Cybersecurity (Cybersecurity Service Providers) Regulations 2022

Status:

Current version
as at 21 Nov 2024

No. S 304

Cybersecurity Act 2018

Cybersecurity
(Cybersecurity Service Providers)
Regulations 2022

In exercise of the powers conferred by section 48 of the Cybersecurity Act 2018, Mrs Josephine Teo, Minister for Communications and Information and Second Minister for Home Affairs who is charged with the responsibility for cybersecurity, makes the following Regulations:

Citation and commencement

1. These Regulations are the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and come into operation on 11 April 2022.

Applications for grant or renewal of licence

2.—(1) Subject to paragraph (4), every application for the grant or renewal of a cybersecurity service provider’s licence under section 26 of the Act must be made electronically using the electronic application service provided by the licensing officer mentioned in section 25 of the Act at https://www.gobusiness.gov.sg/licences.

(2) The application for the grant or renewal of a licence must include the following:

(a)

where the applicant is an individual —

(i)

the applicant’s name;

(ii)

the applicant’s identity card number, work pass number, passport number or foreign identification number;

(iii)

the applicant’s nationality;

(iv)

the applicant’s residential address and, if different, the applicant’s correspondence address;

(v)

the applicant’s contact telephone number and email address;

(vi)

information relating to —

(A)	the applicant’s qualification or experience (if any) relating to the licensable cybersecurity service for which a licence is sought;
(B)	where the applicant does not have any qualification or experience relating to the licensable cybersecurity service for which a licence is sought — the qualification or experience of the applicant’s employees or proposed employees having supervisory responsibility relating to the licensable cybersecurity service; or
(C)	where sub-paragraphs (A) and (B) are not applicable — the business partnership, consortium or other legal arrangement (if any) through which the applicant proposes to provide the licensable cybersecurity service;

(vii)

information as to whether the applicant has been convicted in Singapore or elsewhere of —

(A)	an offence involving fraud, dishonesty or moral turpitude; or
(B)	an offence the conviction for which involves a finding that the applicant had acted fraudulently or dishonestly;

(viii)

information as to whether the applicant has had a judgment entered against the applicant in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on the part of the applicant;

(ix)

information as to whether the applicant is or was suffering from a mental disorder;

(x)

information as to whether the applicant is an undischarged bankrupt or has entered into a composition with any creditor of the applicant;

(xi)

information as to whether the applicant has had a licence revoked by the licensing officer previously; and

(xii)

any other information that may be specified by the licensing officer in the electronic application service mentioned in paragraph (1);

(b)

where the applicant is a business entity —

(i)

the applicant’s name;

(ii)

the applicant’s —

(A)	Singapore unique entity number; or
(B)	business entity registration number in the foreign country or territory that the applicant is incorporated or registered in;

(iii)

the address of the applicant’s registered office or principal place of business;

(iv)

if the address in sub-paragraph (iii) is outside Singapore, the address of the applicant’s principal place of business or address for service in Singapore;

(v)

the applicant’s contact telephone number and email address;

(vi)

the particulars mentioned in sub‑paragraph (a) (except sub‑paragraph (a)(vi)(B) and (C)) in respect of every director or partner of the applicant or other person who is responsible for the management of the applicant, with each reference in sub‑paragraph (a) to the applicant substituted with a reference to the director, partner or other person, as the case may be;

(vii)

where no director or partner of the applicant or other person who is responsible for the management of the applicant has any qualification or experience relating to the licensable cybersecurity service for which a licence is sought — information relating to the qualification or experience of the applicant’s employees or proposed employees having supervisory responsibility relating to the licensable cybersecurity service for which a licence is sought;

(viii)

information as to whether the applicant has been convicted in Singapore or elsewhere of —

(A)	an offence involving fraud, dishonesty or moral turpitude; or
(B)	an offence the conviction for which involves a finding that the applicant had acted fraudulently or dishonestly;

(ix)

(x)

information as to whether the applicant is in liquidation or is the subject of a winding up order, or there is a receiver appointed in relation to the applicant, or the applicant has entered into a composition or scheme of arrangement with any creditor of the applicant;

(xi)

information as to whether the applicant has had a licence revoked by the licensing officer previously; and

(xii)

any other information that may be specified by the licensing officer in the electronic application service mentioned in paragraph (1).

(3) An application for the renewal of a licence must be made no later than 2 months before the date of expiry of the licence.

(4) If the electronic application service is not operating or available, an application for the grant or renewal of a licence must be made in such written form as the licensing officer may require.

(5) If an application for the renewal of a licence cannot be submitted in accordance with paragraph (1) within the time specified in paragraph (3) due to the unavailability of the electronic application service, an application in such written form mentioned in paragraph (4) must be submitted on the next working day to the licensing officer.

(6) In this regulation, “employee having supervisory responsibility relating to the licensable cybersecurity service”, in relation to an applicant, means an employee of the applicant who is responsible for supervising or managing the provision of a licensable cybersecurity service or any part of a licensable cybersecurity service by any other employee of the applicant.

Licence fee

3.—(1) The fee payable for the grant or renewal of a licence is the following:

(a)

where the applicant is an individual —

(i)	$125 per year or part of a year, where the application is made to the licensing officer during the initial period; or
(ii)	$250 per year or part of a year, where the application is made to the licensing officer after the expiry of the initial period;

(b)

where the applicant is a business entity —

(i)	$250 per year or part of a year, where the application is made to the licensing officer during the initial period; or
(ii)	$500 per year or part of a year, where the application is made to the licensing officer after the expiry of the initial period.

(2) The licensing officer may, where the licensing officer considers appropriate, refund or remit the whole or part of any fee paid or payable under paragraph (1).

(3) In this regulation, “initial period” means the period from 11 April 2022 to 10 April 2023 (both dates inclusive).

Keeping of records

4.—(1) For the purposes of section 29(1)(a)(v) of the Act, a licensee must, in relation to each occasion on which the licensee is engaged to provide its cybersecurity service, keep records of the information specified in paragraph (2) in respect of every person who delivers the cybersecurity service on behalf of the licensee.

(2) For the purposes of paragraph (1) —

(a)

the information for which records must be kept in respect of every individual who delivers any part of the cybersecurity service on behalf of the licensee, whether or not the individual is an employee of the licensee, is the following:

(i)	the individual’s name;
(ii)	the individual’s identity card number, work pass number, passport number or foreign identification number; and

(b)

the information for which records must be kept in respect of every business entity which delivers any part of the cybersecurity service on behalf of the licensee is the following:

(i)

the business entity’s name;

(ii)

the business entity’s —

(A)	Singapore unique entity number; or
(B)	business entity registration number in the foreign country or territory that the business entity is incorporated or registered in.

Appeals

5. An appeal made under section 35(1), (2), (3) or (4) of the Act must —

(a)

be made in the form set out at https://www.mci.gov.sg;

(b)

specify the name and particulars of the person bringing the appeal (called in this regulation the appellant);

(c)

identify the decision or order appealed against;

(d)

state the reasons for the appeal and the issues arising from the appeal;

(e)

be accompanied by any document mentioned in, or relied on in support of, the appeal; and

(f)

be signed and dated —

(i)	where the appellant is an individual — by that individual or a duly authorised representative of the individual; or
(ii)	where the appellant is a business entity — by a duly authorised representative of the business entity.

Made on 6 April 2022.

JOSEPH LEONG WENG KEONG

Permanent Secretary
(Cybersecurity),
Prime Minister’s Office,
Singapore.

[CSA.0007.200003; AG/LEGIS/SL/70A/2015/7 Vol. 1]

Search within Legislation