What is a critical information infrastructure under the Cybersecurity Act?

What the Law Says

The Cybersecurity Act 2018 defines and empowers the designation of critical information infrastructure (CII) to safeguard systems essential to Singapore’s national interests.

Under the Cybersecurity Act 2018, a 'critical information infrastructure' means a computer system or network that is necessary for the continuous delivery of essential services — and whose disruption or compromise would have a debilitating impact on national security, defence, foreign relations, the economy, public health, safety, or the orderly conduct of government.

The Minister for Communications and Information has the authority to designate any computer system or network as CII if it meets this definition and falls within one of the 11 specified sectors — including energy, water, healthcare, banking, transport, and infocomm.

Once designated, the owner or operator of the CII must comply with cybersecurity obligations, such as reporting incidents, conducting audits, and adhering to codes of practice issued by the Cyber Security Agency of Singapore (CSA).

Statutory Text

‘critical information infrastructure’ means a computer system or network, whether physical or virtual, which is necessary for the continuous delivery of an essential service, the failure or compromise of which would have a debilitating impact on the availability, integrity or confidentiality of the essential service, or on national security, defence, foreign relations, the economy, public health, safety or the orderly conduct of government;

— Cybersecurity Act 2018, s. 7 — Interpretation

What to Do

Sources