In brief

At the MDDI Committee of Supply Debate on 2 March 2026, Senior Minister of State for Digital Development and Information Mr Tan Kiat How ("SMS Tan") set out a series of forthcoming developments that will reshape aspects of Singapore's cybersecurity regulatory landscape. These include a review of the scope of cybersecurity standards and obligations, enhanced regulations for telecommunications operators, Singapore's approach to quantum-safe migration, and the extension of Cyber Trust Mark ("CTM") requirements to new categories of entities. Consultations with stakeholders are ongoing, with measures to be implemented progressively over the next two years.

In more detail

SMS Tan announced that the Cyber Security Agency of Singapore ("CSA") is reviewing the scope of the current cybersecurity standards and obligations to potentially include non-CII systems such as networks that are interconnected with Critical Information Infrastructure ("CII") systems. CSA will also selectively share classified threat intelligence with CII Owners, and equip CII Owners with proprietary threat detection systems to strengthen their abilities to detect malicious activities on their networks, complementing the existing commercial threat detection systems used by CII Owners.

SMS Tan further announced that the Infocomm Media Development Authority ("IMDA") will enhance its cybersecurity regulations for telecommunications operators, given recent cyberattacks, and that IMDA intends to issue guidance for areas such as managing virtualisation of infrastructure and credential management.

SMS Tan confirmed that Singapore adopts the position that Post-Quantum Cryptography ("PQC") will be the mainstream solution for quantum-safe migration, and Singapore will take reference from the US National Institute of Standards and Technology as a baseline. SMS Tan noted that Singapore takes a risk-oriented approach to quantum-safe migration and is deploying two quantum-safe networks nationwide through the National Quantum-Safe Network Plus initiative.

The speech also flagged two extensions of the CTM regime:

  • GovTech will require government vendors that manage critical systems and sensitive government data to meet CTM requirements.
  • CSA will require three further groups of entities to meet CTM requirements: CII Owners, auditors conducting cybersecurity audits on CII systems, and CSA's licensed Cybersecurity Service Providers providing penetration testing and managed security operations centre services.

Key takeaways

The announcements set out the near-term direction of travel for Singapore's cybersecurity regulatory framework.

The speech is available at: https://www.csa.gov.sg/news-events/speeches/senior-minister-of-state-tan-kiat-how-committee-of-supply-2026-speech/ 

* * * * *

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
