How Singapore Widened the Net

The amendment did not arrive with a siren. On 31 October 2025, a batch of changes to Singapore's Cybersecurity Act came quietly into force, and the legal meaning of the phrase "our systems" grew wider for a long list of companies that had assumed it never would.

For most of the past decade the boundary was comfortable. The Cyber Security Agency of Singapore, the CSA, kept watch over the critical computer systems that powered essential services and physically sat inside the country. A bank, a power utility, a hospital could point to the machines in its own racks and know roughly where its regulated risk began and ended. Push a workload offshore, or hand the running of it to a third party, and that boundary tended to soften in the operator's favour.

That softness is what the Cybersecurity (Amendment) Act 2024 was written to remove.

The Commissioner of Cybersecurity can now designate a computer system located wholly outside Singapore as critical information infrastructure, provided its owner is a person in Singapore and the system would have qualified had it sat onshore.

What actually changed

Read it from the CISO's chair first, because the mechanics are the whole story. The 2018 Act protected Critical Information Infrastructure, or CII, that was located wholly or partly in Singapore and, in practice, physical. The amendment closes two gaps that every modern architecture had quietly opened, and opens a third front for later.

The first gap is geography. If an essential-service provider in Singapore runs a critical system from a data centre in another jurisdiction, the CSA can now reach it. According to the Cyber Security Agency of Singapore, the test follows the service, not the postcode: if the system would have been designated had it been onshore, the location offshore no longer puts it out of reach. The same provisions confirm that virtual systems, not only physical hardware, fall within scope.

The second gap is ownership. A new Part 3A brings in the operator who relies on critical infrastructure it does not own, the third-party-owned CII. When a Singapore essential-service provider depends on a vendor's platform to keep the lights on, the regulator can now designate that arrangement and attach duties to it.

The third front is the one the article's premise points at, and it is moving more slowly by design. The 2024 Act also wrote in two new classes of regulated entity: Entities of Special Cybersecurity Interest, and Foundational Digital Infrastructure providers, the cloud platforms and data centres that quietly carry the country's digital economy. Those regimes, found in Parts 3C and 3D, were passed in 2024 but were deliberately left out of the October 2025 commencement. They are being switched on in stages. The net for foundational infrastructure is drawn in law; the regulator is choosing when to pull it tight.

Why the board should care

Designation is not a label a company opts into. Once the CSA designates a system, duties follow: compliance with codes of practice, cybersecurity audits, incident reporting against the regulator's clock, and adherence to written directions. The reputational and regulatory exposure that used to live with the company's own data centre now travels with the workload, wherever it runs and whoever runs it.

That last point is the one most likely to surprise a finance director. Outsourcing the operation of a critical system has never outsourced the accountability for it, and the amendment makes that explicit.

Responsibility for an offshore or vendor-run critical system now sits with the essential-service provider in Singapore, even when neither the asset nor the people running it are.

For most affected companies, the work surfaces first in their contracts. Cloud agreements and managed-service deals signed before this change rarely contain the audit-cooperation rights, notification timelines, and direction-compliance clauses the Act now assumes are there. The gap between what the law expects and what the paperwork allows is where the unbudgeted cost lives.

A regional pattern, not a Singapore quirk

It would be easy to file this as one city-state tidying its rulebook. The wider reporting suggests otherwise.

Look north. Malaysia's Cyber Security Act 2024, Act 854, came into force on 26 August 2024 and reaches across eleven National Critical Information Infrastructure sectors, from banking and finance to energy, healthcare, transport and water. Per Malaysia's National Cyber Security Agency, NACSA, designated entities carry mandatory risk assessments and audits by approved auditors, incident reporting against a tight statutory deadline, and a licensing regime for cybersecurity service providers themselves. Law firm Mayer Brown noted that with this Act, Malaysia joins China, Singapore, Japan and Australia among regional jurisdictions with dedicated cybersecurity statutes, and that Act 854 closely echoes Singapore's original 2018 framework.

The direction of travel is consistent across the region. The regulated perimeter is being redrawn to follow the workload rather than the building, and the obligations attach to the entity delivering the service, not the address where the servers happen to sit. Singapore did not invent this idea. It is showing, in unusual detail, how a mature digital economy intends to enforce it.

What to do before the letter arrives

The companies that treat designation as a someday problem will meet it as a deadline. The ones that prepare will meet it as paperwork. Five moves, in order:

  1. Map essential services to the systems that deliver them. Include the offshore systems and the vendor-run ones. The designation logic follows the service, so your map has to as well.

  2. Pull every cloud and managed-service contract. Check for audit-cooperation rights, incident-notification timelines, and the ability to meet a regulator's written directions. Flag the contracts that cannot.

  3. Stand up an incident-reporting clock. Know who decides a reportable event has occurred, who files, and how fast, before an incident forces you to invent the process live.

  4. Run a code-of-practice gap assessment now. Measure your current controls against the standards a designation would impose, while the timeline is yours and not the regulator's.

  5. Name the owner at board level. This is a governance question before it is a security one. Decide who carries it.

The net widened quietly, on a Friday, with no headline to mark it. The boundary that felt comfortable for a decade has moved, and it moved outward. The question for any company operating in the region is no longer where its critical systems are. It is whether the company can prove who answers for them.


Sources


Disclaimer

This article is provided for general information and does not constitute legal, regulatory, or professional advice. Cybersecurity legislation in Singapore, Malaysia, and across the region is subject to staged commencement and ongoing subsidiary regulation; the status of specific provisions may change after publication. Organisations should obtain advice specific to their circumstances and confirm the current force of any provision against the relevant official sources before acting.


How Singapore Widened the Net — FAQ
Content protected
AKATI Sekurity Insights · FAQ

How Singapore Widened the Net

The 2024 amendment extended oversight to overseas-hosted systems and foundational digital infrastructure. The questions below explain what moved, and when.

01What did Singapore's 2024 Cybersecurity Amendment Act change?+
It widened the Cyber Security Agency of Singapore's oversight beyond physical, onshore Critical Information Infrastructure to include overseas-hosted systems owned by Singapore entities, virtual systems, and systems owned by third-party vendors. It also created new regulated classes, including Foundational Digital Infrastructure providers.
02When did the amendments take effect?+
The Cybersecurity (Amendment) Act 2024 was passed on 7 May 2024. A first batch of key provisions came into force on 31 October 2025, including the extraterritorial and third-party-owned CII provisions. The Foundational Digital Infrastructure and Entities of Special Cybersecurity Interest regimes were enacted but left for staged commencement.
03Can Singapore regulate systems hosted outside the country?+
Yes. The Commissioner of Cybersecurity can designate a computer system located wholly outside Singapore as Critical Information Infrastructure if it is owned by a person in Singapore and would have qualified had it been onshore.
04What is Foundational Digital Infrastructure under the Act?+
Foundational Digital Infrastructure refers to digital services foundational to Singapore's economy and daily life, such as cloud service providers and data centres. The 2024 Act created this regulated class, with commencement staged separately from the October 2025 provisions.
05Does the law apply to critical systems run by third-party vendors?+
Yes. A new Part 3A brings third-party-owned CII into scope, so an essential-service provider that depends on a vendor's platform can have that arrangement designated and regulated, with accountability remaining with the Singapore provider.
06How does this compare to Malaysia's Cyber Security Act 2024?+
Malaysia's Act 854 came into force on 26 August 2024, establishing NACSA and regulating eleven National Critical Information Infrastructure sectors with mandatory audits, incident reporting, and licensing of cybersecurity service providers. It closely echoes Singapore's framework, reflecting a regional pattern of expanding cybersecurity oversight.
Next
Next

Nobody Knows Where Their Crypto Is. PCI Made That a Finding.