
New Law will require Owners of critical services to report wider range of Cybersecurity incidents

This is to address the "inventiveness" of malicious cyber actors. As the tactics and techniques of malicious actors evolve to target systems that are peripheral to owners of critical services or along their supply chains, Singapore must also place "alarms" at these places, says Senior Minister of State for Communication and Information Janil Puthucheary.

The new law will allow authorities to regulate a new type of system called Systems of Temporary Cybersecurity Concern (STCC). These are systems that, for a time-limited period, are at high risk of cyberattacks, and if compromised, would damage Singapore's national interests.

The Cyber Security Agency of Singapore (CSA) will now also be able to manage entities beyond its current regulatory regime. These include Entities of Special Cybersecurity Interest (ESCIs).

Attacks on ESCIs could have a "significant detrimental effect" on Singapore's defense, foreign relations, economy, public health, public safety, or public order, because of the disruption of the function they perform, or the disclosure of sensitive information their computer systems contain, explained Dr Janil.


While Singapore implemented legislation in the form of the Cybersecurity Act in 2018, technology has evolved and business models have changed.

In Singapore, over 90 percent of residents now communicate online, and firms' technology adoption rate has grown from 74 percent in 2018 to 94 percent in 2022. More people are now online for longer and for more varied purposes. This means that there is an increased "attack surface" as people are exposed to more cyber risks. The cyber threat landscape has also evolved, and malicious actors are increasingly finding new ways to reach their target. That is why it is "vital" that Singapore updates cybersecurity laws to stay ahead of the curve, said Dr Janil.


Addressing concerns on increased compliance costs, Dr Janil said that neither the Cybersecurity Act nor the amendments proposed in the Bill imposes "cybersecurity obligations" on the business community at large.

Instead, the new law will regulate only the cybersecurity of systems, infrastructure and services that are important at a national level because their disruption or compromise could affect Singapore's survival, security, safety or other national interests.

"The issue for consideration is not whether a regulated entity is a large company, an MNC (Multinational Corporation) or an SME (small-medium-size enterprise); the key consideration is whether a cyberattack on the entity could have serious implications on our national security or other national interests."
