Singapore is looking to strengthen its cybersecurity framework amidst rising cyber risks and increasing pressure from threat actors. In line with this, the Cyber Security Agency of Singapore (“CSA“) will be embarking on efforts relating to: (i) protection of Critical Information Infrastructure (“CII“); and (ii) cybersecurity labelling requirements.
Strengthening Protection of CII
- Cyber Trust Mark: CSA will require CII Owners (“CIIOs“), auditors conducting audits for CIIOs, and licensed cybersecurity service providers providing penetration testing and managed security operations centre monitoring services to meet the Cyber Trust Mark (“CTM“) requirements, with the aim of raising baseline national cybersecurity standards of these organisations. CIIOs must obtain a CTM Level 5, the highest tier of the certification, for the non-CII systems under its control that support the organisation’s business operations/services, by end 2027. CII auditors must obtain this mark at the organisation level for systems that support its business operations/services by end 2026.
- Review of CII framework: CSA is reviewing the scope of the current cybersecurity standards and obligations, and may include non-CII systems, such as networks that are interconnected with the CII systems. Sector Leads may introduce additional sector-specific obligations that are adapted for their sector. For example, the Infocomm Media Development Authority (“IMDA“) will be enhancing its cybersecurity regulations for the telecommunications operators. IMDA also intends to provide guidance for areas such as managing virtualisation of infrastructure and credential management.
- Cybersecurity tools: The Singapore Government will avail some of its expertise to the private sector, including the following:
- selective sharing of classified threat intelligence with CIIOs;
- equipping CIIOs with proprietary threat detection systems; and
- CSA collaborating with CIIOs to test the use of technologies such as artificial intelligence, to help enhance their efficiency and effectiveness of their cybersecurity operations.
Cybersecurity Labelling Requirements
CSA will work with IMDA to raise mandatory cybersecurity requirements for residential routers from Cybersecurity Labelling Scheme (“CLS“) Level 1 to Level 2 by 2027. The CLS rates the cybersecurity levels of Internet-of-Things (IoT) devices through a tiered labelling system.
Currently, all residential routers sold in Singapore must meet CLS Level 1 requirements. To better protect consumers from cyber threats, CSA will raise the mandatory cybersecurity requirements for routers to CLS Level 2, under which manufacturers need to ensure that residential routers incorporate stronger security measures such as secure communications, secure storage of sensitive data and robust authentication mechanisms to better protect users’ data and privacy.
CSA is also exploring requiring IP cameras to meet CLS Level 2. CSA will continue to monitor and review if more digital devices should be required to meet minimum cybersecurity standards.
Click on the following links for more information (available on the CSA website at www.csa.gov.sg):
- Senior Minister of State, Tan Kiat How, Committee of Supply 2026 Speech, Safeguarding our Digital Space in a Digital Age
- CSA Press Release titled “CSA to Raise Cybersecurity Standards for Critical Information Infrastructure Owners”
- CSA Press Release titled “Government to Raise Cybersecurity Labelling Requirements for Residential Routers”
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
