The Cyber Security Agency of Singapore (CSA) is reviewing the scope of current cybersecurity standards and obligations to potentially include non-Critical Information Infrastructure (non-CII) systems, specifically networks that are interconnected with Critical Information Infrastructure (CII) systems.

Senior Minister of State Tan Kiat How announced the regulatory review on 2 March 2026 during the Ministry of Digital Development and Information (MDDI) Committee of Supply Debate. The proposed expansion targets supply chain and structural operational technology (OT) vulnerabilities, marking a strategic shift toward potential binding oversight for systems that interact directly with the nation's critical networks.

Context: The 2024 OT Cybersecurity Masterplan Baseline

This upcoming regulatory evaluation builds upon the foundation set by the updated Operational Technology Cybersecurity Masterplan, which was launched on 20 August 2024. Unveiled by Mrs Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity, at the 4th OTCEP Forum, the 2024 masterplan formally extended its strategic scope to encompass non-CII organisations. The premise of the update was that cyber risks are widespread and affect both CII and other important OT systems because of dependency or supply chain risks.

However, under the 2024 framework, the measures designated for non-CII operators remain strictly guidance-based rather than legally binding. The current paradigm relies on voluntary ecosystem uplift, utilizing tools such as:

  • The foundational OT Cybersecurity Masterplan guidance directives.

  • Specialized risk-assessment guides.

  • Sector-specific codes of practice and Technical Reference 111 (TR 111:2023) to foster a resilient and secure cyber environment for organisations in both the CII and non-CII sectors.

The 2026 Proposal: Shifting From Guidance to Potential Mandate

The current regulatory evaluation focuses on a potential transition from voluntary adoption to statutory obligation. Because modern industrial environments feature deep integration between corporate IT, cloud architectures, and operational infrastructure, an unmanaged vulnerability in a non-CII environment can serve as a pivot point into a critical asset.

The CSA's ongoing review explores whether voluntary compliance is sufficient to shield critical infrastructure from sophisticated lateral threat vectors. If enacted, the proposal under review would bring targeted non-CII systems under formal, binding obligations—meaning specific interconnected entities would face regulatory enforcement regarding their architectural defenses, access parameters, and incident notification pathways.