Cybersecurity · Singapore
Singapore operates a comprehensive, cross-sector cybersecurity regime anchored in the Cybersecurity Act 2018, which the Cyber Security Agency of Singapore (CSA) enforces to protect Critical Information Infrastructure (CII) across 11 essential-service sectors. The Cybersecurity (Amendment) Act 2024 broadened the framework (key provisions came into force on 31 October 2025), expanding incident-reporting duties and creating new regulated categories. Mandatory breach notification also exists under the Personal Data Protection Act (PDPA), and sector regulators like the Monetary Authority of Singapore (MAS) impose stricter incident-reporting timelines on financial institutions.
The Cybersecurity Act 2018 is the primary statute, empowering the CSA Commissioner to designate and regulate Critical Information Infrastructure across sectors including Energy, Water, Banking & Finance, Healthcare, Transport, Infocomm, Media, Security & Emergency Services, and Government.
The Cybersecurity (Amendment) Act 2024 was passed in May 2024 to address evolving risks; a tranche of its provisions commenced on 31 October 2025, updating CII rules and introducing 'Systems of Temporary Cybersecurity Concern' (STCCs).
CII owners must report prescribed cybersecurity incidents to CSA within two hours of becoming aware; the 2024 amendments extended this to incidents reasonably suspected to involve Advanced Persistent Threats (APTs) and disruptions to essential services, including in non-interconnected systems under the owner's control.
The amendments also create future categories — Entities of Special Cybersecurity Interest (Part 3C) and major Foundational Digital Infrastructure providers (Part 3D) — which were not part of the 31 October 2025 commencement and await later operationalisation.
Under the Personal Data Protection Act and the 2021 Notification of Data Breaches Regulations, organisations must notify the Personal Data Protection Commission (PDPC) of notifiable breaches (those likely to cause significant harm or affecting 500+ individuals) as soon as practicable and within 3 calendar days of assessing the breach as notifiable.
The Monetary Authority of Singapore imposes stricter duties on financial institutions via its Technology Risk Management Notices/Guidelines, including notifying MAS within one hour of discovering a relevant/major incident and submitting a root-cause report within 14 days.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.