On April 3, 2024, the Cybersecurity (Amendment) Bill No. 15/2024 was introduced and read for the first time. In particular, the Cyber Security Agency of Singapore (CSA) published a press release, on April 3, 2024, outlining that the bill aims to amend the Cybersecurity Act 2018 (the Act) so that its scope is expanded beyond the current critical information infrastructure (CII) that it covers. Specifically, the bill provides that CII owners are responsible for the cybersecurity and cyber resilience of CII and must report incidents, including those that happen in their supply chains.

In addition, the bill provides that the CSA may designate entities of special cybersecurity interest (ESCI) if they hold sensitive information or perform a function of national interest, such that their disruption would impact the defense, economy, or public health of Singapore, among other things. However, the CSA clarified that the obligations applicable to ESCI are not the same as those for CIIs. Notably, the bill also provides that the CSA may proactively secure Systems of Temporary Cybersecurity Concern (STCCs), where computer systems that are critical to Singapore are at high risk of cyberattacks owing to certain events.

The bill also details obligations applicable to foundational digital infrastructure services, such as cloud service providers and data centers.

You can read the CSA press release here and the bill here.

Update: May 7, 2024

Bill passed by Parliament

On May 7, 2024, Josephine Teo, the Singapore Minister for Communications and Information, announced, via LinkedIn, that the bill had been passed, on the same date, by the Parliament of Singapore.

You can read the LinkedIn post here and the bill here.