In more detail
Our previous client alerts from May 2024, April 2024 and March 2024 tracked the progress of the Amendment Act and set out its key provisions.
The following are some of the key amendments from the Amendment Act that took effect on 31 October 2025:
1. Expansion of CII definitions to cover virtualization
The Cybersecurity Act regulates CII, which are computers or computer systems that are necessary for the continuous delivery of essential services in Singapore. These definitions have been expanded to expressly include virtual computers and virtual computer systems. This reflects the increased use of and reliance on virtual over physical systems and confirms that CII providers are equally responsible for virtual systems.
2. CII located outside of Singapore
The Cybersecurity Act applies to CII located wholly or partly in Singapore. The Amendment Act expands this so the Commissioner of Cybersecurity (“Commissioner”) may designate computer or computer systems (including virtual computers and virtual computer systems) located wholly outside Singapore as regulated provider-owned CII. The Commissioner must be satisfied that the computer or computer system is necessary for the continuous delivery of an essential service (and its compromise would have a debilitating effect on the essential service), and that it would have been designated as provider-owned CII under the original Cybersecurity Act were it located wholly or partly in Singapore.
3. Essential service provider responsible for cybersecurity of third-party owned CII
This is a new category of regulated entity, intended to more appropriately address cases where providers of essential services use computing or virtualization vendors.
The new Part 3A of the Cybersecurity Act came into force, allowing the Commissioner to designate the provider of an essential service as responsible for the cybersecurity of third-party owned CII. This applies where the third-party owned CII is necessary for the continuous delivery of the provider’s essential service, and the compromise of the computer or computer system will have a debilitating effect on the availability of the essential service.
The third-party owned CII includes virtual computers and virtual computer systems, and these may be located within or outside Singapore. Part 3A imposes various obligations on the provider to supply information on this third-party CII, ensure it meets prescribed standards, report incidents with respect to the third-party CII, conduct audits and other obligations and Commissioner powers similar to those that apply to provider-owned CII.
4. Expansion of incident reporting obligations
Section 14 of the Cybersecurity Act required CII owners to report incidents involving any computer or computer system under their control that is interconnected with or communicates with the CII. This is expanded under the Amendment Act to also cover any other computer or computer system, under the owner’s control and under the control of the owner’s supplier, that is interconnected with or communicates with the provider-owned CII.
Although not strictly under the Amendment Act, the new Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations 2025 also took effect on 31 October 2025. This creates specific reporting obligations for CII owners in relation to incidents suspected to be caused by advanced persistent threats (see our client alert on this).
5. STCC
The new Part 3B of the Cybersecurity Act, regulating STCCs, came into force. STCCs are computers or computer systems designated by the Commissioner for a limited period as having a high risk of suffering a cybersecurity threat or incident, where their compromise would have a serious detrimental effect on Singapore’s national security, defense, foreign relations, economy, public health, public safety or public order. Examples provided by the Cybersecurity Agency include “systems used to fulfil a temporal need, such as the supporting of governmental election processes or the distribution of vaccines during a pandemic.”
The Amendment Act imposes similar obligations on owners of STCCs as apply to CII owners, including information provision and incident reporting obligations. The Commissioner also has broad powers to require specific actions to be taken and standards to be met by the STCC owner during the period of designation. The relevant computers or computer systems include virtual computers and virtual computer systems, and may be located within or outside Singapore.
Note that key provisions of the Amendment Act relating to Entities of Special Cybersecurity Interest (new Part 3C of the Cybersecurity Act), FDI (new Part 3D of the Cybersecurity Act) and updates to the penalty regime are not yet in force.
In particular, the regulation of FDI service providers has been watched closely, as these cover cloud computing services and data center facility services, imposing various obligations, standards of performance and codes of practice.
The introduction of a new right of the Cybersecurity Agency to bring actions in court for civil penalties with the Public Prosecutor’s consent, instead of criminal prosecution, is also an important change to the government’s enforcement rights, but is yet to come into force.
Key takeaways
These long-awaited amendments to the Cybersecurity Act are now in effect, implementing important updates to reflect advances in technology and the cyber threat and security landscape.
The Amendment Act clearly recognizes the need to protect against cybersecurity threat actors and, in particular, the targeting of operational vulnerabilities of critical systems to disrupt society.
In particular, the recognition of virtual computers and computer systems as forming CII is a necessary update to reflect the reality that use of virtual systems is increasingly common over physical hardware, and providers should remain responsible for the cybersecurity of these systems.
This goes hand in hand with the regulation of providers responsible for third-party owned CII and the expansion of CII to cover computer or computer systems where they are located outside of Singapore. With globalized use of cloud computing and systems by overseas service providers, the Cybersecurity Act catches up to ensure it covers essential service providers’ increasing reliance on these systems.
Cybersecurity and the threat of disruption to essential services and important temporary events remain key concerns for the government.
The coming into force of the further provisions imposing direct cybersecurity obligations on FDI (i.e., cloud computing services and data center facility services) is eagerly awaited.
* * * * *
© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
