Home > Cybersecurity > Significant amendments to the Singapore Cyber Security Act set to have implications for the cybersecurity landscape
On 15 December 2023, the Cyber Security Agency of Singapore (CSA) released the draft Cybersecurity (Amendment) Bill (Draft Bill), which seeks to amend the Cyber Security Act 2018 (CS Act), for public consultation. The public consultation concluded on 15 January 2024.
The consultation paper and the Draft Bill can be accessed here.
The proposed changes are significant and will have implications for the cybersecurity landscape in Singapore which we consider below.
Background
The amendments in the Bill seek to ensure that Singapore’s cybersecurity laws are aligned with their purpose of protecting Singapore against cybersecurity threats and adverse disruptions.  
The Proposed Changes
Broadly, the Draft Bill proposes to make two key changes: 
Strengthening the Regulatory Approach to CII
At present, Part 3 of the CS Act primarily imposes obligations on CII owners. This regulatory approach reflects the fact that, at the time the CS Act was enacted, providers of essential services tended to own and operate the CII necessary for the delivery of such essential services.
However, since the enactment of the CS Act, there has been a shift towards virtualisation or use of outsourced vendors (Computing Vendors) to provide specific computing needs. Recognising that the use of such Computing Vendors should be facilitated if it could improve the delivery of essential services, the CSA is proposing to introduce a new Part 3A to the CS Act, to facilitate the use of Computing Vendors by providers of essential services.
Under the new proposed Part 3A of the CS Act, providers of essential services will be permitted to use Computing Vendors in the delivery of an essential service. However, responsibility for the cybersecurity of the essential service will remain with its providers. The Commissioner of Cybersecurity (Commissioner) will be able to impose various duties on providers of essential services that are designed to result in the same cybersecurity outcomes as Part 3 of the CS Act (which applies to CII owners).[1] 
To ensure that providers of essential services can discharge their duties under the CS Act, they will be required to obtain legally binding commitments from their Computing Vendor. If they are not able to obtain such commitments, the Commissioner may order the provider of essential service to cease the use of the non-provider owned CII.
Extending the Regulatory Scope of the CS Act beyond CII
The other significant change to the CS Act relates to the extension of the regulatory scope of the CS Act beyond that of CII owners and providers of essential services.
This is a recognition of the fact that due to increased digitisation, there are other components in Singapore’s cybersecurity landscape apart from essential services where disruptions caused by cybersecurity incidents could significantly impact or degrade life in Singapore.
Therefore, the CSA is proposing to expand the CS Act, with Parts 3B, 3C and 3D, to regulate the following classes of entities:
As providers of essential services and CII owners, once designated, these entities will be subject to certain duties under the CS Act. The duties imposed on these entities include the duty to provide information to the Commissioner, the duty to comply with codes of practices, standards of performance or written directions issued by the Commissioner and the duty to notify the Commissioner of prescribed cybersecurity incidents. 
Key Takeaways
The proposed enhanced powers of the CSA will have the following implications for the cybersecurity landscape:
We would like to thank our practice trainee, Charles How, for his assistance with the preparation of this update.
[1] Such duties include providing information on non-provider owned CIIs, complying with codes of practice, standards of performance, conduct regular audits, notify the Commissioner of changes of ownership of non-provider-owned CII and of the occurrence of prescribed cybersecurity incidents etc.

source