In Force
CSA Cybersecurity Code of Practice for Critical Information Infrastructure
Also known as: CSA CCoP (Singapore)
Mandatory code of practice under Singapore's Cybersecurity Act for Critical Information Infrastructure (CII) owners. Establishes cybersecurity risk management, incident reporting, and audit requirements for 11 CII sectors.
Jurisdiction
Singapore
Regulator
—
Effective
7/4/2022
Sector
Energy, Water, Banking, Finance, Healthcare, Transport, Infocomm, Media, Security and emergency services, Government, Aviation
Full Text / Summary
The Cyber Security Agency of Singapore (CSA) Cybersecurity Code of Practice for Critical Information Infrastructure (CII) establishes mandatory cybersecurity requirements for CII owners in 11 critical sectors: energy, water, banking and finance, healthcare, transport (land, maritime, aviation), infocomm, media, security and emergency services, and government. The Code of Practice is issued under the Cybersecurity Act 2018 and is legally binding on designated CII owners. Requirements include: implementing cybersecurity measures across 16 domains; conducting annual cybersecurity audits; performing penetration testing every two years; reporting cybersecurity incidents to CSA within 2 hours; submitting annual compliance reports; and participating in national cybersecurity exercises. CII owners must also notify CSA before making significant changes to their CII. The Code of Practice is supplemented by sector-specific guidelines issued by sector leads. Non-compliance with the Code of Practice can result in fines of up to SGD 100,000 and criminal penalties for serious violations.