FAQs
Updated as of 4 November 2022
All providers of managed security operations centre monitoring services and penetration testing services (i.e. licensable cybersecurity services) to the Singapore market will need to apply for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) or third-party cybersecurity service providers (“CSPs”) that provide these services in support of other CSPs. However, a company that provides licensable cybersecurity services solely for its related company(ies) e.g. in-house service provider, does not require a licence.#
Resellers, third-party vendors or overseas CSPs including the affiliates of a licensee who provide licensable cybersecurity services to the Singapore market would need to be licensed.*
#According to the Companies Act, related company(ies) is defined as, but not limited to:
Singapore market refers to persons who engage or intend to engage in or advertise its businesses of providing licensable cybersecurity services in Singapore. Generally, this may include, without limitation, persons with customers located in Singapore, and persons that have corporate or business presence in Singapore. Service providers should consider their business plans and activities (including any future business or expansion plan) to determine if licence is required.
Third-party vendors and resellers who are required to be licensed refer to those who are in the business of providing licensable cybersecurity services to consumers on behalf of another service provider (anywhere in the distribution chain) of the licensable cybersecurity services.
Each business entity within the same corporate group is required to apply for a licence if each of this business entity wishes to provide any of the licensable cybersecurity services.
Companies are required to apply for a licence for each of the licensable cybersecurity services (i.e. a licence for managed security operations centre monitoring service and a licence for penetration testing service).
Individual employees of cybersecurity service providers providing licensable cybersecurity services on behalf of their employer are not required to be licenced.
Business entities are required to ensure that officer of the business entity is fit and proper when applying for a licence. Officer of a business entity refers to any director or partner, or other person listed in the business entity’s business profile e.g. ACRA BizFile, with the exception of shareholders (who are not directors or partners) and company secretary, or any other person who is responsible for the management of the business entity. Individuals who are applying for the licence should also be a fit and proper person to hold the licence. Failing which, the licence application may be rejected.
Overseas cybersecurity service providers which are not registered in Singapore but wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a CorpPass Admin Account for Foreign Entity which is necessary for the submission of the licence application via GoBusiness Licensing. For assistance on setting up a CorpPass Admin Account, please visit the CorpPass website or email support@corppass.gov.sg. Alternatively, please click here for more contact options.
Do note that overseas companies that are not registered with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) are required to upload a copy of their business profile (reflecting the details of the business registration record with the relevant authorities in the oversea country) in the licence application. Please note that documents not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person's full name, of his address and of his qualifications for making the translation.
Key Executive Officer refers to the person who is responsible for the proper administration and overall management of the business entity and supervision of its employees.
Key Officer refers to any director, partner, or other person listed in the business entity's business profile e.g. ACRA Bizfile, with the exception of shareholders (who are not directors or partners) and the company secretary.
Business entities are only required to include the Key Executive Officer and Key Officer(s) in their licence applications. Do take note that there can only be one Key Executive Officer for each licence application.
The Licensing Officer shall consider all relevant facts and matters when determining if officers of the business entity applicant are fit and proper, including whether any key executive officer or key officers:
Business entity applicants with officer(s) failing to meet the fit and proper criteria may be refused a licence by the Licensing Officer. CSRO would like to highlight that every licence application is considered carefully on a case-by-case basis. For instance, officers of business entity licence applicant who have past criminal conviction will not automatically be deemed as being not fit and proper. Factors such as the seriousness and nature of the offence, the time that has elapsed since the conviction, and the responsibility of the officer will be taken into consideration by the Licensing Officer when assessing the licence application.
Pursuant to regulation 2(2) of the Cybersecurity (Cybersecurity Service Providers) Regulations 2022, a licence application must include information on relevant qualification or experience relating to the licensable cybersecurity services. In the situation where none of the Key Executive Officer or Key Officer(s) has qualification or experience relevant to the licensable service, the curriculum vitae of one of the business entity licence applicant's employee or proposed employee with supervisory responsibility who has qualification or experience relating to the licensable service shall be included in the licence application.
A Certificate of Clearance (or equivalent documentation) is required for each of the overseas officer(s) and shall be obtained from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, home country refers to the country of nationality.
We do not intend to be prescriptive on the format of Certificate of Clearance (or equivalent documentation) from the relevant authorities in the home country. The applicant should ensure that the Certificate of Clearance (or equivalent documentation) minimally certifies that the officer of the business entity licence applicant does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, nationwide includes all states of the home country.
Certificate of Clearance (or equivalent documentation) not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person’s full name, of his address and of his qualifications for making the translation.
Business Entity applicants’ Key Executive Officer and Key Officer(s) are each required to complete the Declaration Form for Individual, in addition to the Declaration Form for Business Entity. Please note that any false declaration will subject the licence application to be rejected and punitive action may be taken against the incumbent.
The licensing framework aims to raise quality of the standards of the cybersecurity service providers over time. In view of the need to strike a good balance between industry development and cybersecurity needs, quality requirements will not be imposed on the licensees at the outset.
Instead, to complement the light touch licensing framework, CSRO will continue to work with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals, to improve the standing of cybersecurity professionals.
CSRO will continue to monitor international and industry trends and engage the industry where necessary, to assess if any new types of cybersecurity services should be included in the licensing framework, such as those that are of higher risks to consumers.
CSRO intends to keep the licensing requirements simple to minimise operational costs on licensees. The requirements that licensees must comply with, as stipulated in the Cybersecurity Act, include:
Licenses should ensure that records collectively capture all the required information with sufficient details and are kept in a form that allows accountability and traceability in the event of foul play. You may also wish to refer to Annex B of the closing note published on CSA's website on 11 Apr 2022 for examples of record keeping requirements.
A licence is valid for a period of 2 years and the licence fees for individuals and business entities are $500 and $1000 respectively.
Note: Due to the COVID-19 pandemic which has negatively impacted many businesses, a 50% wavier of the first cycle of licence fees will be granted for all applications submitted by 11 April 2023.
Each licence application takes up to approximately 8 weeks to process upon submission of completed form and all required supporting documents. Applicant will receive an email notification on the outcome. If the application is approved, applicant will be required to make ePayment of licence fee via the GoBusiness Licensing prior to the issuance of each licence. Please note that licence fee not paid within 30 days will automatically lapse and new licence application will have to be submitted.
An application for renewal of a licence must be made no later than 2 months before expiry. Licensee who fails to submit their licence renewal application 2 months prior to the expiry may be required to apply for a new licence. This may result in a possible lapse in the licensure period where the business entity will be required to suspend its operations, until the outcome of its licence application is determined.
When a licence is due for renewal, the GoBusiness Licensing will send a Renewal Request Notification via email to the licensee. Upon timely submission of the licence renewal application, CSRO will proceed to review the application and applicant will be notified of the outcome via the system. If the application is approved, licensee will be required to make ePayment via the GoBusiness Licensing.
If you are facing any technical difficulties or require any assistance on how to submit the application, you may contact GoBusiness Licensing Helpdesk at Tel: 63363373.
Licensees who wish to terminate their licence before expiry should submit an application via the GoBusiness Licensing within 14 calendar days before ceasing the business of providing the licensable cybersecurity service.
Licensee is required to update changes to their business details through the GoBusiness Licensing for the following material changes:
Supporting documentation will be required to be uploaded to GoBusiness Licensing during the update.
The licensee shall notify the Licensing Officer within 14 days after the appointment of any new key officer. Licensees are also required to notify the licensing officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the licensing officer in relation to its licence within 14 days. Licensees are reminded to ensure that any new key officer who is appointed must be fit and proper as defined in section 26(8) of the Act, failing which may result in punitive measures being imposed on the licensee, including revocation or suspension of licence.
It will not be an offence under the Cybersecurity Act to use unlicensed cybersecurity service providers. However, consumers should be wary of the safety and security risks that unlicensed service providers may pose, given the service providers’ extensive access into their clients’ computer systems when providing their services. Any misuse of such confidential information by the unlicensed service providers may result in severe damages to the consumers.
Consumers are therefore encouraged to only procure licensable cybersecurity services from licensed cybersecurity service providers, and to inform CSRO of any service providers providing licensable cybersecurity services without a licence. Person who engages in the business of providing any licensable cybersecurity services to other person without a licence shall be guilty of an offence under Section 24 of the Cybersecurity Act and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both. Under Section 31 of the Cybersecurity Act, unlicensed cybersecurity service providers are also not entitled to bring any proceeding in any court to recover any commission, fee, gain, or reward for the service provided.
The Cyber Security Agency of Singapore (CSA) is the agency set up to keep Singapore’s cyberspace safe and secure through the administering of the Cybersecurity Act. To administer the licensing framework, CSA has set up Cybersecurity Services Regulation Office (CSRO) which will act as the point of interface for all licensing related matters. These include enforcing the licensing framework; responding to the industry’s queries and feedback; as well as sharing of resources on licensable cybersecurity services with consumers such as the list of licensees and buyer’s guides.
For further assistance, please contact us at:
Cybersecurity Services Regulation Office
100 Victoria Street
National Library Building #10-01
Singapore 188064
Email: contact@csro.gov.sg
1. Who needs to apply for cybersecurity service provider licence?
All providers of managed security operations centre monitoring services and penetration testing services (i.e. licensable cybersecurity services) to the Singapore market will need to apply for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) or third-party cybersecurity service providers (“CSPs”) that provide these services in support of other CSPs. However, a company that provides licensable cybersecurity services solely for its related company(ies) e.g. in-house service provider, does not require a licence.#Resellers, third-party vendors or overseas CSPs including the affiliates of a licensee who provide licensable cybersecurity services to the Singapore market would need to be licensed.*
#According to the Companies Act, related company(ies) is defined as, but not limited to:
- a) holding company of another corporation;
b) subsidiary of another corporation; or
c) subsidiary of the holding company of another corporation.
2. What is considered as providing licensable cybersecurity services to the Singapore market?
Singapore market refers to persons who engage or intend to engage in or advertise its businesses of providing licensable cybersecurity services in Singapore. Generally, this may include, without limitation, persons with customers located in Singapore, and persons that have corporate or business presence in Singapore. Service providers should consider their business plans and activities (including any future business or expansion plan) to determine if licence is required.
3. Could you give me examples of the third-party vendors and resellers of the licensable cybersecurity services that are regulated under the licensing framework?
Third-party vendors and resellers who are required to be licensed refer to those who are in the business of providing licensable cybersecurity services to consumers on behalf of another service provider (anywhere in the distribution chain) of the licensable cybersecurity services.
4. Are all companies under the same corporate group be required to apply for separate licences in order to provide licensable cybersecurity services?
Each business entity within the same corporate group is required to apply for a licence if each of this business entity wishes to provide any of the licensable cybersecurity services.
5. For companies providing both managed security operations centre monitoring services and penetration testing services, how many licence should they apply?
Companies are required to apply for a licence for each of the licensable cybersecurity services (i.e. a licence for managed security operations centre monitoring service and a licence for penetration testing service).
6. Are the employees of cybersecurity service providers required to apply for an individual licence?
Individual employees of cybersecurity service providers providing licensable cybersecurity services on behalf of their employer are not required to be licenced.
7. What do I need to ensure prior to applying for a licence?
Business entities are required to ensure that officer of the business entity is fit and proper when applying for a licence. Officer of a business entity refers to any director or partner, or other person listed in the business entity’s business profile e.g. ACRA BizFile, with the exception of shareholders (who are not directors or partners) and company secretary, or any other person who is responsible for the management of the business entity. Individuals who are applying for the licence should also be a fit and proper person to hold the licence. Failing which, the licence application may be rejected.
8. How can an overseas company apply for a licence?
Overseas cybersecurity service providers which are not registered in Singapore but wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a CorpPass Admin Account for Foreign Entity which is necessary for the submission of the licence application via GoBusiness Licensing. For assistance on setting up a CorpPass Admin Account, please visit the CorpPass website or email support@corppass.gov.sg. Alternatively, please click here for more contact options.
Do note that overseas companies that are not registered with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) are required to upload a copy of their business profile (reflecting the details of the business registration record with the relevant authorities in the oversea country) in the licence application. Please note that documents not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person's full name, of his address and of his qualifications for making the translation.
9. Who are the Key Executive Officer and Key Officer of a business entity applicant?
Key Executive Officer refers to the person who is responsible for the proper administration and overall management of the business entity and supervision of its employees.
Key Officer refers to any director, partner, or other person listed in the business entity's business profile e.g. ACRA Bizfile, with the exception of shareholders (who are not directors or partners) and the company secretary.
10. Do I need to list down all the employees providing the licensable cybersecurity services in the licence application form?
Business entities are only required to include the Key Executive Officer and Key Officer(s) in their licence applications. Do take note that there can only be one Key Executive Officer for each licence application.
11. How does the Licensing Officer determine whether the officers of a business entity applicant are fit and proper?
The Licensing Officer shall consider all relevant facts and matters when determining if officers of the business entity applicant are fit and proper, including whether any key executive officer or key officers:
- a) Has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
b) Has had a judgment entered against him/her in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on his/her part;
c) Is or was suffering from a mental disorder;
d) Is an undischarged bankrupt or has entered into a composition with his/her creditors; or
e) Has had a licence revoked by the Licensing Officer previously.
12. What happens if any of the officers fails to meet the fit and proper criteria?
Business entity applicants with officer(s) failing to meet the fit and proper criteria may be refused a licence by the Licensing Officer. CSRO would like to highlight that every licence application is considered carefully on a case-by-case basis. For instance, officers of business entity licence applicant who have past criminal conviction will not automatically be deemed as being not fit and proper. Factors such as the seriousness and nature of the offence, the time that has elapsed since the conviction, and the responsibility of the officer will be taken into consideration by the Licensing Officer when assessing the licence application.
13. Is it a requirement to include relevant qualification or experience relating to the licensable cybersecurity service in the licence application?
Pursuant to regulation 2(2) of the Cybersecurity (Cybersecurity Service Providers) Regulations 2022, a licence application must include information on relevant qualification or experience relating to the licensable cybersecurity services. In the situation where none of the Key Executive Officer or Key Officer(s) has qualification or experience relevant to the licensable service, the curriculum vitae of one of the business entity licence applicant's employee or proposed employee with supervisory responsibility who has qualification or experience relating to the licensable service shall be included in the licence application.
14. Who would require a Certificate of Clearance?
A Certificate of Clearance (or equivalent documentation) is required for each of the overseas officer(s) and shall be obtained from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, home country refers to the country of nationality.
15. What is the format for a Certificate of Clearance?
We do not intend to be prescriptive on the format of Certificate of Clearance (or equivalent documentation) from the relevant authorities in the home country. The applicant should ensure that the Certificate of Clearance (or equivalent documentation) minimally certifies that the officer of the business entity licence applicant does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, nationwide includes all states of the home country.
Certificate of Clearance (or equivalent documentation) not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person’s full name, of his address and of his qualifications for making the translation.
16. What do I need to note when completing the Declaration Form for Business Entity/Individual?
Business Entity applicants’ Key Executive Officer and Key Officer(s) are each required to complete the Declaration Form for Individual, in addition to the Declaration Form for Business Entity. Please note that any false declaration will subject the licence application to be rejected and punitive action may be taken against the incumbent.
17. Will quality requirements be imposed on the licensees?
The licensing framework aims to raise quality of the standards of the cybersecurity service providers over time. In view of the need to strike a good balance between industry development and cybersecurity needs, quality requirements will not be imposed on the licensees at the outset.
Instead, to complement the light touch licensing framework, CSRO will continue to work with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals, to improve the standing of cybersecurity professionals.
18. Will CSRO consider licensing other cybersecurity services in the future?
CSRO will continue to monitor international and industry trends and engage the industry where necessary, to assess if any new types of cybersecurity services should be included in the licensing framework, such as those that are of higher risks to consumers.
19. What are the conditions of the licence?
CSRO intends to keep the licensing requirements simple to minimise operational costs on licensees. The requirements that licensees must comply with, as stipulated in the Cybersecurity Act, include:
- a) Ensure that officers of business entity licensees are fit and proper persons as defined in section 26(8) of the Cybersecurity Act. For example, the individual has not been convicted of any offence involving fraud, dishonesty, or moral turpitude;
b) Keep for at least 3 years, records on the cybersecurity services that they have provided. This includes but not limited to details of the person engaging the licensee for the service, name of the person providing the service on behalf of the licensee, date on which the service is provided and details of the type of service provided, etc.;
c) Ensure that any information obtained in the course of providing their cybersecurity services is not disclosed or used by any other person other than for the purpose of providing the cybersecurity services; and
d) Ensure that their employees do not give any false representation to their clients regarding the employees’ level of training, skill, or qualification.
20. Are there guidelines for the type(s) of records a licensee should maintain/keep?
Licenses should ensure that records collectively capture all the required information with sufficient details and are kept in a form that allows accountability and traceability in the event of foul play. You may also wish to refer to Annex B of the closing note published on CSA's website on 11 Apr 2022 for examples of record keeping requirements.
21. How long is the validity period of a licence and what are the fees payable for a licence?
A licence is valid for a period of 2 years and the licence fees for individuals and business entities are $500 and $1000 respectively.
Note: Due to the COVID-19 pandemic which has negatively impacted many businesses, a 50% wavier of the first cycle of licence fees will be granted for all applications submitted by 11 April 2023.
22. By when and how will I receive the notification on the outcome of a licence application?
Each licence application takes up to approximately 8 weeks to process upon submission of completed form and all required supporting documents. Applicant will receive an email notification on the outcome. If the application is approved, applicant will be required to make ePayment of licence fee via the GoBusiness Licensing prior to the issuance of each licence. Please note that licence fee not paid within 30 days will automatically lapse and new licence application will have to be submitted.
23. When should licence renewal application be submitted?
An application for renewal of a licence must be made no later than 2 months before expiry. Licensee who fails to submit their licence renewal application 2 months prior to the expiry may be required to apply for a new licence. This may result in a possible lapse in the licensure period where the business entity will be required to suspend its operations, until the outcome of its licence application is determined.
24. How is the licence renewal application process like?
When a licence is due for renewal, the GoBusiness Licensing will send a Renewal Request Notification via email to the licensee. Upon timely submission of the licence renewal application, CSRO will proceed to review the application and applicant will be notified of the outcome via the system. If the application is approved, licensee will be required to make ePayment via the GoBusiness Licensing.
25. I have difficulties in submitting my application to GoBusiness Licensing, who can I contact for help?
If you are facing any technical difficulties or require any assistance on how to submit the application, you may contact GoBusiness Licensing Helpdesk at Tel: 63363373.
26. How do I request to terminate a licence?
Licensees who wish to terminate their licence before expiry should submit an application via the GoBusiness Licensing within 14 calendar days before ceasing the business of providing the licensable cybersecurity service.
27. What are the changes to business details that a licensee is required to inform the Licensing Officer?
Licensee is required to update changes to their business details through the GoBusiness Licensing for the following material changes:
- a) Changes to Key Executive Officers
b) Additional of Key Officers; and
c) Removal of Key Officers.
Supporting documentation will be required to be uploaded to GoBusiness Licensing during the update.
28. When should I inform the Licensing Officer in the event of changes to key officer of my business?
The licensee shall notify the Licensing Officer within 14 days after the appointment of any new key officer. Licensees are also required to notify the licensing officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the licensing officer in relation to its licence within 14 days. Licensees are reminded to ensure that any new key officer who is appointed must be fit and proper as defined in section 26(8) of the Act, failing which may result in punitive measures being imposed on the licensee, including revocation or suspension of licence.
29. Will it be an offence to use unlicensed cybersecurity service providers?
It will not be an offence under the Cybersecurity Act to use unlicensed cybersecurity service providers. However, consumers should be wary of the safety and security risks that unlicensed service providers may pose, given the service providers’ extensive access into their clients’ computer systems when providing their services. Any misuse of such confidential information by the unlicensed service providers may result in severe damages to the consumers.
Consumers are therefore encouraged to only procure licensable cybersecurity services from licensed cybersecurity service providers, and to inform CSRO of any service providers providing licensable cybersecurity services without a licence. Person who engages in the business of providing any licensable cybersecurity services to other person without a licence shall be guilty of an offence under Section 24 of the Cybersecurity Act and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both. Under Section 31 of the Cybersecurity Act, unlicensed cybersecurity service providers are also not entitled to bring any proceeding in any court to recover any commission, fee, gain, or reward for the service provided.
30. What is the difference between CSA and CSRO?
The Cyber Security Agency of Singapore (CSA) is the agency set up to keep Singapore’s cyberspace safe and secure through the administering of the Cybersecurity Act. To administer the licensing framework, CSA has set up Cybersecurity Services Regulation Office (CSRO) which will act as the point of interface for all licensing related matters. These include enforcing the licensing framework; responding to the industry’s queries and feedback; as well as sharing of resources on licensable cybersecurity services with consumers such as the list of licensees and buyer’s guides.
31. Who can I contact for further details?
For further assistance, please contact us at:
Cybersecurity Services Regulation Office
100 Victoria Street
National Library Building #10-01
Singapore 188064
Email: contact@csro.gov.sg