The Differentiated Evolution of Cybersecurity Law: Comparative Analysis of the Latest Amendments to the Cybersecurity Law in China and Singapore
Under the joint impetus of accelerated global digital transformation and expanding cybersecurity threats, improving legislation has become an inevitable choice for countries seeking to strengthen the foundation of digital development. The amendment to Singapore's Cybersecurity Act 2018 came into effect on October 31, 2025, while China's revision of the Cybersecurity Law will take effect on January 1, 2026. However, owing to different national conditions and considerations, the directions of the two revisions differ. China's revision focuses on strengthening domestic legal liability and the coordinated construction of its governance system, while Singapore's revision enhances the overall resilience of its digital ecosystem by expanding regulatory scope and introducing flexible mechanisms. This nearly synchronous legislative activity provides a typical case for observing the differentiated evolution of cybersecurity rule of law under different governance models.
Comparison of the Background and Purpose of the Cybersecurity Law Amendments in China and Singapore
Background and Purpose of the Amendment of China's Cybersecurity Law
Background of the Amendment
This update serves dual purposes: it addresses the evolving cybersecurity landscape where expanding attack vectors and escalating risks have turned cybersecurity into a complex challenge, while strategically responding to rapid advancements in emerging technologies like AI to foster innovation and establish governance frameworks. Furthermore, the revision strengthens internal coordination within China's cyber and data legal system by aligning with subsequent legislation such as the Data Security Law and Personal Information Protection Law, thereby enhancing the effectiveness and coherence of comprehensive governance.
Purposes of Legal Amendment
The revision of the Cybersecurity Law serves as a comprehensive response to the aforementioned legislative context and institutional implementation. Its core objective is to further strengthen the legal liability framework by substantially increasing fine amounts and detailing penalty scenarios, thereby addressing the low cost of violations under the original law and enhancing its deterrent and enforcement power. Simultaneously, the revision clarifies the governance framework for artificial intelligence, adding specific provisions to improve ethical standards and security oversight while affirming the state's support for technological R&D, ensuring its healthy development through legal safeguards. Additionally, the revision significantly strengthens the law's extraterritorial applicability, introducing new clauses to clarify legal liabilities and related sanctions for overseas activities endangering China's cybersecurity, safeguarding the nation's cyberspace sovereignty and development interests.
Background and Purpose of Singapore Cybersecurity Act
Background of the Amendment
Singapore's recent amendment to the Cybersecurity Act, which has been in force since 2018, responds to significant shifts in the external environment. The primary catalyst stems from evolving external threats and technological applications. As a highly digitalized nation, Singapore has long faced persistent security risks in critical infrastructure sectors, exemplified by the 2018 SingHealth data breach. Meanwhile, the widespread adoption of cloud services and virtualization technologies has increased reliance on third-party or overseas infrastructure, further amplifying vulnerabilities. Secondly, emerging technological scenarios have exposed regulatory gaps in the existing law. While the original legislation primarily covered 11 categories of critical information infrastructure, it excluded key entities such as cloud service providers, data centers, and universities from oversight, and lacked a regulatory framework for temporary critical systems supporting major events. Additionally, the amendment addresses core industry concerns raised during consultations, including increased compliance costs, regulatory transparency, and enforcement impacts. This revision tackles these issues through targeted measures.
Purposes of Legal Amendment
Singapore's 2024 revision of the Cybersecurity Act represents a targeted response to emerging cyber risks, enhancing the foresight of its cybersecurity governance framework. The core revisions expand regulatory coverage to address new threats by introducing two new categories: "foundational digital infrastructure" (FDI) and "entities of special cybersecurity interest" (ESCI). These categories include cloud service providers, data centers, and universities, filling gaps in existing legal oversight. The revision also specifically addresses risks in supply chains and outsourcing, refining the original critical information infrastructure (CII) regulations. It clarifies that even if CII is owned by third parties or located overseas, local critical service providers must still assume cybersecurity responsibilities, ensuring security standards remain uncompromised while the benefits of outsourcing are retained. Additionally, to strengthen resilience against sudden threats, the revision introduces "systems of temporary cybersecurity concern" (STCC), authorizing regulators to implement temporary enhanced oversight measures on relevant systems during high-risk periods.
Core Clauses and Highlights of the Revision of China's Cybersecurity Law
Core Terms Interpretation
Establishing a refined disciplinary gradient of "behavior + consequences"
The revised legal liability system (mainly reflected in new articles such as 61, 64, 65, 67 and 69) has changed the previous situation of insufficient punishment and excessive discretion, and constructed a refined two-dimensional "behavior + consequence" disciplinary ladder.
First, expanded coverage in terms of behavioral compliance. For instance, internet service providers (ISP) who fail to fulfill basic cybersecurity obligations (such as implementing the graded protection system) may now face direct fines of "10,000 to 50,000 yuan" from regulatory authorities, even in the absence of actual harm. This reform replaces the previous "warning-first, fine-later" approach under the old law. It demonstrates that compliance has evolved into a real-time, ongoing obligation rather than a post-facto remedial measure.
Secondly, the consequences are quantified and graded. The most deterrent innovation in this revision lies in the introduction of a cliff-like penalty mechanism directly linked to harmful consequences. The core logic is illustrated in the table below:
Substantial strengthening of penalties for individuals
The maximum fines for directly responsible supervisors and other personnel involved have been increased from 50,000 yuan to 1 million yuan, a twentyfold rise. This means executives' personal assets will now be directly tied to their cybersecurity decisions, forcing a restructuring of the company's internal power-responsibility-interest framework. The compliance department's status will be elevated from a cost center to a core risk decision-making level.
Expand "Close Applications" as an Operational Sanction
The new law introduces a new penalty clause that adds "or application" to the existing "website shutdown" provisions. For modern enterprises with mobile apps as their primary business entry point, this effectively constitutes an "operational death penalty" whose deterrent power far exceeds financial fines. It signifies that regulators have gained the ability to directly intervene at the core of digital business models, elevating corporate compliance risks from the "financial loss" level to the "survival risk" level.
Expanding Jurisdiction from "Critical Information Infrastructure" to "Cybersecurity"
The jurisdictional scope in the original Article 75 was revised from "endangering the critical information infrastructure of the People's Republic of China" to "endangering the cybersecurity of the People's Republic of China" (new Article 77). This seemingly minor change of wording carries profound implications.
It marks a shift from "facility defense" to "state protection": "critical information infrastructure" is a relatively specific and bounded concept, whereas "cybersecurity" is an abstract state with broad connotations that changes dynamically. This move greatly expands the extraterritorial reach of China's laws in cyberspace. Any overseas behavior identified by China's competent authorities as endangering its "cybersecurity", regardless of whether it directly attacks identified CII, may fall within the scope of sanctions under Chinese law.
Compliance Clauses of the Administrative Penalty Law
The newly introduced Article 73 (aligning with the Administrative Penalty Law) provides enterprises with legal avenues for lenient, mitigated, or non-penalty treatment. The underlying intent of this provision is to incentivize companies to establish and effectively implement compliance systems featuring "pre-incident prevention" and "in-incident response." In the event of a safety incident, a company's ability to demonstrate that it has fulfilled its "reasonable duty of care" (e.g., maintaining robust compliance frameworks, conducting regular safety assessments, and maintaining complete emergency response logs) will serve as the key differentiator between "unfortunate victims" and "negligent liable parties." This also constitutes a primary defense for executives to avoid substantial personal fines.
Establishing an AI Governance Framework
The newly added Article 20 is a highly forward-looking highlight of this revision. The first half of the clause clarifies the "development orientation" of the state's support for artificial intelligence research and development and infrastructure construction, while the latter half emphasizes the "safety orientation" of improving ethical norms, strengthening risk monitoring and assessment, and enhancing safety supervision. This positioning indicates that artificial intelligence, under the legal framework of China, is not only a strategically prioritized technology but also a key risk area that must be incorporated into regulatory oversight. At the same time, the clause's parallel mention of "risk monitoring and assessment" and "safety supervision" implies that the compliance focus for future AI services and products will be shifted to the research and training stages, requiring enterprises to establish a risk self-assessment and supervision mechanism throughout the entire lifecycle.
Key Highlights of the Revision
Further escalation of deterrence
The new law has achieved a substantial leap in deterrence through a combination of measures, including "multi-million-yuan fines," "application shutdowns" (under new Articles 64 and 65), and "million-yuan individual penalties."
For the vast majority of internet and mobile application enterprises, applications serve as the core business vehicle and user entry point. The punitive measure of 'closing applications' carries far greater deterrence than fines, directly impacting the operation and survival of the business model.
The personal fine cap has been raised to one million yuan, effectively piercing the corporate veil to expose cybersecurity accountability and directly targeting persons at the decision-making and execution levels. This will inevitably compel corporate executives, technical leaders, and legal compliance departments to collaborate more deeply, elevating security compliance from a technical task to a critical managerial responsibility.
The Introduction of Compliance "Safe Harbor" Clause
The introduction of Article 73 (which aligns with the provisions of the Administrative Penalty Law regarding leniency, mitigation, or exemption from penalties) represents a pivotal regulatory design in this revision. Its practical value lies in providing a legal defense for enterprises that have established and effectively operated comprehensive compliance systems, yet still suffer attacks carried out with advanced technical means. Under this framework, corporate investment in cybersecurity is no longer a mere cost expenditure but becomes a verifiable risk-hedging asset and a form of liability insurance. In the event of a security incident, a systematic and documented evidence chain can demonstrate that the enterprise has fulfilled its due diligence obligations, thereby securing penalty reductions or exemptions.
Enhanced alignment with the Data Security Law and the Personal Information Protection Law
For example, the second paragraph of the newly amended Article 42 explicitly requires internet service providers to comply with both the Civil Code and the Personal Information Protection Law when processing personal data. This resolves corporate compliance challenges arising from multiple legal frameworks, mandating integrated regulatory compliance. The revised Article 71 replaces the original penalty provisions for personal data protection and cross-border data transfers with "penalties in accordance with relevant laws and administrative regulations," directly referencing specific penalties under the Personal Information Protection Law and the Data Security Law. This approach eliminates legal redundancies while establishing a unified and authoritative regulatory basis for enforcement.
Core Clauses and Highlights of Singapore Cybersecurity Law Revision
Interpretation of Core Clauses
1. The regulatory scope has achieved strategic expansion. The revised legislation introduces two new categories of regulated entities: the first is "Foundational Digital Infrastructure" (FDI), comprising the core physical systems supporting Singapore's digital ecosystem, including data centers and cloud computing facilities; the second is "Entities of Special Cybersecurity Interest" (ESCI). Although not classified as Critical Information Infrastructure (CII) or FDI, these entities could cause severe disruption to Singapore's defense, diplomacy, and economy if compromised. Major universities and key research institutions fall under this category. This revision formally brings previously unregulated critical entities into the regulatory framework.
2. Supply chain and outsourcing risks are now clearly regulated. The revised legislation strengthens the management responsibilities of critical information infrastructure (CII) owners over third-party suppliers (including cloud service providers), stipulating that even when core systems are owned, operated, or located overseas by third parties, CII owners remain ultimately accountable for security compliance, ensuring third-party services meet statutory cybersecurity standards. This provision precisely addresses the risk transmission issues arising from the widespread adoption of outsourcing and cloud services in the digital era.
3. Implementation of a flexible temporary regulatory framework. To address short-term high-risk scenarios during specific periods—such as hosting major international conferences or facing targeted advanced persistent threat attacks—the revised legislation introduces the "System of Temporary Cybersecurity Concern" (STCC). The Commissioner of Cybersecurity may temporarily designate specific systems as STCCs, imposing enhanced cybersecurity obligations. The designation can be legally revoked once the risk period ends, providing essential legal flexibility to respond to evolving cyber threats.
4. Incident reporting requirements and regulatory authority are being reinforced in tandem. The revised legislation expands the scope of cybersecurity incident reporting while potentially shortening reporting timelines. Concurrently, it grants the Cyber Security Agency (CSA) broader investigative and enforcement powers, including easier access to non-CII facilities for investigations and the ability to request necessary information from relevant entities, to address the increasingly complex demands of cybersecurity investigations.
Key Highlights of the Revision
1. This revision marks another advancement in Singapore's cybersecurity governance paradigm. By bringing Foundational Digital Infrastructure (FDI) and Entities of Special Cybersecurity Interest (ESCI) under regulatory oversight, the law's scope has been extended to the broader foundational layer supporting the digital economy, demonstrating the forward-looking strategic layout of national cybersecurity governance.
2. The legislation demonstrates a distinct risk-oriented approach and refined characteristics. The System of Temporary Cybersecurity Concern (STCC) mechanism abandons the "one-size-fits-all" regulatory model, avoiding permanent inclusion of all high-risk systems under strict oversight. Instead, it implements temporary, precisely targeted regulatory measures to address high-risk scenarios during specific periods, effectively balancing cybersecurity protection needs with the operational burdens on market entities.
3. Clear delineation of accountability. Addressing the industry trend of widespread cloud computing and IT outsourcing, the revised regulations explicitly establish the core principle that "responsibility does not transfer with outsourcing." This compels end-user enterprises to proactively fulfill their supply chain security management obligations, ensuring cybersecurity responsibilities are cascaded and effectively implemented throughout the supply chain. It resolves the industry challenge of difficult-to-implement security accountability in the context of technology outsourcing.
4. The revised legislation addresses dual priorities: cybersecurity safeguards and business-friendly development. While expanding regulatory coverage, it effectively addresses industry concerns by establishing clear entry thresholds and evaluation criteria for FDI and ESCI oversight. The Cyber Security Agency (CSA) is required to strictly adhere to the necessity principle when exercising newly granted regulatory and enforcement powers. This approach not only strengthens national cybersecurity defenses but also provides institutional safeguards to ensure a conducive business environment for market entities.
Epilogue
In summary, the revisions of China and Singapore's cybersecurity laws both demonstrate legal approaches to addressing the complex cyber risks of the digital era, but their legislative paths have different emphases. For multinational enterprises, this trend in legal revisions means that compliance work has evolved from meeting the requirements of a single jurisdiction to dynamically managing dual supervision. A deep understanding of the differences in governance logic behind the legislative revisions in the two countries, and accurate identification of overlapping obligations in key areas such as data export, supply chain security, and incident response, are the core pathways to building a robust and efficient cross-border cyber compliance system.