Singapore Cybersecurity Act 2024 amendments: what CII operators need to certify now

Mandatory Cyber Trust Mark Level 5, 2-hour APT reporting & third-party CII obligations – complete compliance roadmap for CIIOs

Published by ICFC Pte Ltd | April 2026 | 13 min read
Categories: ISO 27001 · ISO 27032 · Cybersecurity Act · CII · Cyber Trust Mark · Singapore compliance


Most of the Cybersecurity (Amendment) Act 2024 has been in force since 31 October 2025. The Cyber Security Agency of Singapore (CSA) announced mandatory Cyber Trust Mark certification requirements for Critical Information Infrastructure Owners (CIIOs) in March 2026. And parts of the Amendment Act, including the Entities of Special Cybersecurity Interest and Major Foundational Digital Infrastructure frameworks, have not yet commenced, so further obligations are still to come.

For organisations designated as, or supplying services to, Singapore's Critical Information Infrastructure operators, this is the most consequential regulatory period since the original Cybersecurity Act came into force in 2018.

⏰ Key deadlines at a glance
• CIIOs: Cyber Trust Mark Level 5 (for the non‑CII systems supporting business operations) by end‑2027
• CII approved auditors: CTM Level 5 by end‑2026
• Licensed cybersecurity service providers (CSPs): CTM Level 3 by end‑2026
• Two‑hour incident reporting (APT/supply chain) – already live since Oct 2025.

Background: Singapore's cybersecurity regulatory architecture

The original Cybersecurity Act 2018 established Singapore's statutory framework for CII across eleven critical sectors. The 2024 Amendment Act extends coverage to virtual systems, third-party-owned CII (3PO CII) and extraterritorial infrastructure, recognising modern cloud and outsourcing realities.

What commenced on 31 October 2025: key changes in force

1. Virtual computers and systems can now be designated as CII – Cloud-hosted VMs, containers and software-defined networks are no longer outside the Act's reach. Review your ISO 27001 ISMS scope so that any cloud-hosted system that is, or could be, designated as CII sits inside it.

2. New Part 3A: third-party-owned CII (3PO CII) – The Commissioner may designate a third‑party system (including overseas) as 3PO CII. The essential service provider becomes responsible for its cybersecurity, requiring binding contracts with providers for information access, standards compliance, and incident reporting.

3. Extraterritorial designation of provider-owned CII (PO CII) – Singapore-incorporated essential service providers cannot avoid CII obligations by hosting systems offshore; a system located wholly or partly outside Singapore can still be designated.

4. Expanded incident reporting scope – CII owners must now report APT incidents and supply chain incidents (incidents affecting supplier or interconnected systems, not only the CII itself) within two hours of becoming aware of them.

5. Systems of Temporary Cybersecurity Concern (STCCs) – Temporary designation for systems supporting national events or emergencies.

6. Enhanced enforcement powers – CSA can order audits, inspections, and entry; non‑compliance is a criminal offence.

March 2026 announcement: mandatory Cyber Trust Mark certification

CSA requires all CIIOs to achieve Cyber Trust Mark (CTM) Level 5 for the non-CII systems that support their business operations by end‑2027 (the CII systems themselves remain governed by the Act and its Code of Practice). Approved CII auditors must obtain CTM Level 5 by end‑2026, and licensed cybersecurity service providers (CSPs) CTM Level 3 by end‑2026. The CTM 2025 edition (SS 712:2025) now applies. Up to 65% of CTM controls map to ISO/IEC 27001:2022, making ISO 27001 the most efficient foundation.

What is still pending: ESCI and MFDI frameworks

Parts 3C (Entities of Special Cybersecurity Interest) and 3D (Major Foundational Digital Infrastructure) have not commenced. Organisations adjacent to CII sectors should monitor CSA announcements.

The CII compliance map: obligations, standards, and ISO integration

Existing CII obligations are enhanced: compliance with the Code of Practice, regular audits, risk assessments, two‑hour incident reporting, penetration testing and provision of information to the Commissioner. ISO/IEC 27001:2022 addresses these through Clause 6.1 (risk assessment), Annex A 5.19-5.22 (supplier relationships), A 5.23 (cloud services) and A 8.8 (vulnerability management). ISO/IEC 27032:2023, the guidelines for Internet security, complements this where CII is exposed to or interconnected through the Internet, including the IT/OT boundary that energy, water and transport operators manage; note that it is a guidance document rather than a certifiable control set, and OT-specific controls come from frameworks such as IEC 62443 rather than from ISO 27032 itself.

How ISO 27032 complements ISO 27001 for CII operators

ISO/IEC 27032:2023 is a guideline standard for Internet security: it addresses the risks that arise where an organisation's systems, including OT networks, are reachable from or interconnected through the Internet. For CII operators with OT environments it complements ISO 27001 at the IT/OT boundary (remote access, vendor connectivity, Internet-facing interfaces); it does not replace OT-specific control frameworks such as IEC 62443. ICFC implements integrated ISO 27001 + ISO 27032 scopes for CII operators in OT-heavy sectors.

Cyber Trust Mark: Level 5 and the ISO pathway

Level 5 requires mature governance, advanced threat detection, supply chain security, and privileged access controls. Starting from ISO 27001:2022 reduces the gap to about 35% additional controls. ICFC's integrated approach: conduct joint gap analysis, implement shared controls once, achieve ISO 27001 first (4‑8 months), then complete CTM Level 5 assessment.

Practical action plan for CII operators
Immediate (now – Q3 2026): map virtual/cloud CII, audit contracts for 3PO CII risk, update incident response plan for 2‑hour APT reporting, confirm ISO 27001:2022 transition, start CTM Level 5 gap assessment.
Medium-term (Q3 2026 – end 2027): implement additional CTM controls, engage CSA-approved auditor, prepare for CSA threat detection tools, monitor ESCI/MFDI commencement.

Sector‑specific considerations

Banking & Finance: Dual burden with MAS TRM and Cyber Hygiene Notice – integrate with ISO 27001.
Healthcare: Health Information Bill and MOH guidelines; recommended ISO 27001 + ISO 27701.
Energy & Utilities: Implement ISO 27001 + ISO 27032 integrated scope with OT Cybersecurity Masterplan.
Transport: Overlapping CAAS/MPA/LTA requirements; ISO 27001 as anchor.

Frequently asked questions

Not designated as CII – should I care? Yes – as a supplier you may fall under 3PO CII or future ESCI/MFDI.

Already ISO 27001:2022: how much work for CTM Level 5? ~65% already addressed; ICFC gap analysis typically finds 20‑35 specific control gaps.

Two‑hour APT reporting – realistic? Yes – initial notification within 2 hours is required; root cause can follow. Requires detection, escalation, pre‑drafted templates.

The bottom line

The Cybersecurity (Amendment) Act 2024 and March 2026 CTM mandates represent the most significant expansion since 2018. CII operators must act now: update incident response, secure 3PO CII contracts, achieve CTM Level 5 by end‑2027 with ISO 27001 as foundation. ICFC supports CII operators, technology vendors, and CSPs through integrated ISO 27001, ISO 27032, and Cyber Trust Mark certification.

About ICFC Pte Ltd
ISO certification partner since 2014, providing consultation, third‑party audit, and training across 25 industries. Contact: admin@icfc.com.sg | +65 8601 7001.


© 2026 ICFC Pte Ltd. This article is for informational purposes and does not constitute legal advice. Verify current requirements at csa.gov.sg.
