Singapore: The Cybersecurity Act, 2018
The Cybersecurity Act, 2018, is Singapore’s primary law governing cybersecurity, and it seeks to establish a framework for maintaining the cybersecurity of Singapore’s essential services and critical information infrastructure. The Act empowers the Cyber Security Agency of Singapore (CSA) to manage and respond to cybersecurity incidents and impose cybersecurity obligations on certain entities in Singapore.
Under the Act, the government can conduct inspections and investigations and require certain entities to take appropriate measures to address cybersecurity incidents. It also mandates the sharing of cybersecurity information between relevant parties to enhance the country’s cybersecurity. Additionally, the Act provides for personal data protection in line with Singapore’s Personal Data Protection Act.
The Cybersecurity Act, 2018, aims to enhance Singapore’s cybersecurity posture and resilience, protect against cyber threats, and secure the country’s critical information infrastructure and essential services. The Act places the onus on all stakeholders to play a part in securing Singapore’s cyberspace and provides a legal framework for the government to take action against entities that fail to meet their cybersecurity obligations.
PART 1 – PRELIMINARY
Section
1 – Short title and commencement
2 – Interpretation
3 – Application of Act
PART 2 – ADMINISTRATION
Section
4 – Appointment of Commissioner of Cybersecurity and other officers
5 – Duties and functions of Commissioner
6 – Appointment of authorised officers
PART 3 – CRITICAL INFORMATION INFRASTRUCTURE
7 – Designation of critical information infrastructure
8 – Power to obtain information to ascertain if computer, etc., fulfils criteria of critical information infrastructure
9 – Withdrawal of designation of critical information infrastructure
10 – Furnishing of information relating to critical information infrastructure
11 – Codes of practice and standards of performance
12 – Power of Commissioner to issue written directions
13 – Change in ownership of critical information infrastructure
14 – Duty to report cybersecurity incident in respect of critical information infrastructure, etc.
15 – Cybersecurity audits and risk assessments of critical information infrastructure
16 – Cybersecurity exercises
17 – Appeal to Minister
18 – Appeals Advisory Panel
PART 4 – RESPONSES TO CYBERSECURITY THREATS AND INCIDENTS
19 – Powers to investigate and prevent cybersecurity incidents, etc.
20 – Powers to investigate and prevent serious cybersecurity incidents, etc.
21 – Production of identification card by incident response officer
22 – Appointment of cybersecurity technical experts
23 – Emergency cybersecurity measures and requirements
PART 5 – CYBERSECURITY SERVICE PROVIDERS
24 – No person to provide licensable cybersecurity service without licence
25 – Licensing officer and assistant licensing officers
26 – Grant and renewal of licence
27 – Conditions of licence
28 – Form and validity of licence
29 – Duty to keep records
30 – Revocation or suspension of licence
31 – Unlicensed cybersecurity service provider not to recover fees, etc.
32 – Financial penalty
33 – Licensing officer to give opportunity to make representations before ordering financial penalty
34 – Recovery of financial penalties
35 – Appeal to Minister
PART 6 – GENERAL
36 – Offences by corporations
37 – Offences by unincorporated associations or partnerships
38 – Powers of investigation
39 – Power to enter premises under warrant
40 – Jurisdiction of court
41 – Composition of offences
42 – Service of documents
43 – Preservation of secrecy
44 – Protection from personal liability
45 – Protection of informers
46 – General exemption
47 – Amendment of Schedules
48 – Regulations
49 – Related amendments to Computer Misuse and Cybersecurity Act
50 – Consequential amendments to other Acts
51 – Saving and transitional provisions
First Schedule — Essential services
Second Schedule — Licensable cybersecurity services







