CSA to Raise Cybersecurity Standards for Critical Information Infrastructure Owners
2 March 2026
The Cyber Security Agency of Singapore (CSA) will require Critical Information Infrastructure Owners (CIIOs), auditors conducting audits for CIIOs, and licensed cybersecurity service providers providing penetration testing and managed security operations centre monitoring services to meet the Cyber Trust Mark (CTM) requirements, with the aim of raising baseline national cybersecurity standards of these organisations. This was announced at the Ministry of Digital Development and Information (MDDI) Committee of Supply Debates 2026.
With Singapore’s rapid digital transformation, many businesses are becoming increasingly reliant on technology. It is important for organisations, especially CIIOs and their vendors that have access to sensitive data or critical systems, to adhere to a common set of standards to stay ahead of emerging cyber threats. All CIIOs, approved auditors conducting audits for CIIOs, and licensed cybersecurity providers¹ are required to demonstrate that they meet the cybersecurity standards that match their risk profile. This means attaining tiered requirements under the CTM², a mark of distinction that recognises organisations with comprehensive cybersecurity measures and practices according to their risk profile. The CTM was enhanced last year to account for newer cyber risks in Cloud, Operational Technology security and Artificial Intelligence (AI) security to adapt to the fast-evolving digital landscape.
CIIOs will be given a two-year grace period (by end 2027) to obtain a CTM Level 5, the highest tier of the certification, for the non-CII systems under their control that support the organisation’s business operations/services. CII auditors will be given a one-year grace period (by end 2026) to obtain this mark at the organisation level for systems that support their business operations/services.
Licensed Cybersecurity Service Providers Required to Obtain Cyber Trust Mark Level 3 Certification
CSA conducted a four-week public consultation from 22 September 2025 to 21 October 2025 for the proposed changes to the licensing framework for licensed cybersecurity service providers. The intention was to raise the cyber hygiene posture of these providers who have access to sensitive data or systems belonging to their clients and reduce risks arising from cyber supply chain interdependencies. At the close of the consultation, CSA received 17 responses, with the majority of the respondents welcoming the move to increase baseline cyber hygiene for cybersecurity service providers.
Taking into account the feedback received, the changes were implemented in February 2026. Licensed cybersecurity service providers will now be required to obtain an active CTM Promoter (Tier 3) certification to ensure that they maintain an appropriate level of cyber hygiene. Licensees will be given a grace period until 31 December 2026 to obtain the CTM certification. Further details on CSA’s response to the public consultation can be found within the Closing Note to the Consultation on the Licensing Framework for Cybersecurity Service Providers.
1 Under Section 49 of the Cybersecurity Act, cybersecurity service providers who are engaged in the businesses of providing either or both penetration testing and managed security operations centre monitoring services will need to apply for a licence to provide the service(s) in Singapore.
2 The Cyber Trust Mark (CTM) serves as a mark of distinction for organisations to prove that they have put in place good cybersecurity practices and measures that are commensurate with their cybersecurity risk profile. There are five cybersecurity preparedness tiers, with 10 to 22 domains under each tier. Organisations can use the CTM risk assessment framework to identify which cybersecurity preparedness tier is more suitable for their needs. More details of the CTM can be read here.
