Rajah & Tann Regional Round-Up
your snapshot of key legal developments in Asia
 Issue 2 - Apr/May/Jun 2022
 

Licensing Framework for Cybersecurity Service Providers Comes into Operation

The Cybersecurity Agency of Singapore ("CSA") has announced the launch of the licensing framework for cybersecurity providers ("Framework"), which has taken effect from 11 April 2022. The Framework imposes a licensing requirement for the provision of prescribed cybersecurity services. 


The Framework aims to better safeguard consumers' interests and address the information asymmetry between consumers and cybersecurity service providers. It also seeks to improve service providers' standards and standing over time.


The Framework has been enacted via Part 5 and the Second Schedule of the Cybersecurity Act 2018, which came into operation on 11 April 2022. Subsidiary legislation such as the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 has also been enacted as part of the Framework.


CSA has set out the timeline for the relevant cybersecurity service providers to comply with the licensing requirements of the Framework:


  1. 11 April 2022: No person may provide a licensable cybersecurity service without a cybersecurity service provider's licence from 11 April 2022.

  2. 11 October 2022: Existing cybersecurity service providers who are already engaged in the business of providing licensable cybersecurity services must apply for a licence by 11 October 2022. If the licence application is made by 11 October 2022, the service provider may continue to provide its service until a decision on its application has been made.

  3. The licence is valid for a period of two years, and an application for renewal should be made no later than two months before the expiry of the licence.

For a start, CSA will license two types of cybersecurity service providers: (i) managed security operations centre monitoring services; and (ii) penetration testing services.


The Framework contains certain key conditions, such as those relating to: 


  1. Procedural and information requirements for licence applications;
  2. Keeping of records;
  3. Notification on changes to information about the licencee;
  4. Professional conduct of licensees;
  5. Provision to the licensing officer of information relating to the cybersecurity service.

For more information, click here to read our Legal Update.



Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.

 

Rajah & Tann Singapore LLP

9 Straits View
Marina One West Tower
#06-07
Singapore 18937
Republic of Singapore
http://sg.rajahtannasia.com

Contacts:

Francis Xavier, SC, PBM
Partner
D +65 62320551
francis.xavier@rajahtann.com

Chia Kim Huat
Partner
D +65 62320464
kim.huat.chia@rajahtann.com

Howard Cheam
Partner
D +65 62320685
howard.cheam@rajahtann.com

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This update is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this update.