Under the new licensing framework, CSPs providing penetration testing services and managed security operations centre monitoring services will have to apply for a licence by 11 October 2022 (six months from the date the framework came into force). The aims of the licensing framework are to:
- Address the information asymmetry between consumers and CSPs
- Better safeguard consumers’ interests
- Improve CSPs’ standards
The licensing framework was developed with input from a public consultation conducted in September and October 2021 on how the CSA can achieve the three aims of the licensing framework.
The licensing framework supports the objectives of the CS Act, which established oversight and maintenance of Singapore’s cybersecurity through measures for cybersecurity incident response, as well as regulations for infrastructure owners and CSPs, in 2018. The four objectives of the CS Act are to:
- Strengthen the protection of critical information infrastructure against cyber-attacks
- Authorise the CSA to prevent and respond to cybersecurity threats and incidents
- Establish a framework for sharing cybersecurity information
- Establish a light-touch licensing framework for CSPs
CS Act licensing framework
The licensing framework is set out in Part 5 of the CS Act. Under section 49 of the CS Act, a CSP may continue its business until it receives the outcome of its license application or until 11 October 2022, whichever comes first.
The licensing framework requires CSPs to:
- Abide by standards set out in their license conditions
- Record information
- Notify changes to the CSA (see sections 27 and 29 of the CS Act)