FAQs
Updated as of 12 June 2026
All providers of managed security operations centre monitoring services and penetration testing services (i.e. licensable cybersecurity services) to the Singapore market will need to apply for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) or third-party cybersecurity service providers (“CSPs”) that provide these services in support of other CSPs. However, a company that provides licensable cybersecurity services solely for its related company(ies) e.g. in-house service provider, does not require a licence.#
Resellers, third-party vendors or overseas CSPs including the affiliates of a licensee who provide licensable cybersecurity services to the Singapore market would need to be licensed.*
#According to the Companies Act, related company(ies) is defined as, but not limited to:
Singapore market refers to persons who engage or intend to engage in or advertise its businesses of providing licensable cybersecurity services in Singapore. Generally, this may include, without limitation, persons with customers located in Singapore, and persons that have corporate or business presence in Singapore. Service providers should consider their business plans and activities (including any future business or expansion plan) to determine if a licence is required.
Third-party vendors and resellers who are required to be licensed refer to those who are in the business of providing licensable cybersecurity services to consumers on behalf of another service provider (anywhere in the distribution chain) of the licensable cybersecurity services.
Each business entity within the same corporate group is required to apply for a licence if each of this business entity wishes to provide any of the licensable cybersecurity services.
Companies are required to apply for a licence for each of the licensable cybersecurity services (i.e. a licence for managed security operations centre monitoring service and a licence for penetration testing service).
Individual employees of cybersecurity service providers that provide licensable cybersecurity services on behalf of their employer are not required to be licenced.
CSRO will continue to monitor international and industry trends and engage the industry where necessary, to assess if any new types of cybersecurity services should be included in the licensing framework, such as those that pose higher risks to consumers.
Business entities are required to ensure that officer of the business entity is fit and proper when applying for a licence. Officer of a business entity refers to any director or partner, or other person listed in the business entity’s business profile e.g. ACRA BizFile, with the exception of shareholders (who are not directors or partners) and company secretary, or any other person who is responsible for the management of the business entity. Individuals who are applying for the licence should also be a fit and proper person to hold the licence.
With effect from 16 March 2026, business entities and individuals applying for the licence are required to hold an active certificate for Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent covering the required scope for the applied licensable cybersecurity service(s) at the point of licence application and/or renewal.*
Failing which, the licence application may be rejected.
*Applicants and licensees will be given a grace period of until 31 December 2026 to obtain and maintain an active certificate for CTM Promoter (Tier 3) or equivalent covering the required scope for the applied licensable cybersecurity service(s) for the duration of the Licence.
Overseas companies which are not registered in Singapore but wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a CorpPass Admin Account for Foreign Entity which is necessary for the submission of the licence application via GoBusiness Licensing. For assistance on setting up a CorpPass Admin Account, please visit the CorpPass website or email support@corppass.gov.sg. Alternatively, please click here for more contact options.
Do note that overseas companies that are not registered with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) are required to upload a copy of their business profile (reflecting the details of the business registration record with the relevant authorities in the overseas country) in the licence application. Documents not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person's full name, address and qualifications for making the translation.
Overseas individuals who are not Permanent Residents, Pass holders (e.g. Employment Pass, S-Pass etc) or Work Permit holders and wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a Singpass Foreign Account which is necessary for the submission of the licence application via GoBusiness Licensing. To apply for a Singpass Foreign Account, please email contact@csro.gov.sg for further instructions.
Key Executive Officer refers to the person who is responsible for the proper administration and overall management of the business entity and supervision of its employees.
Key Officer refers to any director, partner, or other person listed in the business entity's business profile e.g. ACRA Bizfile, with the exception of shareholders (who are not directors or partners) and the company secretary. This also includes any other person who is responsible for the management of the business entity, that may not be listed in the business profile.
Business entities are only required to include the Key Executive Officer and Key Officer(s) in their licence applications. Do take note that there can only be one Key Executive Officer for each licence application.
The Licensing Officer shall consider all relevant facts and matters when determining if officers of the business entity applicant are fit and proper, including whether any Key Executive Officer or Key Officers:
a)Has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
b) Has had a judgment entered against him/her in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on his/her part;
c) Is or was suffering from a mental disorder;
d) Is an undischarged bankrupt or has entered into a composition with his/her creditors; or
e) Has had a licence revoked by the Licensing Officer previously.
Business entity applicants with officer(s) failing to meet the fit and proper criteria may be refused a licence by the Licensing Officer. CSRO would like to highlight that every licence application is considered carefully on a case-by-case basis. For instance, officers of a business entity licence applicant who have past criminal conviction will not automatically be deemed as being not fit and proper. Factors such as the seriousness and nature of the offence, the time that has elapsed since the conviction, and the responsibility of the officer will be taken into consideration by the Licensing Officer when assessing the licence application.
Pursuant to regulation 2(2) of the Cybersecurity (Cybersecurity Service Providers) Regulations 2022, a licence application must include information on relevant qualifications or experience relating to the licensable cybersecurity services. In the situation where none of the Key Executive Officer or Key Officer(s) have qualifications or experience relevant to the licensable service, the information of the relevant qualification or experience of one of the business entity licence applicant's employee or proposed employee with supervisory responsibility who has qualifications or experience relating to the licensable service shall be included in the licence application.
A Certificate of Clearance (or equivalent documentation) is required for each of the overseas officer(s) and shall be obtained from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, home country refers to the country of nationality.
The Certificate of Clearance (or equivalent documentation) shall not be obtained earlier than three months before the date of licence application is submitted to CSRO.
We do not intend to be prescriptive on the format of the Certificate of Clearance (or equivalent documentation) from the relevant authorities in the home country. The applicant should ensure that the Certificate of Clearance (or equivalent documentation) minimally certifies that the officer of the business entity licence applicant does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, nationwide includes all states of the home country.
Certificate of Clearance (or equivalent documentation) not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person’s full name, address and qualifications for making the translation.
Each licence application takes up to approximately 8 weeks to process upon submission of a completed form and all required supporting documents. Applicant will receive an email notification on the outcome. If the application is approved, applicant will be required to make ePayment of licence fee via the GoBusiness Licensing prior to the issuance of each licence. Please note that licence fee not paid timely may result in a lapse of the application and new licence application will have to be submitted.
If you are experiencing any technical difficulties or need assistance with submitting your application, you may contact GoBusiness Licensing Helpdesk at Tel: 63363373.
For licence applications approved from 16 March 2026, a licence is valid for a period of 5 years and the licence fees for individuals and business entities are $1250 and $2500 respectively.
An application for renewal of a licence must be made no later than 2 months before the licence’s expiry. Licensee who fails to submit a licence renewal application 2 months prior to the expiry may be required to apply for a new licence. This may result in a possible lapse in the licensure period where the business entity will be required to suspend its operations, until the outcome of its licence application is determined.
When a licence is due for renewal, the GoBusiness Licensing will send a reminder via email to the licensee. Upon timely submission of the licence renewal application, CSRO will proceed to review the application and the applicant will be notified of the outcome via the system. If the application is approved, the licensee will be required to make an ePayment via GoBusiness Licensing.
Licensees may proceed to renew for the licences regardless of their CTM Promoter (Tier 3) certification status. However, licensees are reminded to ensure that an active CTM Promoter (Tier 3) or equivalent certificate is obtained by the end of the grace period on 31 December 2026 to remain in compliance with the conditions of the licence.
As long as a renewal application has been submitted within the renewal window, the existing licence continues in force until the date on which the licence is renewed or the application for its renewal is refused, as the case may be. Licensees may therefore continue to provide licensable cybersecurity service(s) in the interim while the renewal application is being processed.
CSRO intends to keep the licensing requirements simple to minimise operational costs for licensees. The requirements that licensees must comply with, as stipulated in the Cybersecurity Act, can be found here.
Licensees should ensure that records capture all required information in sufficient detail, and are kept in a form that allows accountability and traceability in the event of an alleged misconduct or irregularities. You may also wish to refer to Annex B of the closing note published on CSA's website on 11 Apr 2022 for examples of record keeping requirements.
The licensing framework aims to raise quality of the standards of the cybersecurity service providers over time. In view of the need to strike a good balance between industry development and cybersecurity needs, quality requirements will not be imposed on the licensees at the outset.
CSRO will work with the industry and professional association partners to introduce appropriate standards and certifications in the near future to improve the standing of cybersecurity professionals.
Licensee is required to update the Licensing Officer of changes to their details for the following changes:
a) Changes to Key Executive Officers;
b) Addition of Key Officers;
c) Removal of Key Officers; and
d) Changes to the other information of the licensee and/or its officers of business entity such as changes to Name, Passport Number, Company Name, Company UEN, and certifications of the existing applicant and officers of the business entity.
Licensees may refer to here for more information on the notification method and/or supporting documentation required for the update.
With effect from 16 March 2026, the licensee shall notify the Licensing Officer within 30 days after the appointment of any new key officer(s) and/or the cessation of existing key officer(s). Licensees are also required to notify the licensing officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the licensing officer in relation to its licence within 30 days. Licensees are reminded to ensure that any new key officer who is appointed must be fit and proper as defined in section 26(8) of the Act, failing which punitive measures may be imposed on the licensee, including revocation or suspension of the licence.
Licensees are not permitted to use the CSRO or CSA logo for publicity purposes. Instead, licensees may use text to describe their licensure status, or direct clients to the list of Licensed Service Providers on the CSRO website, where the licensee’s licence details are reflected.
Please be reminded that under Section 6A(3)(a) of the Cybersecurity Act, a person who uses, without the Commissioner's prior written permission, a symbol or representation that is identical to the Cyber Security Agency of Singapore's symbol or representation — including the CSRO and CSA logo — shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months, or to both.
A cybersecurity service provider's licence is not transferable and is unique to each licensee's registration number (such as UEN) as specified on the e-Licence.
If a business entity undergoes a change in ownership, restructuring, or merger that results in the setting up of a new entity (i.e. one with a different UEN), the new entity will be required to apply for a fresh licence before providing any licensable cybersecurity services.
Licensees who wish to terminate their licence before its expiry should submit an application via the GoBusiness Licensing.
Under the updated conditions of licence, all licensees who are licensed to provide licensable cybersecurity services are required to hold an active CTM Promoter (Tier 3) or equivalent certification. This requirement applies uniformly regardless of the type or modality of licensable cybersecurity services provided.
Acceptable CTM Promoter (Tier 3) or equivalent certifications are required to fulfil the following requirements:
1. Certification bodies must be accredited by the Singapore Accreditation Council or equivalent national accreditation bodies; and
2. Certification must cover the environment (people, processes, and technology) supporting the delivery of the licensed cybersecurity service(s). Examples of acceptable scope of certification includes:
⦁ [For providers of one licensable cybersecurity service] Provision of licensed cybersecurity services - Penetration testing or Provision of licensed cybersecurity services - Managed security operations centre (SOC) monitoring
⦁ [For providers of both licensable cybersecurity services] Provision of licensed cybersecurity services – Penetration testing and Managed security operations centre monitoring
As indicated in the Closing Note to the Consultation on the Licensing Framework for Cybersecurity Service Providers, ISO/IEC 27001 certification is currently the only recognised equivalent for CTM Promoter (Tier 3), as it is an international information security standard. Licensees that have obtained an acceptable ISO/IEC 27001 certificate will be deemed to have achieved CTM Advocate (Tier 5) certificate.
CSRO will progressively review additional certifications and update the list where appropriate.
All licensees, regardless of their current CTM Promoter (Tier 3) certification status, are given a grace period until 31 December 2026 to obtain the CTM Promoter (Tier 3) certification or equivalent certification. After this date, licensees must maintain an active CTM Promoter (Tier 3) or equivalent certification at all times to comply with the conditions of the licence.
Licensees that do not hold an active CTM Promoter (Tier 3) or equivalent certificate by the end of the grace period will be in breach of their licence conditions, which may result in a revocation or suspension of the licence under Section 30 of the Cybersecurity Act.
Licensee may submit their current CTM Promoter (Tier 3) certification status and all relevant supporting documents and information via FormSG. CSRO will contact the licensee for more information if necessary, and provide an assessment outcome to the licensee upon completion of the assessment.
It will not be an offence under the Cybersecurity Act to use unlicensed cybersecurity service providers. However, consumers should be wary of the safety and security risks that unlicensed service providers may pose, given the service providers’ extensive access into their clients’ computer systems when providing their services. Any misuse of such confidential information by the unlicensed service providers may result in severe damages to the consumers.
Consumers are therefore encouraged to only procure licensable cybersecurity services from licensed cybersecurity service providers, and to inform CSRO of any service providers who are providing licensable cybersecurity services without a licence. A person who engages in the business of providing any licensable cybersecurity services to other person without a licence shall be guilty of an offence under Section 24 of the Cybersecurity Act and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both. Under Section 31 of the Cybersecurity Act, unlicensed cybersecurity service providers are also not entitled to bring any proceeding in any court to recover any commission, fee, gain, or reward for the service provided.
Consumers may refer to the lists of licensed cybersecurity service providers. Consumers are also encouraged to verify that a cybersecurity service provider holds a valid licence before engaging their services.
The Cyber Security Agency of Singapore (CSA) is the agency established to keep Singapore’s cyberspace safe and secure through administering of the Cybersecurity Act. To administer the licensing framework, CSA has set up the Cybersecurity Services Regulation Office (CSRO) which will act as the point of contact for all licensing-related matters. These include enforcing the licensing framework; responding to the industry’s queries and feedback; as well as sharing of resources on licensable cybersecurity services with consumers such as the list of licensees and buyer’s guides.
For further assistance, please contact us at:
Cybersecurity Services Regulation Office
92 Punggol Way
Level 8 North
Singapore 829854
Email: contact@csro.gov.sg
A. Licensing Requirements
1. Who needs to apply for cybersecurity service provider's licence?
All providers of managed security operations centre monitoring services and penetration testing services (i.e. licensable cybersecurity services) to the Singapore market will need to apply for a cybersecurity service provider’s licence, regardless of whether they are companies or individuals (i.e. freelancers or sole proprietorships owned and controlled by individuals) or third-party cybersecurity service providers (“CSPs”) that provide these services in support of other CSPs. However, a company that provides licensable cybersecurity services solely for its related company(ies) e.g. in-house service provider, does not require a licence.#Resellers, third-party vendors or overseas CSPs including the affiliates of a licensee who provide licensable cybersecurity services to the Singapore market would need to be licensed.*
#According to the Companies Act, related company(ies) is defined as, but not limited to:
- a) holding company of another corporation;
b) subsidiary of another corporation; or
c) subsidiary of the holding company of another corporation.
2. What is considered as providing licensable cybersecurity services to the Singapore market?
Singapore market refers to persons who engage or intend to engage in or advertise its businesses of providing licensable cybersecurity services in Singapore. Generally, this may include, without limitation, persons with customers located in Singapore, and persons that have corporate or business presence in Singapore. Service providers should consider their business plans and activities (including any future business or expansion plan) to determine if a licence is required.
3. Could you give me examples of the third-party vendors and resellers of the licensable cybersecurity services that are regulated under the licensing framework?
Third-party vendors and resellers who are required to be licensed refer to those who are in the business of providing licensable cybersecurity services to consumers on behalf of another service provider (anywhere in the distribution chain) of the licensable cybersecurity services.
4. Are all companies under the same corporate group required to apply for separate licences in order to provide licensable cybersecurity services?
Each business entity within the same corporate group is required to apply for a licence if each of this business entity wishes to provide any of the licensable cybersecurity services.
5. For companies providing both managed security operations centre monitoring services and penetration testing services, how many licence should they apply?
Companies are required to apply for a licence for each of the licensable cybersecurity services (i.e. a licence for managed security operations centre monitoring service and a licence for penetration testing service).
6. Are the employees of cybersecurity service providers required to apply for an individual licence?
Individual employees of cybersecurity service providers that provide licensable cybersecurity services on behalf of their employer are not required to be licenced.
7. Will CSRO consider licensing other cybersecurity services in the future?
CSRO will continue to monitor international and industry trends and engage the industry where necessary, to assess if any new types of cybersecurity services should be included in the licensing framework, such as those that pose higher risks to consumers.
B. Licence Application
8. What do I need to ensure prior to applying for a licence?
Business entities are required to ensure that officer of the business entity is fit and proper when applying for a licence. Officer of a business entity refers to any director or partner, or other person listed in the business entity’s business profile e.g. ACRA BizFile, with the exception of shareholders (who are not directors or partners) and company secretary, or any other person who is responsible for the management of the business entity. Individuals who are applying for the licence should also be a fit and proper person to hold the licence. With effect from 16 March 2026, business entities and individuals applying for the licence are required to hold an active certificate for Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent covering the required scope for the applied licensable cybersecurity service(s) at the point of licence application and/or renewal.*
Failing which, the licence application may be rejected.
*Applicants and licensees will be given a grace period of until 31 December 2026 to obtain and maintain an active certificate for CTM Promoter (Tier 3) or equivalent covering the required scope for the applied licensable cybersecurity service(s) for the duration of the Licence.
9. How can an overseas company or individual apply for a licence?
Overseas companies which are not registered in Singapore but wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a CorpPass Admin Account for Foreign Entity which is necessary for the submission of the licence application via GoBusiness Licensing. For assistance on setting up a CorpPass Admin Account, please visit the CorpPass website or email support@corppass.gov.sg. Alternatively, please click here for more contact options.
Do note that overseas companies that are not registered with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) are required to upload a copy of their business profile (reflecting the details of the business registration record with the relevant authorities in the overseas country) in the licence application. Documents not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person's full name, address and qualifications for making the translation.
Overseas individuals who are not Permanent Residents, Pass holders (e.g. Employment Pass, S-Pass etc) or Work Permit holders and wish to apply to be licensed to provide licensable cybersecurity services to the Singapore market must first apply for a Singpass Foreign Account which is necessary for the submission of the licence application via GoBusiness Licensing. To apply for a Singpass Foreign Account, please email contact@csro.gov.sg for further instructions.
10. Who are the Key Executive Officer and Key Officer of a business entity applicant?
Key Executive Officer refers to the person who is responsible for the proper administration and overall management of the business entity and supervision of its employees.
Key Officer refers to any director, partner, or other person listed in the business entity's business profile e.g. ACRA Bizfile, with the exception of shareholders (who are not directors or partners) and the company secretary. This also includes any other person who is responsible for the management of the business entity, that may not be listed in the business profile.
11. Do I need to list down all the employees providing the licensable cybersecurity services in the licence application form?
Business entities are only required to include the Key Executive Officer and Key Officer(s) in their licence applications. Do take note that there can only be one Key Executive Officer for each licence application.
12. How does the Licensing Officer determine whether the officers of a business entity applicant are fit and proper?
The Licensing Officer shall consider all relevant facts and matters when determining if officers of the business entity applicant are fit and proper, including whether any Key Executive Officer or Key Officers:a)Has been convicted in Singapore or elsewhere of any offence involving fraud, dishonesty or moral turpitude;
b) Has had a judgment entered against him/her in civil proceedings that involves a finding of fraud, dishonesty or breach of fiduciary duty on his/her part;
c) Is or was suffering from a mental disorder;
d) Is an undischarged bankrupt or has entered into a composition with his/her creditors; or
e) Has had a licence revoked by the Licensing Officer previously.
13. What happens if any of the officers fails to meet the fit and proper criteria?
Business entity applicants with officer(s) failing to meet the fit and proper criteria may be refused a licence by the Licensing Officer. CSRO would like to highlight that every licence application is considered carefully on a case-by-case basis. For instance, officers of a business entity licence applicant who have past criminal conviction will not automatically be deemed as being not fit and proper. Factors such as the seriousness and nature of the offence, the time that has elapsed since the conviction, and the responsibility of the officer will be taken into consideration by the Licensing Officer when assessing the licence application.
14. Is it a requirement to include relevant qualification or experience relating to the licensable cybersecurity service in the licence application?
Pursuant to regulation 2(2) of the Cybersecurity (Cybersecurity Service Providers) Regulations 2022, a licence application must include information on relevant qualifications or experience relating to the licensable cybersecurity services. In the situation where none of the Key Executive Officer or Key Officer(s) have qualifications or experience relevant to the licensable service, the information of the relevant qualification or experience of one of the business entity licence applicant's employee or proposed employee with supervisory responsibility who has qualifications or experience relating to the licensable service shall be included in the licence application.
15. Who would require a Certificate of Clearance?
A Certificate of Clearance (or equivalent documentation) is required for each of the overseas officer(s) and shall be obtained from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, home country refers to the country of nationality.
The Certificate of Clearance (or equivalent documentation) shall not be obtained earlier than three months before the date of licence application is submitted to CSRO.
16. What is the format for a Certificate of Clearance?
We do not intend to be prescriptive on the format of the Certificate of Clearance (or equivalent documentation) from the relevant authorities in the home country. The applicant should ensure that the Certificate of Clearance (or equivalent documentation) minimally certifies that the officer of the business entity licence applicant does not have any record of criminal conviction nationwide in the home country. For avoidance of doubt, nationwide includes all states of the home country.Certificate of Clearance (or equivalent documentation) not in the English language must be submitted together with an accurate translation in the English language. The translation must be certified by the person making it to be a correct translation. The certificate must contain a statement of that person’s full name, address and qualifications for making the translation.
17. By when and how will I receive the notification on the outcome of a licence application?
Each licence application takes up to approximately 8 weeks to process upon submission of a completed form and all required supporting documents. Applicant will receive an email notification on the outcome. If the application is approved, applicant will be required to make ePayment of licence fee via the GoBusiness Licensing prior to the issuance of each licence. Please note that licence fee not paid timely may result in a lapse of the application and new licence application will have to be submitted.
18.I have difficulties in submitting my application to GoBusiness Licensing, who can I contact for help?
If you are experiencing any technical difficulties or need assistance with submitting your application, you may contact GoBusiness Licensing Helpdesk at Tel: 63363373.
C. Licence Fees and Validity
19. How long is the validity period of a licence and what are the fees payable for a licence?
For licence applications approved from 16 March 2026, a licence is valid for a period of 5 years and the licence fees for individuals and business entities are $1250 and $2500 respectively.
D. Licence Renewal
20. When should a licence renewal application be submitted?
An application for renewal of a licence must be made no later than 2 months before the licence’s expiry. Licensee who fails to submit a licence renewal application 2 months prior to the expiry may be required to apply for a new licence. This may result in a possible lapse in the licensure period where the business entity will be required to suspend its operations, until the outcome of its licence application is determined.
21. How is the licence renewal application process like?
When a licence is due for renewal, the GoBusiness Licensing will send a reminder via email to the licensee. Upon timely submission of the licence renewal application, CSRO will proceed to review the application and the applicant will be notified of the outcome via the system. If the application is approved, the licensee will be required to make an ePayment via GoBusiness Licensing.
22. Are licensees able to renew the licences before obtaining the Cyber Trust Mark (“CTM”) Promoter (Tier 3) certification?
Licensees may proceed to renew for the licences regardless of their CTM Promoter (Tier 3) certification status. However, licensees are reminded to ensure that an active CTM Promoter (Tier 3) or equivalent certificate is obtained by the end of the grace period on 31 December 2026 to remain in compliance with the conditions of the licence.
23. If a licence renewal application has not been approved before the existing licence's expiry date, can licensees continue to provide licensable cybersecurity services?
As long as a renewal application has been submitted within the renewal window, the existing licence continues in force until the date on which the licence is renewed or the application for its renewal is refused, as the case may be. Licensees may therefore continue to provide licensable cybersecurity service(s) in the interim while the renewal application is being processed.
E. Licence Conditions and Obligations
24. What are the conditions of the licence?
CSRO intends to keep the licensing requirements simple to minimise operational costs for licensees. The requirements that licensees must comply with, as stipulated in the Cybersecurity Act, can be found here.
25. Are there guidelines for the type(s) of records a licensee should maintain/keep?
Licensees should ensure that records capture all required information in sufficient detail, and are kept in a form that allows accountability and traceability in the event of an alleged misconduct or irregularities. You may also wish to refer to Annex B of the closing note published on CSA's website on 11 Apr 2022 for examples of record keeping requirements.
26. Will quality requirements be imposed on licensees?
The licensing framework aims to raise quality of the standards of the cybersecurity service providers over time. In view of the need to strike a good balance between industry development and cybersecurity needs, quality requirements will not be imposed on the licensees at the outset. CSRO will work with the industry and professional association partners to introduce appropriate standards and certifications in the near future to improve the standing of cybersecurity professionals.
27. What are the changes to business details that a licensee is required to inform the Licensing Officer?
Licensee is required to update the Licensing Officer of changes to their details for the following changes:a) Changes to Key Executive Officers;
b) Addition of Key Officers;
c) Removal of Key Officers; and
d) Changes to the other information of the licensee and/or its officers of business entity such as changes to Name, Passport Number, Company Name, Company UEN, and certifications of the existing applicant and officers of the business entity.
Licensees may refer to here for more information on the notification method and/or supporting documentation required for the update.
28. When should I inform the Licensing Officer in the event of changes to key officer of my business?
With effect from 16 March 2026, the licensee shall notify the Licensing Officer within 30 days after the appointment of any new key officer(s) and/or the cessation of existing key officer(s). Licensees are also required to notify the licensing officer of any change or inaccuracy in the information and particulars that the licensee and/or its key officers have submitted to the licensing officer in relation to its licence within 30 days. Licensees are reminded to ensure that any new key officer who is appointed must be fit and proper as defined in section 26(8) of the Act, failing which punitive measures may be imposed on the licensee, including revocation or suspension of the licence.
29. Can I use the CSRO or CSA logo in our publicity materials?
Licensees are not permitted to use the CSRO or CSA logo for publicity purposes. Instead, licensees may use text to describe their licensure status, or direct clients to the list of Licensed Service Providers on the CSRO website, where the licensee’s licence details are reflected.Please be reminded that under Section 6A(3)(a) of the Cybersecurity Act, a person who uses, without the Commissioner's prior written permission, a symbol or representation that is identical to the Cyber Security Agency of Singapore's symbol or representation — including the CSRO and CSA logo — shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months, or to both.
30. My company is undergoing restructuring. Is the existing licence transferable?
A cybersecurity service provider's licence is not transferable and is unique to each licensee's registration number (such as UEN) as specified on the e-Licence.If a business entity undergoes a change in ownership, restructuring, or merger that results in the setting up of a new entity (i.e. one with a different UEN), the new entity will be required to apply for a fresh licence before providing any licensable cybersecurity services.
31. How do I request to terminate a licence?
Licensees who wish to terminate their licence before its expiry should submit an application via the GoBusiness Licensing.
F. Requirement for Cyber Trust Mark (“CTM”) Promoter (Tier 3) Certification
32. Am I required to obtain Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent certification?
Under the updated conditions of licence, all licensees who are licensed to provide licensable cybersecurity services are required to hold an active CTM Promoter (Tier 3) or equivalent certification. This requirement applies uniformly regardless of the type or modality of licensable cybersecurity services provided.
33. What are the requirements for Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent certification?
Acceptable CTM Promoter (Tier 3) or equivalent certifications are required to fulfil the following requirements:
1. Certification bodies must be accredited by the Singapore Accreditation Council or equivalent national accreditation bodies; and
2. Certification must cover the environment (people, processes, and technology) supporting the delivery of the licensed cybersecurity service(s). Examples of acceptable scope of certification includes:
⦁ [For providers of one licensable cybersecurity service] Provision of licensed cybersecurity services - Penetration testing or Provision of licensed cybersecurity services - Managed security operations centre (SOC) monitoring
⦁ [For providers of both licensable cybersecurity services] Provision of licensed cybersecurity services – Penetration testing and Managed security operations centre monitoring
34. What would be considered as a Cyber Trust Mark (“CTM”) Promoter (Tier 3) equivalent certification?
As indicated in the Closing Note to the Consultation on the Licensing Framework for Cybersecurity Service Providers, ISO/IEC 27001 certification is currently the only recognised equivalent for CTM Promoter (Tier 3), as it is an international information security standard. Licensees that have obtained an acceptable ISO/IEC 27001 certificate will be deemed to have achieved CTM Advocate (Tier 5) certificate.CSRO will progressively review additional certifications and update the list where appropriate.
35. Is there a grace period for licensees to obtain Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent certification?
All licensees, regardless of their current CTM Promoter (Tier 3) certification status, are given a grace period until 31 December 2026 to obtain the CTM Promoter (Tier 3) certification or equivalent certification. After this date, licensees must maintain an active CTM Promoter (Tier 3) or equivalent certification at all times to comply with the conditions of the licence.
36. What happens if a licensee does not hold an active Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent certificate by the end of the grace period?
Licensees that do not hold an active CTM Promoter (Tier 3) or equivalent certificate by the end of the grace period will be in breach of their licence conditions, which may result in a revocation or suspension of the licence under Section 30 of the Cybersecurity Act.
37. How should licensee submit their Cyber Trust Mark (“CTM”) Promoter (Tier 3) or equivalent certification for assessment?
Licensee may submit their current CTM Promoter (Tier 3) certification status and all relevant supporting documents and information via FormSG. CSRO will contact the licensee for more information if necessary, and provide an assessment outcome to the licensee upon completion of the assessment.
G. Consumer Guidance
38. Will it be an offence to use unlicensed cybersecurity service providers?
It will not be an offence under the Cybersecurity Act to use unlicensed cybersecurity service providers. However, consumers should be wary of the safety and security risks that unlicensed service providers may pose, given the service providers’ extensive access into their clients’ computer systems when providing their services. Any misuse of such confidential information by the unlicensed service providers may result in severe damages to the consumers.
Consumers are therefore encouraged to only procure licensable cybersecurity services from licensed cybersecurity service providers, and to inform CSRO of any service providers who are providing licensable cybersecurity services without a licence. A person who engages in the business of providing any licensable cybersecurity services to other person without a licence shall be guilty of an offence under Section 24 of the Cybersecurity Act and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both. Under Section 31 of the Cybersecurity Act, unlicensed cybersecurity service providers are also not entitled to bring any proceeding in any court to recover any commission, fee, gain, or reward for the service provided.
39. Where can I find the list of licensed cybersecurity service providers?
Consumers may refer to the lists of licensed cybersecurity service providers. Consumers are also encouraged to verify that a cybersecurity service provider holds a valid licence before engaging their services.
H. About CSRO
40. What is the difference between CSA and CSRO?
The Cyber Security Agency of Singapore (CSA) is the agency established to keep Singapore’s cyberspace safe and secure through administering of the Cybersecurity Act. To administer the licensing framework, CSA has set up the Cybersecurity Services Regulation Office (CSRO) which will act as the point of contact for all licensing-related matters. These include enforcing the licensing framework; responding to the industry’s queries and feedback; as well as sharing of resources on licensable cybersecurity services with consumers such as the list of licensees and buyer’s guides.
41. Who can I contact for further details?
For further assistance, please contact us at:
Cybersecurity Services Regulation Office
92 Punggol Way
Level 8 North
Singapore 829854
Email: contact@csro.gov.sg