Consultation Paper on the Licensing Framework for Cybersecurity Service Providers
The Cyber Security Agency of Singapore (CSA) would like to seek views and comments from the industry on the proposed changes to the licensing framework for cybersecurity service providers.
Cyber Security Agency of Singapore (CSA)
Consultation Period: 22 Sep 2025 - 21 Oct 2025
Status: Open
Detailed Description
Part 1: INTRODUCTION
Background on the Licensing Framework
The licensing framework for cybersecurity service providers in Singapore was first introduced in 2022 under Section 5 of the Cybersecurity Act 2018. It adopts a light-touch regulatory approach, targeting service providers that perform cybersecurity functions with significant access and potential impact on client systems.
The framework sought to achieve three key objectives:
Strengthening assurance on security and safety in the delivery of sensitive cybersecurity services
Raising the quality and professional standing of cybersecurity service providers in Singapore
Introducing licensing transparency to address information asymmetry between consumers and cybersecurity service providers
The framework covers two cybersecurity service categories:
Managed Security Operations Centre (SOC) Monitoring Service
Penetration Testing Service
These services were prioritised because providers of such services have significant access into their clients’ computer systems and sensitive information, which, if abused, can lead to disruptions for their clients’ operations. Such services are also widely available and used in the market, and thus have the potential to cause significant impact on the overall cybersecurity landscape.
Evolving Industry Context
Since the introduction of the framework, the cybersecurity landscape has evolved significantly. Cyber threats have become more frequent and sophisticated in nature with far-reaching consequences. Organisations in Singapore are now increasingly reliant on third-party cybersecurity service providers to effectively manage cybersecurity risks. The cybersecurity services industry is projected to grow substantially, alongside rapid digitalisation and growing threat exposure.
The role that cybersecurity service providers play in keeping organisations cybersafe will become more pronounced in contributing to Singapore’s cyber resilience. As such, cybersecurity service providers must be held to appropriate standards of competence and trustworthiness.
Objective of Consultation
The Cyber Security Agency of Singapore (“CSA”) seeks industry feedback on proposed changes to the existing licensing framework, with the intent to:
Raise baseline cybersecurity standards nationally; and
Enhance clarity on the licensing requirements
Part 2: PROPOSED CHANGES TO LICENSING FRAMEWORK
Introduction of Cyber and Data Hygiene Requirements
Ensuring cybersecurity service providers maintain strong internal cybersecurity and data protection standards is critical to national cyber resilience. To this end, CSA proposes that cybersecurity service provider licensees demonstrate their commitment to good cyber and data hygiene measures by obtaining mandatory hygiene certifications. This aims to: (i) ensure licensed cybersecurity service providers are committed to protecting their own networks and client data, and (ii) establish a consistent and recognised standard of trustworthiness and professional conduct.
Mandatory Certification Requirements
Licensees will need to obtain and maintain the following certifications for the duration of their licence:
minimum Cyber Trust Mark (“CTM”) Promoter (Tier 3) or its equivalent; and
Data Protection Trust Mark (“DPTM”) SS 714:2025 or its equivalent.
Cyber Trust Mark Promoter (Tier 3)
The CTM is published as Singapore Standards (SS) 712:2025, and it adopts a risk-based approach to cybersecurity certification, differentiating organisations by their risk profiles and cybersecurity maturity. CTM Promoter (Tier 3) strikes a balance by providing a robust and accountable cybersecurity framework that addresses critical risks without requiring the highest levels of strategic and threat intelligence capabilities that might be disproportionate to many licensees' current risk profiles or operational scale. Licensees have the flexibility to pursue higher tiers of CTM certification suited to their business needs.
For operational efficacy and efficiency, CSA will also recognise CTM-equivalent certifications including, but not limited to, ISO/IEC 27001.
Regardless of the standard, the scope of certification shall minimally include the environment (including people, process and technology) of the licensee supporting the delivery of the licensed service.
The certification body shall be accredited by the Singapore Accreditation Council (SAC), the national accreditation body in Singapore, or equivalent. In the context of CTM, all certification bodies appointed by CSA are accredited.
While CTM certifications are typically issued to entities, CSA will work with the Certification Bodies so that individual licensees can also achieve the CTM Promoter (Tier 3) certification.
Data Protection Trust Mark SS 714:2025
The DPTM SS 714:2025 is an enterprise-wide certification for organisations to demonstrate accountable data protection practices, in compliance with the Personal Data Protection Act (PDPA) 2012. CSA has assessed that cybersecurity service provider licensees should achieve the DPTM SS 714:2025 to demonstrate their commitment to good data protection practices, given their access to privileged data in the course of their services.
CSA will also recognise other certification schemes including, but not limited to, APEC Cross-Border Privacy Rules and Global Cross-Border Privacy Rules. While licensees pursue the relevant data protection certifications, licensees are encouraged to reference the self-assessment framework of Data Protection Essentials to implement basic data protection and security practices.
Individual licensees will be exempted from data protection certifications as these certifications only apply to organisations.
Changes to licence validity, renewal and notification timeframes
CSA is proposing to introduce other changes to the licensing conditions, which aim to reduce regulatory friction and improve operational clarity for licensees without compromising oversight.
Extension of Licence Validity: Licence validity will be extended from 2 years to 5 years, with no change in annual fee quantum. Licences with a 5-year validity will cost $2,500 for businesses and $1,250 for individuals, to be paid upon the approval of licence application and/or renewal application, as the case may be.
Extension of Licence Renewal Timeframes: Currently, a licence renewal application must be made no later than 2 months before the licence expiry. For operational flexibility, CSA proposes to do away with the 2-month advance renewal period and allow for renewal applications to be made any time before the licence expiry. By doing so, licensees can submit renewal applications up to the last day of the licence (i.e. as long as the licence is active), reducing the possibility of missing the renewal period.
Simplified Notification Obligations: CSA will be extending the reporting window for key information changes to the licence from the current 14 calendar days to 30 calendar days. This will provide licensees more time to report changes and bring notification timelines in alignment with that for material changes in the Cybersecurity Act. Requirements to report non-material changes will be removed. These include changes in the designations of the Licensee and/or its Officers, addresses and contact particulars, which licensees are currently required to report to CSA within 14 calendar days. Such information would be updated systematically upon renewal, given that the information does not have material impact on the delivery of the licensed service.
Revision to Information required in a Licence Application: Information for licence application is presently listed in the Regulations. CSA proposes to remove the list from the Regulations and for the information required to be indicated in the electronic application service (i.e. currently, the GoBusiness Licensing portal) instead. This will allow for CSA to reduce the information as necessary to streamline the application process; and
Other Operative Changes: Powers that are currently duplicated across both the amended Cybersecurity Act and Conditions of Licence will be removed with no operational impact on licensees.
Please refer to Annex A and Annex B for the details of the proposed changes to the Conditions of Licence and the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 respectively.
Implementation Timeline
CSA intends to implement the changes to the licensing framework progressively from January 2026.
The cyber and data hygiene requirements will be implemented in phases to space out the increased regulatory requirements. This is to allow a more gradual transition period for licensees and the wider ecosystem, including the certification bodies, to fulfil the requirements.
A grace period until 31 December 2026 will be in effect for both new licensees and those who renewed their licences in 2026 to obtain the required CTM certification. This means that licensees can continue to provide their services until 31 December 2026 while pending CTM certification. In order to provide licensable services from 1 January 2027, all licensees would be required to have an active CTM certification during licence application and/or renewal.
A grace period until 31 December 2027 will be in effect for all licensees to obtain the required DPTM SS 714:2025 certification. This means that licensees can continue to provide their services until 31 December 2027 while pending DPTM SS 714:2025 certification. In order to provide licensable services from 1 January 2028, all licensees would be required to have an active DPTM SS 714:2025 certification during licence application and/or renewal.
Part 3: INVITATION TO COMMENT
CSA would like to seek views and comments from the industry on the proposed changes to the licensing framework, which are set out in greater detail in Annex A and Annex B. The draft licence conditions and Regulations may be further refined, based on feedback received during this consultation.
All submissions should be clearly and concisely written and should provide a reasoned explanation for any proposed revisions. Submissions are to be submitted through the Consultation on Licensing Framework for Cybersecurity Service Providers online form.
All submissions should reach CSA within 4 weeks, no later than 5pm on 21 October 2025. We regret that late submissions will not be considered.
CSA reserves the right to make public all or parts of any submission and to disclose the identity of the source. Respondents may request confidential treatment for any part of the submission that the respondent believes to be proprietary, confidential or commercially sensitive. Any such information should be clearly marked and identified. Respondents are also required to substantiate with reasons any request for confidential treatment. If CSA grants confidential treatment, it will consider, but will not publicly disclose, the information. If CSA rejects the request for confidential treatment, it will return the information to the respondent that submitted it and will not consider this information as part of its review. As far as possible, respondents should limit any request for confidential treatment of information submitted. CSA will not accept any submission that requests confidential treatment for all, or a substantial part, of the submission.
For the avoidance of doubt, all the information provided and views expressed in this consultation paper are for purposes of discussion and consultation only. Nothing in this consultation paper represents or constitutes any decision made by CSA. The consultation contemplated by this consultation paper is without prejudice to the exercise of powers by CSA under the Cybersecurity Act or any subsidiary legislation thereunder.
Consultation Paper on the Licensing Framework for Cybersecurity Service Providers [PDF]
Annexes
Annex A – Proposed Changes to the Conditions of Licence
Annex B – Proposed Changes to the Cybersecurity (Cybersecurity Service Providers) Regulations 2022