Reed Smith Client Alerts

The Cyber Security Agency of Singapore (CSA) launched a licensing framework for cybersecurity service providers (CSPs) on 11 April 2022. In conjunction, Part 5 and the Second Schedule of the Cybersecurity Act 2018 (CS Act) came into force on the same date. This alert gives an overview of the licensing framework and what to expect in the future.

Authors: Bryan Tan Nathanael Yao Hui Lim Eng Han Goh

Background

Under the new licensing framework, CSPs providing penetration testing services and managed security operations centre monitoring services will have to apply for a licence by 11 October 2022 (six months from the date the framework came into force). The aims of the licensing framework are to:

  1. Address the information asymmetry between consumers and CSPs
  2. Better safeguard consumers’ interests
  3. Improve CSPs’ standards

The licensing framework was developed with input from a public consultation conducted in September and October 2021 on how the CSA can achieve the three aims of the licensing framework.

The licensing framework supports the objectives of the CS Act, which established oversight and maintenance of Singapore’s cybersecurity through measures for cybersecurity incident response, as well as regulations for infrastructure owners and CSPs, in 2018. The four objectives of the CS Act are to:

  1. Strengthen the protection of critical information infrastructure against cyber-attacks
  2. Authorise the CSA to prevent and respond to cybersecurity threats and incidents
  3. Establish a framework for sharing cybersecurity information
  4. Establish a light-touch licensing framework for CSPs

CS Act licensing framework

The licensing framework is set out in Part 5 of the CS Act. Under section 49 of the CS Act, a CSP may continue its business until it receives the outcome of its license application or until 11 October 2022, whichever comes first.

The licensing framework requires CSPs to:

  1. Abide by standards set out in their license conditions
  2. Record information
  3. Notify changes to the CSA (see sections 27 and 29 of the CS Act)