Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity (Amendment) Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory oversight. On 31 October 2025, several key provisions of the Amendment Act came into effect. This article summarises the main amendments now in force, highlights those that are still pending commencement, and sets out recommendations on how to respond to these changes.
Third‑Party‑Owned CIIs Now Directly Regulated – Impact on Agreements
Previously, the Cybersecurity Act focused on critical information infrastructure (CIIs) owned and operated by essential service providers such as utilities (provider-owned CIIs). As third-party cloud, outsourced and managed infrastructures have become integral to the performance of essential services by companies designated as essential service providers, the Amendment Act introduces a new framework delineating the responsibilities regarding CIIs owned by third parties (third-party-owned CIIs), namely big IT/software/cloud service providers. Specifically, it empowers the Commissioner of Cybersecurity (Commissioner) to designate an essential service provider (rather than the third-party owner) as responsible for the cybersecurity of a third‑party‑owned CII used by one or more essential service providers. Once designated, the essential service provider must obtain legally binding commitments from the third-party CII owner that the third party will:
- provide information on the design, configuration, security and operation of the third-party-owned CII upon the essential service provider’s request;
- maintain any applicable prescribed technical or other cybersecurity standards; and
- notify the essential service provider of material changes affecting the system’s design, configuration, security or operation.
Effectively, this mandates certain contractual assurances in the contract between essential service providers and their third party IT vendors. This will likely be helpful for essential service providers, who may have previously found it difficult to impose or flow down certain contractual terms to large IT vendors, especially those located outside of Singapore (see below).
Overseas CIIs Now in Scope
The original Cybersecurity Act only regulates CIIs located wholly or partly within Singapore. Under the Amendment Act, computers or computer systems located wholly outside Singapore may be designated as CIIs (whether provider-owned or third-party-owned) and, therefore, be subject to relevant regulatory requirements. How in practice the Commissioner will be able to have oversight over such overseas systems remains to be seen, but it does again perhaps give essential service providers great ability to impose compliance with Singapore’s cybersecurity framework on their overseas IT vendors, including shared service companies. Care will need to be taken in this regard if procurement of such third-party systems used across an MNC (of which an essential service provider is part) is conducted outside of Singapore.
Systems of Temporary Cybersecurity Concern
To enable rapid regulatory intervention against emerging cyber risks, the Amendment Act extends oversight beyond CIIs to computers or computer systems that are temporarily critical to the nation’s interests. It empowers the Commissioner to designate a computer or computer system located wholly or partly in Singapore as a System of Temporary Cybersecurity Concern (STCC) for a limited period (up to one year for the initial period and for each subsequent extension), where the Commissioner is satisfied that:
- there is a high risk that a cybersecurity threat or incident may occur; and
- the loss or compromise of the computer or computer system would have a serious detrimental effect on Singapore’s national security, defence, foreign relations, economy, public health, public safety, or public order.
Once designated, the owner of an STCC must:
- furnish information on the design, configuration, security and operation of the STCC upon the Commissioner’s request;
- comply with written directions regarding actions to address cybersecurity threats, technical or other cybersecurity standards, codes of practice or standards of performance, or audits; and
- report cybersecurity incidents affecting the STCC or computers or computer systems interconnected or communicating with the STCC.
This is likely to create practical issues for essential service providers, who may need to renegotiate contractual arrangements with third-party providers of a system which is – potentially months or years after its procurement – subsequently designated as an STCC. Even with proprietary systems, essential service providers may be faced with a regulator request to reconfigure the system on short notice.
More Changes to Come – FDIs and ESCIs to be Introduced
Certain provisions of the Amendment Act remain pending and will commence by future notification by the Singapore authorities. Notably, these include two new categories of regulated systems/entities: Foundational Digital Infrastructure (FDI) and Entities of Special Cybersecurity Interest (ESCIs). Please refer to our previous blog post for a summary of the regulatory mechanisms surrounding them.
Recommendations
The Amendment Act marks a pivotal step in Singapore’s evolution toward a more robust and responsive cybersecurity framework, with the expanded regulatory scope recognising the realities of today’s interconnected digital environment. Essential service providers and their IT vendors are recommended to review compliance programs and contractual terms to ensure alignment with the new requirements. Organisations, especially those that may fall within the scope of FDI service providers and ESCIs, should also look out for the commencement of outstanding provisions.


