Introduction
Following the conclusion of a public consultation, the Cyber Security Agency of Singapore (“CSA“) has indicated that it will proceed to enact proposed changes to the licensing framework for cybersecurity service providers. The changes seek to raise baseline cybersecurity standards nationally and enhance clarity on the licensing requirements.
Singapore’s licensing framework for cybersecurity service providers was established in 2022 under the Cybersecurity Act 2018. However, with the swift and continuous evolution of the cybersecurity landscape, it has become necessary to update and enhance the framework, particularly given the important role that cybersecurity service providers play in the security of organisations and Singapore’s cyber resilience.
CSA has issued a closing note on the public consultation (“Closing Note“), summarising the feedback received, its response to the feedback, and the implementation of the proposed changes moving forward. This Update highlights the impending changes, the key points of CSA’s response, and what cybersecurity service providers should be aware of with regard to the licensing requirements.
Proposed Changes
CSA conducted a public consultation on the proposed changes to the licensing framework for cybersecurity service providers from 22 September 2025 to 21 October 2025. The public consultation set out the following proposed changes:
Introduction of cyber and data hygiene requirements: For cybersecurity service provider licensees to demonstrate their commitment to good cyber and data hygiene measures by obtaining mandatory hygiene certifications.
Mandatory certification requirements: For licensees to obtain and maintain the following certifications for the duration of their licence: (i) minimum Cyber Trust Mark (“CTM“) Promoter (Tier 3) or its equivalent; and (ii) Data Protection Trust Mark (“DPTM“) SS 714:2025 or its equivalent.
Changes to licensing timeframes: Introduction of other changes to the licensing conditions to reduce regulatory friction and improve operational clarity for licensees, including: (i) an extension of licence validity from two years to five years; (ii) an extension of licence renewal timeframes; (iii) simplified notification obligations; and (iv) a revision to information required in a licence application.
- Implementation timeline: Implementation of the proposed changes to the licensing framework progressively from January 2026.
- A grace period to obtain the required CTM certification would be in effect until 31 December 2026 for new licensees and for those who renewed their licences in 2026.
- A grace period for licensees to obtain the required DPTM SS 714:2025 certification would be in effect until 31 December 2027 for all licensees.
For more information on the public consultation, please see our earlier Legal Update here.
Closing Note
On 16 February 2026, CSA issued its Closing Note to the public consultation. It noted that respondents to the consultation generally expressed support for the raising of cyber hygiene assurance levels through certification requirements, as well as the reduction of regulatory friction through extended licence validity and simplified notification obligations.
The key points of feedback received include the following:
Feedback on CTM and DPTM Certification Requirements
- Equivalent certifications: Respondents appreciated the recognition of ISO/IEC 27001 as an equivalent to CTM. However, respondents suggested the recognition of additional global standards as equivalents. CSA has assessed that ISO/IEC 27001 remains the only recognised equivalent for CTM for now, but has stated that it will progressively review additional certifications and add them to the list, if appropriate.
- Applicability of DPTM: Several respondents raised concerns over the relevance of DPTM for penetration testing services or for cloud service providers. CSA has clarified that the DPTM certification requirement is intended for licensed cybersecurity service providers, which are Managed Security Operations Centre monitoring service and penetration testing service providers only; it is not intended for cloud service providers. CSA has further clarified that CTM Promoter (Tier 3) certification holders are not required to achieve DPTM as a mandatory requirement due to limited access to client personal data and the inclusion of data protection measures under the CTM certification.
- Requirements for resellers: CSA has clarified that the licensing framework applies to all entities providing the licensable services, regardless of their business model. This includes resellers who are licensed to provide licensable cybersecurity services.
- Small businesses and individual licensees: In response to concerns expressed over the administrative burden on small businesses and individual licensees in obtaining the required certifications, CSA has stated that it will study the possibility of introducing alternative compliance routes for smaller providers and individual licensees. However, CSA maintains that all licensees should achieve a minimum level of cyber hygiene posture regardless of firm size, and the CTM Promoter (Tier 3) certification was assessed to be proportionate to licensees’ risk profile.
Positive Feedback on Changes to Licence Validity and Notification Timeframes
CSA will proceed with the proposed extension of licence validity to five years, and the proposed simplification of notification obligations.
In response to suggestions to automate updates using ACRA data and SingPass-based declarations to further streamline processes, CSA will explore opportunities to streamline processes through integration with other government digital services where feasible.
Feedback on Implementation Timeline
For boutique firms and individual licensees, CSA has maintained that the proposed grace period is sufficient.
- Licensees will have a grace period until 31 December 2026 to obtain CTM Promoter (Tier 3) certification. Thereafter, licensees would be required to have an active CTM certification during licence application or renewal.
- CSA will not mandate DPTM certification at this point, and the proposed timeline to obtain DPTM certification by the end of 2027 will not be implemented.
Concluding Words
CSA will proceed to implement the proposed changes to the licensing framework, taking into account the feedback received. The updated licence conditions, which will apply to all existing licensees, new licence applications or licence renewals, are accessible at Annex B here.
For existing licensees, the licence conditions will be in effect 30 days from the publication of the Closing Note on 16 February 2026. Existing licensees will transition to the five-year licence term upon renewal.
For further queries, please feel free to contact our team set out on this page.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
