Third-Party Risk Management Under Singapore’s Cybersecurity Act

Third-Party Risk Management Under Singapore's Cybersecurity Act

Written by

July 9, 2026

For years, managing the risk from your vendors was good practice. A responsible company checked its suppliers, asked the right questions, and slept a little easier. In Singapore, that’s no longer just good practice. For organisations running essential services, it’s now the law, with real penalties attached.

Under Singapore’s updated Cybersecurity Act, third-party risk management is no longer voluntary for essential service operators. If you rely on a vendor’s system to deliver a critical service, you can be held legally accountable for that system’s security, even if you don’t own it. At the same time, the cybersecurity providers you hire must now meet national certification standards. Both changes took effect from 31 October 2025.

The updated Cybersecurity Act has changed who is responsible when a third-party system fails. If your business depends on a vendor’s system to deliver an essential service, you can now be held legally accountable for that system’s security, even though you don’t own it.

At the same time, the providers you rely on for security services are being held to tough new certification standards. The comfortable, voluntary era of third-party risk management is ending.

This guide explains what changed, who it affects, and what to do about it, in plain terms.

What Is Third-Party Risk Management?

Third-party risk management is the work of identifying and controlling the risks that come from the outside parties your business relies on: vendors, suppliers, cloud providers, and contractors.

Almost no organisation operates alone anymore. You use a cloud provider to host your systems, a software vendor for key tools, perhaps an outside team to run your security. Each of those relationships is useful, and each one is also a doorway.

If a vendor gets breached, the attacker can often reach you through that connection. Third-party risk management is how you keep those doorways from becoming the way an attacker walks in.

The reason it matters more than ever is simple: attackers have learned that the easiest way into a well-defended company is often through a less-defended supplier. Some of the largest breaches in history started not with the victim, but with one of the victim’s vendors.

What Changed in Singapore: Vendors Are Now in Scope

On 31 October 2025, several key parts of the Cybersecurity (Amendment) Act came into force. To see what changed, you need one term: CII Singapore.

Critical information infrastructure Singapore refers to the computer systems behind essential services like energy, water, banking, healthcare, and transport. The companies that own these systems have always had strict legal duties to protect them. What changed is whose systems count.

Here’s the gap the law closed. The old rules mostly covered systems a company owned and ran itself. But today, many essential services run on systems owned by someone else, a cloud platform or an outside vendor. That left a hole: a critical system could sit outside the rules simply because a third party owned it.

So the Cybersecurity Act Singapore was updated to keep up with the shift to cloud and outsourced systems, ensuring a company stays responsible for security even when it relies on someone else’s infrastructure. The result is a new category: third-party-owned CII, or 3PO CII.

What Is Third-Party-Owned CII

Third-party-owned CII, sometimes called provider-owned CII, applies when your organisation provides an essential service and relies on a system owned by a third party to deliver it. The Commissioner of Cybersecurity can designate that arrangement as 3PO CII. As the law firm DLA Piper explains, the regulator can hold the essential service provider, not the third-party owner, responsible for the cybersecurity of that system.

Read that again, because it’s the whole point. You can be made legally accountable for the security of a system you don’t own and don’t directly control. The responsibility for a vendor’s security has shifted onto you.

The law doesn’t expect you to magically control someone else’s system. Instead, it requires you to get specific, enforceable promises from the vendor in writing. According to analysis from the law firm CMS, a designated provider must obtain legally binding commitments from the third-party owner to do several things:

  • Share information about how the system is built, secured, and run.
  • Maintain the cybersecurity standards the law requires.
  • Tell you about any security incidents affecting the system.
  • Notify you of any change in who owns the system.

What happens if you can’t get those commitments?

This is where it gets serious. If a designated provider fails to secure these binding commitments, or the standards aren’t kept up without good reason, the Commissioner can order the provider to stop using the system entirely. For a business that depends on that system to deliver its service, being ordered to stop using it is a serious operational blow. Non-compliance is also an offence under the Act.

The choice is stark: get your vendor relationships in order, or risk losing the ability to use the systems your business runs on.

Security Providers Now Need Certification

The vendor liability change is only half the story. Singapore is also raising the bar for the cybersecurity firms that businesses hire.

In early 2026, the Cyber Security Agency of Singapore announced that several groups must now earn the Cyber Trust Mark, a national certification that proves an organisation has strong cybersecurity practices. Each group has a deadline:

  • CII owners: Level 5 by the end of 2027.
  • Auditors who check CII owners: Level 5 by the end of 2026.
  • Licensed security providers offering penetration testing and managed SOC monitoring: Level 3 by the end of 2026.

There’s more. As the CSA’s licensing rules now set out, from March 2026 a cybersecurity provider needs an active Cyber Trust Mark just to keep its licence, with time to obtain it running until the end of 2026.

The point is simple: the firm you hire to protect you must now prove its own security to a national standard. What was once a nice-to-have badge is becoming a basic requirement to operate, and providers who don’t meet the bar won’t be allowed to offer these services.

For you as a customer, this is mostly good news: it means the licensed providers you can hire have been held to a real standard. But it also means you should be checking that the providers you use are on track to meet it.

Who does this affect? Any organisation in Singapore that holds a CII designation, or that provides cybersecurity services such as managed SOC monitoring or penetration testing, is directly in scope. But even businesses without a CII designation should treat this as a signal: the overall standard of third-party risk management expected across Singapore’s digital economy is rising.

Why the Supply Chain Is the Real Target

These two changes, vendor liability and provider certification, point at the same problem. Modern attacks come through the supply chain.

An attacker who can’t break into a bank directly will look at the bank’s software vendors, its cloud provider, and its outsourced IT team. Compromise one of those, and you may reach the real target through a trusted connection.

The same logic applies inside critical infrastructure, where attackers move sideways from a less-protected supplier system into the systems that actually run essential services, the same lateral-movement path that turns an ordinary vendor breach into a national-scale incident.

Singapore’s amendments are a direct response. By making essential service providers accountable for their vendors’ systems and by forcing security providers to meet a high standard, the law is trying to close the supply-chain gaps that attackers exploit.

Whether you’re an essential service provider or just a business that wants to stay safe, the underlying lesson is the same: your security is now inseparable from your vendors’ security.

What to Do Now

Whether the law applies to you directly or you simply want to manage vendor risk well, the steps are similar. Here’s where to focus.

1. Map which vendors you actually depend on

You can’t manage what you haven’t mapped. List the outside systems and providers your business relies on, and mark the ones you couldn’t operate without. Those critical dependencies are where third-party-owned CII designation is most likely, and where your attention belongs first.

2. Turn your vendor contracts into real safeguards

Review the contracts with your most critical vendors. Do they require the vendor to maintain security standards, report incidents to you quickly, give you audit rights, and tell you if ownership changes? If not, these are exactly the binding commitments the law now expects. Renegotiate them before a regulator, or an incident, forces the issue.

3. Check your security providers’ certification status

If you hire a licensed cybersecurity provider for penetration testing or SOC monitoring, ask where they stand on Cyber Trust Mark certification. A provider on track to meet the standard is one you can keep relying on. One that isn’t may not be able to serve you for long.

4. Demand visibility into vendor incidents

A vendor breach becomes your problem the moment it touches your service. Make sure your critical vendors are contractually bound to tell you fast when something goes wrong, and that you have a way to act on that information, the same discipline that lets a business hit tight regulatory reporting deadlines.

5. Build vendor risk into an ongoing routine

Third-party risk management isn’t a one-time audit. Vendors change, get acquired, and have incidents. Review your critical vendor relationships on a regular schedule, so a problem at a supplier doesn’t catch you unaware months after it started.

Turning a Compliance Burden Into an Advantage

Singapore’s updated Cybersecurity Act Singapore has made third-party risk management a legal obligation, not just a best practice, for essential service operators.

Through the third-party-owned CII framework, accountability for vendor systems now sits squarely with the essential service provider and the security providers you rely on must meet national certification to stay in business. The organisations that get ahead of this won’t just avoid penalties; they’ll be meaningfully harder to breach.

It’s easy to read all this as just more regulatory weight. But there’s a better way to see it. The organisations that handle these changes well won’t just avoid penalties. They’ll be genuinely safer, because they’ll know their vendors, hold them to real standards, and catch supplier problems early.

Singapore’s message is clear: the supply chain is everyone’s responsibility now, and the standard is rising. Better to meet it on your own terms than have a deadline or a breach set them for you.

This raises an obvious question: if your security providers now have to meet a national standard, are the ones you rely on actually meeting it?

Zentara is built for exactly this. As a provider of managed SOC monitoring and VAPT, we hold ourselves to the standards this market now demands. So hiring us strengthens your compliance rather than adding risk to it. We help you map your critical vendors, turn supplier contracts into the binding commitments the law expects, and watch for the incidents, yours or a vendor’s, that you’re now accountable to catch and report.

Talk to our cybersecurity specialists and we’ll help you find the gaps before the deadline does.

Watch our FREE webinar: AI vs. Hackers - The Cyber Battle You Didn’t Know Was Happening

Marsha Widagdo, Zentara’s Head of Security Operations (Blue Team), will break down how defenders use AI to spot, triage, and contain real threats—and how attackers are weaponising it in return. Expect practical playbooks, recent cases, and clear steps you can apply.

Where Cybersecurity Meets Community

We’re building a space for cybersecurity practitioners, students, researchers, and enthusiasts to connect, learn, exchange ideas, and grow as a collective. A community built around discourse, industry insights, and driven by mutual goals.

Modern Cybersecurity Services, Built for Complexity

From threat intelligence to vulnerability assessments and incident response, Zentara helps governments and enterprises stay ahead of every attack vector