CSA to Enact Changes to the Licensing Framework for Cybersecurity Service Providers

Introduction

Following the conclusion of a public consultation, the Cyber Security Agency of Singapore (“CSA“) has indicated that it will proceed to enact proposed changes to the licensing framework for cybersecurity service providers. The changes seek to raise baseline cybersecurity standards nationally and enhance clarity on the licensing requirements.

Singapore’s licensing framework for cybersecurity service providers was established in 2022 under the Cybersecurity Act 2018. However, with the swift and continuous evolution of the cybersecurity landscape, it has become necessary to update and enhance the framework, particularly given the important role that cybersecurity service providers play in the security of organisations and Singapore’s cyber resilience.

CSA has issued a closing note on the public consultation (“Closing Note“), summarising the feedback received, its response to the feedback, and the implementation of the proposed changes moving forward. This Update highlights the impending changes, the key points of CSA’s response, and what cybersecurity service providers should be aware of with regard to the licensing requirements.

Proposed Changes

CSA conducted a public consultation on the proposed changes to the licensing framework for cybersecurity service providers from 22 September 2025 to 21 October 2025. The public consultation set out the following proposed changes:

Introduction of cyber and data hygiene requirements: For cybersecurity service provider licensees to demonstrate their commitment to good cyber and data hygiene measures by obtaining mandatory hygiene certifications.
Mandatory certification requirements: For licensees to obtain and maintain the following certifications for the duration of their licence: (i) minimum Cyber Trust Mark (“CTM“) Promoter (Tier 3) or its equivalent; and (ii) Data Protection Trust Mark (“DPTM“) SS 714:2025 or its equivalent.
Changes to licensing timeframes: Introduction of other changes to the licensing conditions to reduce regulatory friction and improve operational clarity for licensees, including: (i) an extension of licence validity from two years to five years; (ii) an extension of licence renewal timeframes; (iii) simplified notification obligations; and (iv) a revision to information required in a licence application.
Implementation timeline: Implementation of the proposed changes to the licensing framework progressively from January 2026.
- A grace period to obtain the required CTM certification would be in effect until 31 December 2026 for new licensees and for those who renewed their licences in 2026.
- A grace period for licensees to obtain the required DPTM SS 714:2025 certification would be in effect until 31 December 2027 for all licensees.

For more information on the public consultation, please see our earlier Legal Update here.

Closing Note

On 16 February 2026, CSA issued its Closing Note to the public consultation. It noted that respondents to the consultation generally expressed support for the raising of cyber hygiene assurance levels through certification requirements, as well as the reduction of regulatory friction through extended licence validity and simplified notification obligations.

The key points of feedback received include the following:

Feedback on CTM and DPTM Certification Requirements

Equivalent certifications: Respondents appreciated the recognition of ISO/IEC 27001 as an equivalent to CTM. However, respondents suggested the recognition of additional global standards as equivalents. CSA has assessed that ISO/IEC 27001 remains the only recognised equivalent for CTM for now, but has stated that it will progressively review additional certifications and add them to the list, if appropriate.

Applicability of DPTM: Several respondents raised concerns over the relevance of DPTM for penetration testing services or for cloud service providers. CSA has clarified that the DPTM certification requirement is intended for licensed cybersecurity service providers, which are Managed Security Operations Centre monitoring service and penetration testing service providers only; it is not intended for cloud service providers. CSA has further clarified that CTM Promoter (Tier 3) certification holders are not required to achieve DPTM as a mandatory requirement due to limited access to client personal data and the inclusion of data protection measures under the CTM certification.

Requirements for resellers: CSA has clarified that the licensing framework applies to all entities providing the licensable services, regardless of their business model. This includes resellers who are licensed to provide licensable cybersecurity services.

Small businesses and individual licensees: In response to concerns expressed over the administrative burden on small businesses and individual licensees in obtaining the required certifications, CSA has stated that it will study the possibility of introducing alternative compliance routes for smaller providers and individual licensees. However, CSA maintains that all licensees should achieve a minimum level of cyber hygiene posture regardless of firm size, and the CTM Promoter (Tier 3) certification was assessed to be proportionate to licensees’ risk profile.

Positive Feedback on Changes to Licence Validity and Notification Timeframes

CSA will proceed with the proposed extension of licence validity to five years, and the proposed simplification of notification obligations.

In response to suggestions to automate updates using ACRA data and SingPass-based declarations to further streamline processes, CSA will explore opportunities to streamline processes through integration with other government digital services where feasible.

Feedback on Implementation Timeline

For boutique firms and individual licensees, CSA has maintained that the proposed grace period is sufficient.

Licensees will have a grace period until 31 December 2026 to obtain CTM Promoter (Tier 3) certification. Thereafter, licensees would be required to have an active CTM certification during licence application or renewal.
CSA will not mandate DPTM certification at this point, and the proposed timeline to obtain DPTM certification by the end of 2027 will not be implemented.

Concluding Words

CSA will proceed to implement the proposed changes to the licensing framework, taking into account the feedback received. The updated licence conditions, which will apply to all existing licensees, new licence applications or licence renewals, are accessible at Annex B here.

For existing licensees, the licence conditions will be in effect 30 days from the publication of the Closing Note on 16 February 2026. Existing licensees will transition to the five-year licence term upon renewal.

Register now for your free, tailored, daily legal newsfeed service.

CSA to Enact Changes to the Licensing Framework for Cybersecurity Service Providers

Filed under

Topics

Organisations

Popular articles from this firm

MAS Issues New MAS AML/CFT Notice for Financial Institutions Dealing in PSMs, Various Revised AML/CFT Notices for Financial Institutions and Variable Capital Companies *

MAS Revises AML/CFT Notices for FIs and VCCs - to Mandate PF Assessments, Align Trust Regime and Streamline STR Filing Regime *

Singapore High Court Provides Assessment of Damages for Crypto-assets *

PRC Issues Updated Administrative Measures for the Verification and Registration of Technology Contracts *

Damages for Defective Construction - Court Determines When to Award Cost of Cure *

Professional development

Related practical resources PRO

Related research hubs

Singapore

IT & Data Protection