The first dedicated cybersecurity framework in Singapore has been passed by the country's parliament

The Cybersecurity Act (87-page / 251KB PDF) will apply to organisations that are designated as operating 'critical information infrastructure' (CII) in Singapore. Organisations in the energy, telecoms, water, health, banking, transport and media sectors are among those that could be impacted.

A new commissioner of cybersecurity in Singapore will be tasked with selecting the specific organisations to designate as CII owners subject to the new regime. Organisations will be able to raise an appeal against the designations to Singapore government ministers.

Under the Act, CII owners will be subject to a number of requirements. These include a duty to report certain cybersecurity incidents to the commissioner of cybersecurity, and to disclose certain information to the commissioner regarding its CII, including on the "design, configuration and security" of that infrastructure.

In addition, CII owners could be subject to investigations from Singapore authorities regarding cybersecurity threats or incidents, and forced to take remedial action where deficiencies in security measures are found.

CII owners will also need to undertake periodic cybersecurity audits and risk assessments and could be further required to adhere to codes of practice or standards that the commissioner of cybersecurity has the power to issue under the new Act, as well as participate in cybersecurity testing exercises.