
MCI and CSA to refine designation of Critical Information Infrastructures (CIIs) and duties of CII owners in Singapore’s proposed Cybersecurity Bill


The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) have released a report on the public consultation on the proposed Cybersecurity Bill. The draft bill was released in July 2017. The original submission deadline of 3 August 2017 was extended in response to requests for more time to provide feedback.

92 submissions were received from a wide and diverse range of stakeholder groups at the close of the public consultation on the draft Bill from 10 July to 24 August 2017.

Respondents included local and international organisations, multi-national companies, industry and professional associations, sector regulators, academia and members of the public. During this period, CSA also participated in dialogues with industry organisations and attended sessions organised by professional associations for their members and the public to address queries regarding the Bill.

Respondents generally shared the Singapore Government’s concerns on the impact of increasingly sophisticated cyber-attacks which could potentially cause major disruptions, or even cripple the economy. Respondents acknowledged the timeliness and importance of the Bill in setting the necessary legislative framework for proactive oversight and response to cyber threats and incidents.

Several respondents also agreed with the need for cybersecurity information-sharing between CSA and other organisations, including the need to safeguard the information source and information disclosed.

However, respondents had some reservations about the proposed licensing framework.

Following careful deliberation, MCI and CSA intend to refine the Bill in several aspects. The clauses to be refined include the following:

Designation of Critical Information Infrastructures (CIIs) – Some respondents felt that the proposed definition of CIIs was too broad and asked for more clarity on the scope of “computers” and “computer systems” that might be designated as CIIs.

MCI and CSA have clarified that this definition is intended to formalise existing engagements with CII stakeholders, which have been in place since 2013. The Bill will be amended to clarify that only systems which have been explicitly designated by the Commissioner will be considered CIIs.

All other computers and computer systems will not be considered CIIs, and the obligations in Part 3 of the Bill therefore do not apply to them. Specifically, computer systems in the supply chain supporting the operation of a CII will not be designated as CIIs; third-party vendors will therefore not be considered owners of CIIs.

CII owners are ultimately responsible for the cybersecurity of their CIIs. If need be, CII owners can impose cybersecurity requirements contractually on their vendors.

Duties of CII owners – Respondents suggested that any codes of practice and standards of performance required under the Bill should take into consideration any existing codes and standards that CII owners were already required to comply with, e.g. sectoral regulations, in order to avoid inconsistencies and confusion.

In response, MCI and CSA plan to work closely with sector regulators to streamline and harmonise the obligations of CII owners under the Bill with their respective sectoral regulations.

The appointment of Assistant Commissioners to oversee CIIs in each sector will ensure that the Bill requirements are sensible and take into account existing sector-specific requirements, including international requirements. This is because the sector regulators understand the unique contexts and complexities in each sector, and are in a good position to balance the sectors’ cybersecurity needs and business requirements.

Requirements of licensing regime – Several respondents expressed reservations about the proposed licensing framework. Some respondents were against licensing of cybersecurity service providers in any form as they felt that licensing could impact the development of a vibrant cybersecurity ecosystem in Singapore.

To strike a balance between industry development and security needs, MCI and CSA intend to simplify the licensing framework by doing away with the licensing of individual cybersecurity professionals, and removing the distinction between “investigative” and “non-investigative” types of licensable services.

This is expected to make the Bill more future-proof, and enable it to stay relevant even as cybersecurity services continue to evolve. At this point, MCI and CSA intend to license only penetration testing and managed security operations centre (SOC) monitoring service providers, as such services are already mainstream and widely adopted.

