Most of the provisions in the Cybersecurity Act, which was finalised earlier this year, began to apply on 31 August.
The new rules apply to 'critical information infrastructure' (CII) operators in Singapore, which can span sectors such as energy, telecoms, water, health, banking, transport and media.
Under the new framework, CII owners face a duty to report certain cybersecurity incidents to a new commissioner of cybersecurity, and to disclose certain information to the commissioner regarding their CII, including on the "design, configuration and security" of that infrastructure.
It is up to the commissioner of cybersecurity to select the specific organisations to designate as CII owners subject to the new regime. Organisations can raise an appeal against the designations to Singapore government ministers.
Under the Act, CII owners could be subject to investigations by Singapore authorities regarding cybersecurity threats or incidents, and be forced to take remedial action where deficiencies in security measures are found.
CII owners also need to undertake periodic cybersecurity audits and risk assessments and could be further required to adhere to codes of practice or standards that the commissioner of cybersecurity has the power to issue under the new Act, as well as participate in cybersecurity testing exercises.
The Act also stipulates an obligation to notify the commissioner of cybersecurity of changes in legal or beneficial ownership of CII within seven days.
A new licensing framework for providers of cybersecurity services is also provided for under the new laws, but that part of the Act has not yet come into effect.
Earlier this week, Singapore's financial regulator, the Monetary Authority of Singapore, proposed making a set of six cybersecurity measures for financial institutions legally binding.