Clause 3

in subsection (1), in the definition of “code of practice”, replace “section 11(1)” with “section 35A(1)”;

in subsection (1), delete the definition of “critical information infrastructure”;

in subsection (1), after the definition of “Deputy Commissioner”, insert —“ “designated provider responsible for third‑party‑owned critical information infrastructure” means a provider of an essential service in respect of whom a designation under section 16A(1), as a provider of an essential service who is responsible for the cybersecurity of a third‑party‑owned critical information infrastructure, is in effect;“digital service” means any service normally provided for remuneration, that is delivered by one party to another party at the individual request of the other party, entirely through electronic means, and without needing the parties’ simultaneous physical presence, but does not include such services as the Minister may, by notification in the Gazette, prescribe;“entity of special cybersecurity interest” means an entity in respect of whom a designation under section 18(1) is in effect;”;

in subsection (1), after the definition of “essential service”, insert —“ “foundational digital infrastructure service” means any service which promotes the availability, latency, throughput or security of digital services, and is specified in the Third Schedule;”;

in subsection (1), after the definition of “licensee”, insert —“ “major foundational digital infrastructure” means the computer or computer system (or class of computers or computer systems) that is necessary for a major foundational digital infrastructure service provider’s continuous delivery of the foundational digital infrastructure service in relation to which a designation of the major foundational digital infrastructure service provider under section 18G(1) is in effect;“major foundational digital infrastructure service provider” means a provider of a foundational digital infrastructure service in respect of whom a designation under section 18G(1) is in effect;”;

in subsection (1), replace the definition of “owner” with —“ “owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern —

means the legal owner of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and

where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly owned by more than one person, includes every joint owner;“provider‑owned critical information infrastructure” means a computer or a computer system in respect of which a designation under section 7(1) or (1A) is in effect;”;

in subsection (1), in the definition of “standard of performance”, replace “section 11(1)” with “section 35A(1)”;

in subsection (1), in the definition of “standard of performance”, replace the full‑stop at the end with a semi‑colon;

in subsection (1), after the definition of “standard of performance”, insert —“ “system of special cybersecurity interest” means the computer or computer system (or class of computers or computer systems) in relation to which a designation of an entity of special cybersecurity interest under section 18(1) is in effect;“system of temporary cybersecurity concern” means a computer or computer system in respect of which a designation under section 17(1) is in effect;“third‑party‑owned critical information infrastructure” means the computer or computer system in relation to which a designation of a designated provider responsible for third‑party‑owned critical information infrastructure under section 16A(1) is in effect;“virtual computer” means a purely digital analogue of a computer, created by the simulation of software and hardware, performing logical, arithmetic or storage functions and including communications functions, but does not include the physical computing resources used for the simulation;“virtual computer system” means a purely digital analogue of a computer system, created by the simulation of an arrangement of interconnected computers that is designed to perform one or more specific functions, but does not include the physical computing resources used for the simulation.”; and

after subsection (2), insert —“(3) For the purposes of this section (except the definitions of “computer”, “computer system” and “owner”), sections 3 and 43, Part 2, Part 3 (except section 7(1A)) and Parts 3A, 3B, 3C and 4 —

“computer” includes a virtual computer;

“computer system” includes a virtual computer system;

“control”, in relation to a virtual computer or virtual computer system, means —

having the control over the operations of the virtual computer or virtual computer system;

having the right and ability to perform security configuration and management tasks in respect of the virtual computer or virtual computer system, including to make any modification as necessary for the cybersecurity of the virtual computer or virtual computer system; and

where applicable, having responsibility for the security of the virtual computer or virtual computer system under a person’s contractual arrangement with a cloud computing service provider;

“owner”, in relation to a provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern that is a virtual computer or virtual computer system —

means the person who has exclusive control of the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be); and

where the provider‑owned critical information infrastructure, third‑party‑owned critical information infrastructure or system of temporary cybersecurity concern (as the case may be) is jointly controlled by more than one person, includes every joint controller; (e)“change in the beneficial or legal ownership (including any share in such ownership)”, in relation to a provider‑owned critical information infrastructure or third‑party‑owned critical information infrastructure that is a virtual computer or virtual computer system —

in a case where the virtual computer or virtual computer system is jointly controlled by more than one person — means change in any joint controller; or

in any other case — means change in the person who has exclusive control of the virtual computer or virtual computer system; and

a virtual computer or virtual computer system is wholly or partly in Singapore if one or more of the physical computing resources deployed for the simulation of the virtual computer or virtual computer system (as the case may be) is located in Singapore.”.