SINGAPORE Law and Practice Contributed by: Lim Chong Kin, Drew & Napier LLC
Cybersecurity The Cybersecurity Act 2018 sets out a frame - work for the designation and monitoring of criti - cal information infrastructure (CII) in essential sectors, such as energy, info-communications, media, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, and services relating to the functioning of the government. Under the Cybersecurity Act, a computer or computer system may be designated by the Commissioner of Cybersecurity as CII if: • it is necessary for the continuous delivery of an essential service, and the loss or compro - mise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and • the computer or computer system is located wholly or partly in Singapore. Owners of CII are subject to various obligations under the Cybersecurity Act, including report - ing cybersecurity incidents, conducting regular cybersecurity audits and risk assessments, and furnishing relevant information. On 11 April 2022, the licensing framework for cybersecurity service providers came into effect, along with the Cybersecurity (Cybersecurity Ser - vice Providers) Regulations 2022. The licensing framework covers cybersecurity service provid - ers providing penetration testing services and managed security operations centre monitoring services, and aims to improve the standard of cybersecurity service providers and address the information asymmetry between consumers and service providers. To keep up with the evolving cybersecurity threats and nature of businesses, the Cyberse-
Under the TA, “telecommunications” is defined very broadly as any transmission, emission or reception of signs, signals, writing, images, sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems, whether or not such signs, signals, writing, images, sounds or intelligence have been sub - jected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception. As the primary legislation governing the telecom - munications industry in Singapore, the TA sets out the broad licensing and regulatory frame - work for the telecommunications sector. Unless an exemption applies, the IMDA’s jurisdiction may potentially extend to the licensing of IoT projects or applications if such projects or appli - cations may be regarded as involving the opera - tion or provision of telecommunications systems or services under the TA. Where applicable, such persons would therefore need to comply with the general obligations and any specific conditions of approval under their respective licences that have been granted by the IMDA (see 6.1 Scope of Regulation and Pre-Marketing Requirements for more details on the licensing of telecommu - nication systems and services). Data Protection The applicability of the PDPA may be triggered if the IoT device in question can be used to collect personal data in Singapore and transfer it wire - lessly through the network. In such a case, the organisation that collects or transfers the per - sonal data (which may be an IoT service provid - er) will need to comply with the data protection obligations in respect of such data, unless an exception applies.
413 CHAMBERS.COM
Powered by FlippingBook