Singapore legislation

Clause 17 of Cybersecurity (Amendment) Bill

New Part 3D

In the principal Act, after Part 3C (as inserted by section 16), insert —

“PART 3D

MAJOR FOUNDATIONAL DIGITAL INFRASTRUCTURE SERVICE PROVIDERS

Designation of major foundational digital infrastructure service provider

18G.—

(1)

The Commissioner may, by written notice to a provider of a foundational digital infrastructure service, designate the provider as a major foundational digital infrastructure service provider for the purposes of this Act, if the Commissioner is satisfied that —

(a)

a computer or computer system (or class of computers or computer systems) is necessary for the continuous delivery of a foundational digital infrastructure service by the provider of the foundational digital infrastructure service; and

(b)

the provider provides the foundational digital infrastructure service —

(i)

whether from within or outside Singapore, to persons in Singapore, and the loss or impairment of the provision of that foundational digital infrastructure service is likely to lead to or cause disruption or deterioration of the operation of a large number of businesses or organisations in Singapore which rely on or are enabled by that foundational digital infrastructure service; or

(ii)

wholly or partially from Singapore, and the loss or impairment of the provision of that foundational digital infrastructure service is likely to lead to or cause disruption or deterioration of the operation of a large number of businesses or organisations (in or outside Singapore) which rely on or are enabled by that foundational digital infrastructure service.

(2)

A notice issued under subsection (1) must —

(a)

identify the foundational digital infrastructure service in relation to which the provider is designated as a major foundational digital infrastructure service provider;

(b)

identify the provider of the foundational digital infrastructure service so designated as a major foundational digital infrastructure service provider;

(c)

describe the computer or computer systems (or class of computers or computer systems) stated to be necessary for the continuous delivery of the foundational digital infrastructure service;

(d)

inform the major foundational digital infrastructure service provider regarding the provider’s duties and responsibilities under this Act that arise from the designation;

(e)

provide the name and contact particulars of the officer assigned by the Commissioner to supervise the major foundational digital infrastructure service provider in relation to the cybersecurity of the major foundational digital infrastructure;

(f)

inform the major foundational digital infrastructure service provider that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and

(g)

inform the major foundational digital infrastructure service provider that the provider may appeal to the Minister against the designation, and provide information on the applicable procedure.

(3)

Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.

(4)

A notice issued under this section need not be published in the Gazette.

(5)

A provider of a foundational digital infrastructure service mentioned in this section or section 18H who is located outside Singapore may appoint a person in Singapore to accept service of notices or directions under this Act.

(6)

A major foundational digital infrastructure service provider who is located outside Singapore must appoint a person in Singapore to accept service of notices or directions under this Act.

(7)

In this section —

(a)

a provider provides a foundational digital infrastructure service —

(i)

from within Singapore — when the provider is present in Singapore when providing the service; or

(ii)

wholly or partially from Singapore — when all or part of the computers or computer systems used to provide the foundational digital infrastructure service are located in Singapore;

(b)

the “loss or impairment” of the provision of a foundational digital infrastructure service includes the loss or impairment of the availability, confidentiality or integrity of data stored, transmitted or processed in relation to the provision of that service; and

(c)

a reference to a person in Singapore is a reference to —

(i)

an individual physically present in Singapore; or

(ii)

an entity incorporated or established under any written law, or constituted or organised under a law of a foreign country or territory but registered under any written law.

Power to obtain information to ascertain if criteria for major foundational digital infrastructure service provider fulfilled

18H.—

(1)

This section applies where the Commissioner has reason to believe that a provider of a foundational digital infrastructure service may fulfil the criteria to be designated as a major foundational digital infrastructure service provider.

(2)

The Commissioner may, by notice given in the prescribed form and manner, require any person who appears to be a provider of a foundational digital infrastructure service, to provide to the Commissioner, within a reasonable period specified in the notice, such relevant information relating to that service as may be required by the Commissioner for the purpose of ascertaining whether the provider fulfils the criteria to be designated as a major foundational digital infrastructure service provider.

(3)

Without limiting subsection (2), for the purpose of ascertaining whether the provider of a foundational digital infrastructure service fulfils the criteria to be designated as a major foundational digital infrastructure service provider, the Commissioner may in the notice require the provider to provide —

(a)

information relating to —

(i)

the function that the foundational digital infrastructure service is employed to serve; and

(ii)

the extent to which the operations of businesses or organisations in Singapore rely on or are enabled by that foundational digital infrastructure service;

(b)

in the case of a person who appears to provide a foundational digital infrastructure service wholly or partially from Singapore, information relating to —

(i)

whether the foundational digital infrastructure service is provided wholly or partially from Singapore; and

(ii)

the extent to which the operations of businesses or organisations, in or outside Singapore, rely on or are enabled by that foundational digital infrastructure service; and

(c)

any other information that the Commissioner may require in order to ascertain whether the provider of a foundational digital infrastructure service fulfils the criteria to be designated as a major foundational digital infrastructure service provider.

(4)

Any person who —

(a)

without reasonable excuse, fails to comply with a notice issued under subsection (2); and

(b)

continues, after the expiry of the period specified in the notice, to provide a foundational digital infrastructure service —

(i)

whether from within or outside Singapore, to persons in Singapore; or

(ii)

wholly or partially from Singapore,

shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(5)

Any person to whom a notice is issued under subsection (2) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law, contract or rules of professional conduct in relation to the disclosure of such information.

Withdrawal of designation of major foundational digital infrastructure service provider

18I. The Commissioner may, by written notice, withdraw the designation of a major foundational digital infrastructure service provider at any time if the Commissioner is of the opinion that the provider no longer fulfils the criteria to be designated as a major foundational digital infrastructure service provider.

Extension of designation of major foundational digital infrastructure service provider

18J.—

(1)

At any time before the expiry of the designation of a major foundational digital infrastructure service provider, the Commissioner may, by written notice, extend the designation of the major foundational digital infrastructure service provider, if the Commissioner is of the opinion that the provider continues to fulfil the criteria to be designated as a major foundational digital infrastructure service provider.

(2)

Any extension of a designation under subsection (1) has effect for a period of 5 years starting from the expiry of the earlier designation, unless the designation is withdrawn by the Commissioner before the extension takes effect or before the expiry of the period of extension.

Furnishing of information relating to major foundational digital infrastructure

18K.—

(1)

The Commissioner may by notice given in the prescribed form and manner, require the major foundational digital infrastructure service provider to furnish, within a reasonable period specified in the notice, the following:

(a)

information on the measures in place to safeguard the cybersecurity of the major foundational digital infrastructure;

(b)

information on the design features of the major foundational digital infrastructure which affect cybersecurity risk;

(c)

any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the major foundational digital infrastructure.

(2)

Any major foundational digital infrastructure service provider who —

(a)

without reasonable excuse, fails to comply with a notice mentioned in subsection (1); and

(b)

continues to provide the foundational digital infrastructure service in relation to which the provider is designated under section 18G(1)(b)(i) or (ii) after the expiry of the period specified in the notice,

shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(3)

The major foundational digital infrastructure service provider to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.

(4)

The major foundational digital infrastructure service provider is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).

Power of Commissioner to issue written directions

18L.—

(1)

The Commissioner may, if the Commissioner thinks —

(a)

it is necessary or expedient for ensuring the cybersecurity of a major foundational digital infrastructure; or

(b)

it is necessary or expedient for the effective administration of this Act,

issue a written direction, either of a general or specific nature, to the major foundational digital infrastructure service provider or a class of such major foundational digital infrastructure service providers.

(2)

Without limiting subsection (1), a direction under that subsection may relate to —

(a)

the action to be taken by the provider or providers in relation to a cybersecurity threat;

(b)

compliance with any prescribed technical or other standards relating to cybersecurity in respect of the major foundational digital infrastructure;

(c)

compliance with any code of practice or standard of performance applicable to the provider;

(d)

the appointment of an auditor approved by the Commissioner to audit the provider or providers on their compliance with this Act or any code of practice or standard of performance applicable to the provider or providers; or

(e)

any other matter that the Commissioner may consider necessary or expedient to ensure the cybersecurity of the major foundational digital infrastructure.

(3)

A direction under subsection (1) must specify a deadline for compliance, and may be revoked at any time by the Commissioner.

(4)

Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons to whom the Commissioner proposes to issue the direction —

(a)

stating that the Commissioner proposes to issue the direction and setting out its effect; and

(b)

specifying the time within which representations or objections to the proposed direction may be made.

(5)

The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6)

Any person who —

(a)

without reasonable excuse, fails to comply with a direction under subsection (1); and

(b)

continues to provide the foundational digital infrastructure service in relation to which the person is designated under section 18G(1)(b)(i) or (ii) after the deadline for compliance specified in the direction,

shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Duty to report cybersecurity incident affecting major foundational digital infrastructure service provider

18M.—

(1)

The major foundational digital infrastructure service provider must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:

(a)

a prescribed cybersecurity incident in respect of the major foundational digital infrastructure or any other computer or computer system under the major foundational digital infrastructure service provider’s control, where the incident results in a disruption or degradation to the continuous delivery, in Singapore, of the foundational digital infrastructure service for which the provider is designated;

(b)

a prescribed cybersecurity incident in respect of the major foundational digital infrastructure or any other computer or computer system under the major foundational digital infrastructure service provider’s control, where the incident has a significant impact on the major foundational digital infrastructure service provider’s business operations in Singapore.

(2)

The major foundational digital infrastructure service provider must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the major foundational digital infrastructure, as set out in any applicable code of practice.

(3)

Any major foundational digital infrastructure service provider who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore.”.