In brief
The Cybersecurity Agency of Singapore (CSA) has concluded its public consultation on cybersecurity licensing framework updates and have published their conclusions and outcomes. Key changes include mandatory certification requirements, extended five-year licence validity, and streamlined notification processes. These new requirements are expected to come into force by end-2027.
Singapore will also be developing and deploying its own threat detection tools to help critical information infrastructure (CII) owners better detect advanced persistent threats. According to the CSA, this technology will be developed by the Centre for Strategic Infocomm Technologies, a technical agency in the Ministry of Defence.
Together, these developments signal a tightening both of defensive capabilities and regulatory expectations across Singapore's cybersecurity ecosystem.
In more detail
Cyber Trust mark certification requirements
The currently-voluntary Cyber Trust mark certification scheme, which certifies companies that demonstrate they have strong and appropriate cybersecurity practices, will soon be mandatory for owners of CII, auditors conducting cybersecurity checks for CII owners, and licensed cybersecurity service providers providing penetration testing and managed security operations centre monitoring services.
There are five cybersecurity preparedness levels, with 10 to 22 domains under each level.
CII owners will have until the end of 2027 to obtain the highest-tier Cyber Trust mark level 5 certification for their non-CII systems that support their business operations and services. Level 5 certification requires preparedness in 22 domains, including governance, asset protection, and secure access.
CII auditors and licensed cybersecurity service providers have until the end of 2026 to obtain Cyber Trust mark certification.
Residential routers will also need to meet level 2 requirements, from level 1, by 2027. Level 1 requirements include unique default passwords, vulnerability management processes, and keeping software updated. Level 2 requirements include stronger security for communications, storage of sensitive data and methods to verify users before granting access. Though current level 1 requirements address fundamental vulnerabilities, the authorities have expressed that these are insufficient against more sophisticated attacks that exploit weaknesses in data encryption, authentication mechanisms, and secure storage.
The CSA and Infommunications Development Media Authority (IMDA) are also looking into requiring internet protocol (IP) cameras to meet level 2 cybersecurity labelling standards, being another common target for cyberthreat actors.
Changes to licence validity, and notification timeframes
CSA has announced that following positive feedback from the public consultation, they will be proceeding with their proposed extension of licence validity to five years, with the aim of reducing the administrative burden on licensees; as well as the removal of requirements to report non-material changes, and the extension of the reporting window for key information changes from 14 to 30 calendar days.
New threat detection tools
As mentioned, the Singapore Government intends to help CII infrastructure owners defend against cyberattacks by equipping them with proprietary threat detection tools, which will complement their current commercial threat detection systems. The Government's aim is to avail some of their expertise to the private sector, to level the playing field between the defenders and the attackers.
Authorities have started deploying these tools in selected CII systems and will progressively deploy them across the rest.
While CII owners may need to incur costs to integrate these tools into their systems, the Government will also consider providing funding support if needed.
The Government also intends to selectively share classified threat intelligence to help CII owners better detect and respond to threats.
Key takeaways
These updates follow the recent coming into force of the amendments to Singapore's Cybersecurity Act 2018 in October 2025, and are further recognition of the need to protect against cybersecurity threat actors and in particular the targeting of critical systems.
Affected companies should review their certification status and licensing processes in light of these developments. Companies that fall outside of the regime may be indirectly affected and should also be mindful of these updates, as customers and regulators increasingly expect alignment with national cybersecurity standards.
If you would like to understand more about how these developments may affect you, please do not hesitate to reach out to your usual Baker McKenzie contact.
Even with these measures in place, the Government has cautioned that companies will need to be prepared for the reality that some threats will inevitably go undetected. It is imperative to remain vigilant and constantly enhance defensive capabilities.
* * * * *
Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.
© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.