For years, the Cybersecurity Act Singapore mostly concerned a defined group, the owners of Critical Information Infrastructure behind essential services like power and water. If you weren’t one of them, the Act was someone else’s problem.
The Cybersecurity Act Singapore was significantly amended in 2024 to extend regulatory obligations beyond CII owners to two new categories; Foundational Digital Infrastructure (FDI) providers such as cloud platforms and data centres, and Entities of Special Cybersecurity Interest (ESCI), organisations whose disruption would harm national security or public order.
If your organisation falls into either category, specific cybersecurity duties and incident reporting obligations will apply once the relevant provisions come into force.
That’s changing. Singapore is widening the net to cover a new set of organisations, including cloud providers, data centres, and companies holding sensitive information, that were never directly regulated before.
Two new categories sit at the centre of this expansion, with awkward acronyms and real consequences, FDI and ESCI. If your organisation might fall into either, it’s worth understanding them now, before the rules switch on. This guide explains what they are, who they cover, why the old “someone else’s problem” no longer holds, and how to prepare.
What Is the Cybersecurity Act Singapore?
The Cybersecurity Act Singapore is the country’s main law for protecting the computer systems the country depends on. Administered by the Cyber Security Agency of Singapore (CSA), it sets the rules for defending critical systems and gives the Commissioner of Cybersecurity the power to oversee and enforce them.
When it first passed in 2018, the Act focused almost entirely on Critical Information Infrastructure Singapore, the systems directly behind essential services. In 2024, Parliament passed a major amendment to widen its reach.
According to the Cyber Security Agency of Singapore, the update was made to keep pace with a changing threat landscape and the shift to cloud computing and outsourced systems. Several parts of that amendment came into force on 31 October 2025, and more are still to come, including the two new categories this article is about.
Why the Old Cloud Thinking No Longer Protects You
For a long time, businesses relied on a comfortable idea called “shared responsibility.” When you used a cloud provider, the thinking went, the provider secured the cloud, and you were responsible only for what you put in it. If something went wrong at the infrastructure level, that was the provider’s problem.
The Singapore Cybersecurity Act erodes that comfort from both ends.
1. Customers can no longer point upstream
Essential service providers are now accountable for the security of systems they rely on but don’t own, including third-party and cloud infrastructure. Outsourcing the system no longer outsources the responsibility. We cover this shift in our piece on third-party risk under the Cybersecurity Act Singapore.
2. Providers can no longer stay behind the curtain
The cloud platforms and data centres that used to sit comfortably behind “shared responsibility” are being pulled directly into the regulatory net through the new FDI category.
3. Understanding Foundational Digital Infrastructure (FDI)
Foundational digital infrastructure Singapore refers to the digital services that so much of the modern economy quietly runs on, specifically cloud computing services and data centre facilities. FDI Singapore cybersecurity obligations stem from a straightforward recognition: so many essential services now depend on a handful of major cloud and data centre providers that those providers have become critical in their own right.
If a major cloud platform fails, the damage doesn’t stay with one company, it ripples across every business and service that relies on it.
According to the Cyber Security Agency of Singapore, companies providing digital infrastructure foundational to the economy or daily life will be regulated as FDI and required to follow cybersecurity codes and standards, and to report prescribed incidents.
As legal analysis from Chambers and Partners sets out, designated major FDI providers will have to notify the Commissioner of serious incidents that disrupt their service or business operations in Singapore. The penalties for failing to report are significant, with fines reaching the greater of SGD 200,000 or 10% of the provider’s annual turnover in Singapore.
One important point, which we’ll return to, is that these FDI obligations are not in force yet. They were enacted in the 2024 amendment but await a future commencement date.
Understanding Entities of Special Cybersecurity Interest (ESCI)
ESCI Singapore cybersecurity obligations target a different kind of organisation. Entities of Special Cybersecurity Interest capture organisations that aren’t CII Singapore owners, but still matter enough to national security that the government wants oversight of their cybersecurity.
According to the law firm Allen & Gledhill, an entity can be designated an ESCI if it holds sensitive information, or performs a function whose disruption would have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, public safety, or public order.
There’s an unusual feature here worth knowing. The list of designated ESCIs will not be made public. As Allen & Gledhill explains, this is deliberate, naming these entities openly would effectively advertise them as high-value targets to attackers. So an organisation may be told privately that it has been designated, but the public won’t see a list.
Like FDI, the ESCI regime is not yet in force. It was enacted in the 2024 amendment and awaits a future commencement date.
Who might be designated an ESCI? Candidates include organisations in defence supply chains, financial market infrastructure, research institutions handling classified data, and any private entity whose systems or data are considered sensitive to Singapore’s national interests. Designation is made privately by CSA. So if you’re uncertain, it’s worth conducting an internal assessment rather than waiting to be told.
What Applies Now and What Comes Later
This is the part to get right, because the timing matters for how you should respond. The expanded Cybersecurity Act Singapore is arriving in stages, not all at once.
Already in force since 31 October 2025 are the following.
- The regulation of third-party-owned CII, making essential service providers accountable for systems they rely on but don’t own.
- The STCC regime for temporary, event-based risk.
- The expansion of CII definitions to cover virtual and cloud-based systems, not just physical ones.
Enacted but not yet in force, awaiting a future start date, are these.
- The FDI regime for major cloud and data centre providers.
- The ESCI regime for entities of special cybersecurity interest.
The gap between “enacted” and “in force” is your window. The rules are written and the direction is set, but the obligations haven’t switched on. That’s the time to get ready, not after the commencement notice lands.
How to Prepare Before the Rules Switch On
Whether you might be designated an FDI, an ESCI, or neither, the sensible preparation is similar. Here’s where to focus.
1. Work out whether you’re likely in scope
Start by asking the honest question. Do you provide cloud or data centre services that others depend on? Do you hold sensitive information or perform a function whose disruption would harm national interests? If yes to either, you’re a candidate for designation and should prepare as though it’s coming.
2. Get your incident reporting ready
Every one of these new categories under the Cybersecurity Act Singapore carries a duty to report serious incidents to the Commissioner. The exact timelines will come in subsidiary legislation, but the direction is clearly toward fast reporting. Building a tested incident-response process now means you won’t be scrambling when the duty becomes real.
3. Raise your security to a provable standard
These regimes are about demonstrating strong cybersecurity, not just claiming it. That means continuous monitoring, regular testing of your defences, and the records to prove both. Getting to a provable standard takes time, which is exactly why starting before the deadline matters.
4. Tighten your own vendor chain
If you’re a cloud or data centre provider being pulled into scope, your own suppliers become part of your risk. The accountability runs through the chain, so the security of the vendors you depend on is now part of the security you’ll be judged on.
Getting Ahead of the Expansion
The Cybersecurity Act Singapore has fundamentally expanded who is responsible for national cybersecurity. Cloud platforms, data centres, and holders of sensitive information are no longer bystanders; they are being brought into a framework that expects real, provable security and fast incident reporting, whether as FDI or ESCI.
The organisations that manage this well are the ones treating the current window, after enactment but before commencement, as preparation time rather than breathing room.
Singapore’s message with this expanded Act is hard to miss. The circle of organisations responsible for national cybersecurity is growing, and the old idea that infrastructure providers sit safely behind their customers no longer holds.
If you might be designated an FDI or ESCI, the two things you’ll need most are the ability to detect and report a serious incident quickly, and defences strong enough to prove to a regulator.
Zentara Managed SOC delivers the first, continuous monitoring and fast response, and our VAPT (penetration testing) delivers the second, finding and fixing the weaknesses a regulator or attacker would target.
The rules aren’t fully switched on yet. That’s the advantage, and it won’t last. Talk to our team today.


