How Singapore Widened the Net
The amendment did not arrive with a siren. On 31 October 2025, a batch of changes to Singapore's Cybersecurity Act came quietly into force, and the legal meaning of the phrase "our systems" grew wider for a long list of companies that had assumed it never would.
For most of the past decade the boundary was comfortable. The Cyber Security Agency of Singapore, the CSA, kept watch over the critical computer systems that powered essential services and physically sat inside the country. A bank, a power utility, a hospital could point to the machines in its own racks and know roughly where its regulated risk began and ended. Push a workload offshore, or hand the running of it to a third party, and that boundary tended to soften in the operator's favour.
That softness is what the Cybersecurity (Amendment) Act 2024 was written to remove.
The Commissioner of Cybersecurity can now designate a computer system located wholly outside Singapore as critical information infrastructure, provided its owner is a person in Singapore and the system would have qualified had it sat onshore.
What actually changed
Read it from the CISO's chair first, because the mechanics are the whole story. The 2018 Act protected Critical Information Infrastructure, or CII, that was located wholly or partly in Singapore and, in practice, physical. The amendment closes two gaps that every modern architecture had quietly opened, and opens a third front for later.
The first gap is geography. If an essential-service provider in Singapore runs a critical system from a data centre in another jurisdiction, the CSA can now reach it. According to the Cyber Security Agency of Singapore, the test follows the service, not the postcode: if the system would have been designated had it been onshore, the location offshore no longer puts it out of reach. The same provisions confirm that virtual systems, not only physical hardware, fall within scope.
The second gap is ownership. A new Part 3A brings in the operator who relies on critical infrastructure it does not own, the third-party-owned CII. When a Singapore essential-service provider depends on a vendor's platform to keep the lights on, the regulator can now designate that arrangement and attach duties to it.
The third front is the one the article's premise points at, and it is moving more slowly by design. The 2024 Act also wrote in two new classes of regulated entity: Entities of Special Cybersecurity Interest, and Foundational Digital Infrastructure providers, the cloud platforms and data centres that quietly carry the country's digital economy. Those regimes, found in Parts 3C and 3D, were passed in 2024 but were deliberately left out of the October 2025 commencement. They are being switched on in stages. The net for foundational infrastructure is drawn in law; the regulator is choosing when to pull it tight.
Why the board should care
Designation is not a label a company opts into. Once the CSA designates a system, duties follow: compliance with codes of practice, cybersecurity audits, incident reporting against the regulator's clock, and adherence to written directions. The reputational and regulatory exposure that used to live with the company's own data centre now travels with the workload, wherever it runs and whoever runs it.
That last point is the one most likely to surprise a finance director. Outsourcing the operation of a critical system has never outsourced the accountability for it, and the amendment makes that explicit.
Responsibility for an offshore or vendor-run critical system now sits with the essential-service provider in Singapore, even when neither the asset nor the people running it are.
For most affected companies, the work surfaces first in their contracts. Cloud agreements and managed-service deals signed before this change rarely contain the audit-cooperation rights, notification timelines, and direction-compliance clauses the Act now assumes are there. The gap between what the law expects and what the paperwork allows is where the unbudgeted cost lives.
A regional pattern, not a Singapore quirk
It would be easy to file this as one city-state tidying its rulebook. The wider reporting suggests otherwise.
Look north. Malaysia's Cyber Security Act 2024, Act 854, came into force on 26 August 2024 and reaches across eleven National Critical Information Infrastructure sectors, from banking and finance to energy, healthcare, transport and water. Per Malaysia's National Cyber Security Agency, NACSA, designated entities carry mandatory risk assessments and audits by approved auditors, incident reporting against a tight statutory deadline, and a licensing regime for cybersecurity service providers themselves. Law firm Mayer Brown noted that with this Act, Malaysia joins China, Singapore, Japan and Australia among regional jurisdictions with dedicated cybersecurity statutes, and that Act 854 closely echoes Singapore's original 2018 framework.
The direction of travel is consistent across the region. The regulated perimeter is being redrawn to follow the workload rather than the building, and the obligations attach to the entity delivering the service, not the address where the servers happen to sit. Singapore did not invent this idea. It is showing, in unusual detail, how a mature digital economy intends to enforce it.
What to do before the letter arrives
The companies that treat designation as a someday problem will meet it as a deadline. The ones that prepare will meet it as paperwork. Five moves, in order:
Map essential services to the systems that deliver them. Include the offshore systems and the vendor-run ones. The designation logic follows the service, so your map has to as well.
Pull every cloud and managed-service contract. Check for audit-cooperation rights, incident-notification timelines, and the ability to meet a regulator's written directions. Flag the contracts that cannot.
Stand up an incident-reporting clock. Know who decides a reportable event has occurred, who files, and how fast, before an incident forces you to invent the process live.
Run a code-of-practice gap assessment now. Measure your current controls against the standards a designation would impose, while the timeline is yours and not the regulator's.
Name the owner at board level. This is a governance question before it is a security one. Decide who carries it.
The net widened quietly, on a Friday, with no headline to mark it. The boundary that felt comfortable for a decade has moved, and it moved outward. The question for any company operating in the region is no longer where its critical systems are. It is whether the company can prove who answers for them.
Sources
Cyber Security Agency of Singapore, First Reading of the Cybersecurity (Amendment) Bill. https://www.csa.gov.sg/news-events/press-releases/csa-first-reading-of-the-cybersecurity-(amendment)-bill/
Singapore Statutes Online, Cybersecurity (Amendment) Act 2024 (No. 19 of 2024). https://sso.agc.gov.sg/Acts-Supp/19-2024/Published/20240704
National Cyber Security Agency Malaysia, Cyber Security Act 2024 [Act 854]. https://www.nacsa.gov.my/act854.php
Mayer Brown, Malaysia's New Cyber Security Act 2024: A Summary and Brief Comparative Analysis. https://www.mayerbrown.com/en/insights/publications/2024/12/malaysias-new-cyber-security-act-2024-a-summary-and-brief-comparative-analysis
Disclaimer
This article is provided for general information and does not constitute legal, regulatory, or professional advice. Cybersecurity legislation in Singapore, Malaysia, and across the region is subject to staged commencement and ongoing subsidiary regulation; the status of specific provisions may change after publication. Organisations should obtain advice specific to their circumstances and confirm the current force of any provision against the relevant official sources before acting.
How Singapore Widened the Net
The 2024 amendment extended oversight to overseas-hosted systems and foundational digital infrastructure. The questions below explain what moved, and when.