orders); sections 38–44 (reviewing tribunals); sections 47–49 (information powers); sections 50–56 (offences/penalties/defences/jurisdiction); sections 57–60 (immunity/exemptions/regulations).
• Schedules: First Schedule (specified offences and scam/malicious cyber activity offences); Second Schedule (offence groups); Third Schedule (purposes of systems/processes/measures).

What Is This Legislation About?

The Online Criminal Harms Act 2023 (“OCHA”) is Singapore’s legislative framework for countering online criminal activity and reducing online harms. In practical terms, it gives the Government—through designated competent authorities and officers—power to require certain online services to take action against content, accounts, and access pathways associated with specified criminal offences and scam/malicious cyber activity.

OCHA is designed to operate quickly and operationally. Rather than relying solely on traditional criminal investigations and court processes, the Act creates a system of administrative directions and compliance mechanisms. These include “Part 2 directions” that can require immediate operational steps (such as stopping communications, disabling access, restricting accounts, or removing apps) and a separate compliance regime for “designated online services” that must implement systems and processes to prevent and respond to relevant harms.

Importantly, the Act also builds in procedural safeguards: reconsideration mechanisms, appeals (including to a Reviewing Tribunal and, for certain matters, to the Minister), and a structured process for reviewing and potentially cancelling directions or orders. For practitioners, the key is to understand how OCHA translates legal thresholds into operational obligations imposed on online intermediaries and service providers.

What Are the Key Provisions?

1. Appointment of officers and the direction-making machinery (Part 1, especially section 4). OCHA begins by establishing who can act. Section 4 empowers the Minister to appoint “designated officers” and “authorised officers”. These officers are central to the Act’s enforcement workflow: they issue notices, directions, and requests for information, and they interact with designated online services and other affected parties. Section 5 further allows delegation by the competent authority, enabling the system to function efficiently.

2. Part 2 directions: operational measures against online harms (sections 6–14). Part 2 is the core “immediate response” framework. It provides for different types of directions, each tailored to the harm vector. While the extract lists the direction types by reference to sections, the structure is clear:

• Stop communication direction (section 8): targets communications/content that facilitate specified wrongdoing.
• Disabling direction (section 9): requires disabling access to relevant online material or locations.
• Access blocking direction (section 10): blocks access to relevant material or locations, potentially using the recipient’s chosen means of identification.
• Account restriction direction (section 11): restricts accounts associated with the relevant offence group.
• App removal direction (section 12): requires removal of an app (or related distribution/download pathway) where relevant.

Part 2 also contains supplementary provisions (section 13) and a mechanism for “self-initiated cancellation or substitution” (section 14). This is significant for compliance planning: it suggests that service providers may be able to take corrective action themselves and thereby avoid or modify the effect of a direction, depending on how the Act’s conditions are satisfied.

3. Reconsideration and appeal for Part 2 directions (Part 3). OCHA provides a layered review process. Part 3 includes: (i) reconsideration (sections 16–17), and (ii) appeal to a Reviewing Tribunal (section 18). The Act contemplates that an “appellant” can challenge the direction. For practitioners, the practical takeaway is that affected parties should treat timelines and procedural requirements as critical—administrative directions are often time-sensitive, and review mechanisms may be triggered only if the statutory steps are complied with.

4. Designated online services, codes of practice, and implementation directives (Parts 4 and 5). OCHA moves beyond case-by-case directions by creating a compliance regime for certain “designated online services” (Part 4). The Act provides for:

• Designation and offence group linkage (section 20): a designated online service is linked to a “related offence group”, meaning the service’s obligations are offence-group specific.
• Codes of practice (section 21): the competent authority issues codes that guide how services should implement measures.
• Code application notice (section 22): formal notice that a code applies to a service.
• Rectification notice (section 23): a notice requiring rectification of non-compliance or deficiencies.
• Implementation directive (section 24): a directive requiring implementation of specified systems/processes/measures for the relevant purposes.

Part 5 then addresses appeals arising from Part 4 decisions, including appeals to the Minister (sections 25–26) and the role of an Appeals Advisory Committee (section 27). This is a key difference from Part 2: Part 4/5 concerns compliance obligations and implementation planning, and the appeal route may differ from the direction-specific reconsideration/tribunal path in Part 3.

5. Orders against non-compliance (Part 6) and further review (Part 7). If a designated online service fails to comply with Part 2 directions, rectification notices, implementation directives, or other statutory requirements, OCHA provides for “Part 6 orders” (sections 28–33). The Act includes:

• Access blocking order (section 29)
• App removal order (section 30)
• Service restriction order (section 31)

Part 6 also contains supplementary provisions (section 32) and a “self-initiated cancellation or substitution” mechanism (section 33), again indicating that compliance can be achieved through provider-led remediation. Part 7 then provides reconsideration and appeal to a Reviewing Tribunal (sections 35–37), mirroring the review logic seen in Part 3 but applied to Part 6 orders.

6. Reviewing Tribunals: composition, function, and procedure (Part 8). OCHA establishes Reviewing Tribunals (sections 38–44). These provisions cover composition (section 38), remuneration and terms (section 39), resources (section 40), and function (section 41). Section 42 sets out grounds for cancellation, while sections 43–44 address procedure and rules for proceedings. For counsel, this part is crucial when preparing submissions: tribunal procedure can determine admissibility of evidence, the scope of review, and the practical standard for challenging administrative decisions.

7. Information powers and cross-border notice (Part 10). OCHA includes powers to obtain information for administration (section 47) and information on online activity in furtherance of specified offences (section 48). Section 49 allows written notice to be given to persons outside Singapore, which is particularly relevant for platform operators and intermediaries with offshore operations. This means practitioners should anticipate compliance requests that may involve foreign entities, and should plan for how information will be gathered, preserved, and produced.

8. Offences, penalties, and defences (Part 11). OCHA creates offences for non-compliance with Part 2 directions (section 50), rectification notices or implementation directives (section 51), Part 6 orders (section 52), and written notices under sections 47–48 (section 53). Section 54 provides defences, while sections 55–56 address which offences are arrestable/bailable and the jurisdiction of courts. The existence of criminal offences for administrative non-compliance underscores that OCHA is not merely regulatory guidance; it is backed by enforceable sanctions.

9. General provisions: immunity, exemptions, and regulations (Part 12). Section 57 provides immunity (typically to protect persons acting in good faith under the Act). Section 58 provides general exemptions. Section 59 allows amendment of schedules, and section 60 empowers regulations. These provisions matter for risk management: immunity and exemptions can affect liability exposure for service providers and officers.

How Is This Legislation Structured?

OCHA is organised into 12 Parts:

• Part 1 (Preliminary): short title/commencement, interpretation, competent authority, appointment of designated/authorised officers, and delegation.
• Part 2 (Directions against offences): general direction framework and specific direction types (stop communication, disabling, access blocking, account restriction, app removal), plus supplementary and self-initiated substitution provisions.
• Part 3 (Reconsideration and appeal for Part 2 directions): appellants, reconsideration, and appeal to a Reviewing Tribunal.
• Part 4 (Designated online services): designation and offence group linkage; codes of practice; code application notice; rectification notice; implementation directive.
• Part 5 (Appeals arising from Part 4): appeals to the Minister and the Appeals Advisory Committee.
• Part 6 (Orders against non-compliance): access blocking, app removal, and service restriction orders, with supplementary and self-initiated substitution provisions.
• Part 7 (Reconsideration and appeal for Part 6 orders): appellants, reconsideration, and appeal to a Reviewing Tribunal.
• Part 8 (Reviewing Tribunals): composition, function, procedure, and grounds for cancellation.
• Part 9 (Service of notices): how notices are served by designated officers and to them.
• Part 10 (Powers to obtain information): information for administration; information on online activity; cross-border written notices.
• Part 11 (Offences, penalties and defences): offences for non-compliance; defences; arrest/bail; court jurisdiction.
• Part 12 (General): immunity, exemptions, amendments to schedules, and regulations.

Who Does This Legislation Apply To?

OCHA applies primarily to (i) the competent authority and appointed officers, and (ii) “designated online services” and recipients of Part 2 directions or Part 6 orders. In practice, this includes platform operators, app distribution services, and other online intermediaries that host, transmit, facilitate access to, or otherwise enable online activity relevant to specified offences and scam/malicious cyber activity.

It also applies to persons who receive notices under the Act’s information powers. Because section 49 permits written notice to persons outside Singapore, the Act can reach offshore entities that are involved in relevant online services or activities, subject to how the statutory notice and compliance obligations are operationalised.

Why Is This Legislation Important?

OCHA is important because it creates a comprehensive administrative enforcement model for online harms. It combines: (a) rapid operational directions against specific harmful content/accounts/communications; (b) a forward-looking compliance regime for designated services; and (c) escalating consequences for non-compliance, including access blocking, app removal, and service restriction orders.

For practitioners advising platforms or intermediaries, the Act’s practical impact is significant. Compliance is not limited to responding to individual takedown requests; designated services must implement systems and processes aligned with codes of practice and implementation directives. Counsel should therefore focus on governance: internal escalation procedures, evidence handling, auditability of compliance steps, and readiness to engage in reconsideration and tribunal processes.

OCHA also affects litigation and dispute strategy. The availability of reconsideration and appeal routes means that decisions are contestable, but the administrative nature of the process requires careful attention to statutory timelines, the scope of review, and the evidential record. Finally, the criminal offence provisions for non-compliance elevate the stakes: failure to comply can create criminal exposure, making legal oversight and compliance documentation essential.

Related Legislation

• Telecommunications Act 1999
• Online Criminal Harms Act 2023 (subsidiary legislation and amendments, including S 42/2024, S 527/2024, S 986/2024, and S 561/2025 as reflected in the provided timeline)

Source Documents

• Official Text — Singapore Statutes Online
• Archived Copy — Litt Law CDN

This article provides an overview of the Online Criminal Harms Act 2023 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.