Cybersecurity Act 2026: Practical Compliance Checklist for Singapore Fintechs & Payment Providers

By Global Law Experts
– posted 3 hours ago

Singapore's Cybersecurity Act framework entered a new chapter in 2026, with broadened Critical Information Infrastructure (CII) definitions, tightened incident-reporting windows, and expanded enforcement powers that directly affect fintechs, payment service providers (PSPs), digital payment token (DPT) providers, and virtual asset service providers (VASPs). On 15 April 2026, the Cyber Security Agency of Singapore (CSA) escalated expectations further by issuing Advisory AD‑2026‑004 on the cybersecurity risks of frontier AI models, a move that places immediate obligations on any organisation deploying generative or advanced AI in payment-adjacent services. This guide provides the step-by-step compliance checklist that Singapore-based legal, compliance, and information-security teams need to act on now.

At a Glance: Five Priority Actions

  • Map your CII exposure. Determine whether your payment systems, settlement infrastructure, or cloud-hosted transaction platforms meet the broadened CII criteria under the 2026 amendments.
  • Update incident response plans. Align internal notification workflows to the tightened reporting windows the Cybersecurity Act now requires for CII operators.
  • Conduct an AI risk assessment. If you deploy frontier AI models, CSA Advisory AD‑2026‑004 expects you to complete an AI-specific impact assessment and implement eight concrete controls.
  • Revise vendor contracts. Add cybersecurity cooperation clauses, logging obligations, and data-residency requirements to every critical third-party agreement.
  • Coordinate CSA and MAS obligations. Financial institutions must satisfy both CSA and MAS Technology Risk Management (TRM) expectations; gaps between the two regimes create enforcement risk.

What Changed in the Cybersecurity Act 2026, and Who Is Affected?

The 2026 Cybersecurity Act amendments introduced several material changes that shift compliance obligations for technology-reliant financial services firms. The key amendments, as published on the CSA Cybersecurity Act legislation page, include the following:

  • Broadened CII definitions. The definition of critical information infrastructure in Singapore now captures a wider range of digital services that underpin essential functions, including payment processing, clearing, and settlement systems.
  • Tightened reporting windows. Operators of CII face compressed timelines for notifying CSA of prescribed cybersecurity incidents.
  • Enhanced enforcement powers. The Commissioner of Cybersecurity has been granted wider investigation and direction-issuing powers, including the ability to compel third-party service providers to cooperate.
  • Higher penalties. Maximum fines have been increased for failure to comply with CII obligations, failure to report incidents, and obstruction of investigations.
  • Extraterritorial reach. The amendments clarify obligations where CII is partly or wholly hosted outside Singapore but serves Singapore-based essential services.

Quick Checklist: Does This Apply to You?

  • Licensed PSP (major payment institution)
    Key triggers: Operates payment systems or e-money infrastructure used by essential services
    Immediate action: CII mapping exercise; update incident response plan
  • DPT service provider / VASP
    Key triggers: Hosts custodial wallets, operates exchange matching engines, or processes high-volume DPT transfers
    Immediate action: CII self-assessment; review MAS licence conditions
  • Fintech using frontier AI
    Key triggers: Deploys generative or advanced AI models in fraud detection, credit scoring, or customer-facing chatbots connected to payment rails
    Immediate action: AI impact assessment per CSA AD‑2026‑004; model inventory
  • Cloud/infrastructure vendor to the above
    Key triggers: Hosts, processes, or stores data for CII operators
    Immediate action: Review contract obligations; prepare for CSA cooperation directions

Critical Information Infrastructure: Fintech Mapping and Implications

Under the Cybersecurity Act, the Commissioner may designate a computer or computer system as CII if its loss or compromise would have a debilitating effect on the continuous delivery of an essential service in Singapore. The 2026 amendments make clear that CII designations in Singapore now extend to digital payment networks, automated clearing systems, and transaction-processing platforms that underpin the national payments ecosystem.

CII Indicator Table: How to Assess Your Systems

  • Core payment-processing engine
    Essential service connection: Real-time fund transfers (e.g., PayNow rails, FAST settlement)
    Consequence of compromise: Disruption to national payment continuity
  • DPT custody and hot-wallet infrastructure
    Essential service connection: Safeguarding of customer digital assets
    Consequence of compromise: Large-scale asset loss; systemic confidence impact
  • Cloud-hosted transaction database
    Essential service connection: Records of all payment instructions and reconciliations
    Consequence of compromise: Data integrity failure across multiple financial institutions
  • AI-driven fraud detection system
    Essential service connection: Gatekeeper for authorising or blocking transactions
    Consequence of compromise: Undetected fraud; cascading losses across payment network

Who Must Register or Notify CSA?

If the Commissioner designates your system as CII, you become an “owner of CII” and must comply with a prescribed set of obligations. Even if you have not yet received a formal designation, the CSA expects operators of systems that plausibly meet CII thresholds to proactively engage. Industry observers expect that several major PSPs and at least one DPT exchange will receive formal designation notices in the second half of 2026.

Governance Impacts for CII Owners

  • Board accountability. A named senior executive must take ownership of CII cybersecurity obligations.
  • Local CISO requirement. A Singapore-based cybersecurity officer must be appointed and made available to CSA.
  • Least-privilege and segmentation. CII systems must be logically and, where feasible, physically segmented from non-critical networks.
  • Audit and compliance reporting. CII owners must conduct regular cybersecurity audits and risk assessments, with results reportable to CSA on request.

New Obligations Under the Cybersecurity Act Singapore: Technical, Governance, and Contractual

The 2026 amendments do not merely broaden scope; they impose a layer of technical and governance controls that fintechs and PSPs must embed into day-to-day operations. Cybersecurity compliance in Singapore now demands demonstrable action across the following domains.

  • Patching and vulnerability management. Critical patches must be applied within defined timeframes; a documented patching policy is mandatory.
  • Multi-factor authentication (MFA). MFA must be enforced for all administrative and privileged-access accounts, without exception.
  • Logging and monitoring. Security event logs must be retained for a minimum period and monitored continuously with anomaly-detection capabilities.
  • Endpoint detection and response (EDR). EDR solutions must be deployed on all endpoints within the CII perimeter.
  • Secure software development lifecycle (SDLC). Fintechs building proprietary platforms, including AI-enabled features, must integrate security testing at every development stage.
  • Backup and recovery. Offline or immutable backups must be maintained and tested at defined intervals.

Third-Party and Vendor Management: Contract Clause Checklist

Payment service provider cybersecurity obligations now extend to the supply chain. The Cybersecurity Act’s enhanced enforcement powers mean CSA can issue directions to third-party providers. Fintechs should add or update the following contract provisions immediately:

  • Incident notification SLA. Vendor must notify you of any cybersecurity incident affecting your data or services within a defined window (recommended: within two hours of detection).
  • Cooperation with investigations. Vendor must cooperate fully with CSA and MAS investigations, including providing logs, access, and technical assistance.
  • Data residency and transfer controls. Specify where data may be stored and processed; require prior written consent for any offshore transfer.
  • Audit and penetration-testing rights. You must retain the right to audit vendor controls and conduct or commission penetration testing at least annually.
  • Logging retention. Vendor must maintain security event logs for a minimum of 12 months, accessible on request.

Data Protection Intersections: PDPA and Cross-Border Considerations

Cybersecurity obligations under the Act operate alongside Singapore’s Personal Data Protection Act (PDPA). Fintechs processing personal data across borders must ensure that data-transfer mechanisms comply with PDPC requirements. Encryption at rest and in transit is both a cybersecurity control and a PDPA reasonable-security obligation. For a detailed walkthrough of cross-border transfer requirements, see our guide on PDPA cross-border data transfers for fintechs.

Practical Step-by-Step Cybersecurity Act Compliance Checklist

This section is the operational core of this guide. Each action item names an owner, a recommended timeline, and the regulatory basis. Use this as a working project plan for your compliance programme.

  1. CII mapping exercise.
    Owner: General Counsel + Head of Infrastructure
    Timeline: Immediate (complete within 14 days)
    Action: Inventory every computer system that supports essential services. Map each to the CII indicator table above. Produce a CII mapping document for board sign-off.
    Regulatory basis: Cybersecurity Act, Part 3 (CII provisions).
  2. Update incident response plan (IRP).
    Owner: CISO + Legal
    Timeline: Within 30 days
    Action: Revise your IRP to reflect the tightened reporting windows. Include escalation triggers, notification templates for CSA, and parallel notification to MAS where applicable.
    Regulatory basis: Cybersecurity Act, incident-reporting provisions; MAS Technology Risk Management Guidelines.
  3. AI impact assessment.
    Owner: Chief Data Officer / Head of AI + Legal
    Timeline: Within 30 days
    Action: For every frontier AI model deployed in payment-adjacent services, conduct a data protection impact assessment (DPIA) that also addresses CSA Advisory AD‑2026‑004 controls. Produce a model inventory with risk ratings.
    Regulatory basis: CSA AD‑2026‑004; PDPC DPIA guidance.
  4. Vendor contract review and amendment.
    Owner: Legal + Procurement
    Timeline: Within 60 days
    Action: Review all contracts with cloud providers, SaaS platforms, and managed-service providers. Insert or update clauses covering incident notification SLAs, cooperation, data residency, audit rights, and logging retention.
  5. Implement MFA and privileged-access controls.
    Owner: CISO + IT Operations
    Timeline: Within 30 days
    Action: Enforce MFA on all administrative accounts. Implement privileged-access management (PAM) with session recording for CII systems.
  6. Logging retention policy.
    Owner: CISO
    Timeline: Within 30 days
    Action: Define and implement a minimum 12-month retention policy for all security event logs. Ensure logs are tamper-evident and centrally aggregated.
  7. Penetration testing and AI red-teaming.
    Owner: CISO + external assessor
    Timeline: Within 90 days (schedule now)
    Action: Commission penetration testing of all CII-perimeter systems. If you use frontier AI, include prompt-injection and agent-abuse scenarios in the test scope.
  8. Board reporting and escalation framework.
    Owner: General Counsel + CISO
    Timeline: Within 30 days
    Action: Establish a quarterly board-level cybersecurity briefing and define escalation triggers (e.g., any incident that may require CSA notification must be escalated to the board within 4 hours).
  9. Prepare regulatory notification templates.
    Owner: Legal
    Timeline: Within 14 days
    Action: Draft pre-approved notification templates for CSA incident reports, CII designation-change notifications, and MAS parallel reports. Templates should be stored in an accessible, offline-available repository.
  10. Staff training: phishing and AI-enabled threats.
    Owner: HR + CISO
    Timeline: Within 60 days; recurring quarterly
    Action: Roll out mandatory training covering phishing, social engineering, deepfake-enabled attacks, and AI-generated impersonation. Include scenario-based tabletop exercises for legal and compliance staff.
  11. Cyber-insurance policy review.
    Owner: CFO + Legal
    Timeline: Within 60 days
    Action: Review your cyber-insurance policy to confirm it covers regulatory fines under the Cybersecurity Act, incident-response costs, and third-party claims arising from CII compromise.
  12. Secure SDLC for AI features.
    Owner: CTO + CISO
    Timeline: Within 90 days
    Action: Integrate security-gate reviews into your software development lifecycle for all AI-enabled product features. Include model-provenance verification and adversarial-testing checkpoints.

Incident Reporting in Singapore: Timelines, Obligations, and Comparison Table

Incident reporting is the obligation most likely to trigger enforcement action if breached. The 2026 amendments compressed notification windows for CII operators and expanded the categories of reportable incidents. At the same time, MAS expects licensed financial institutions to file parallel incident notifications under its own Technology Risk Management framework.

The following comparison table summarises reporting obligations by entity type. Where the Cybersecurity Act does not prescribe an exact hour count for a specific entity, the recommended internal SLA below reflects CSA guidance and emerging industry practice.

  • CII owner (designated by CSA)
    What to report: Any prescribed cybersecurity incident: unauthorised access, data exfiltration, ransomware, denial-of-service affecting essential service delivery
    Timeline and escalation: Notify CSA as soon as practicable and no later than the prescribed statutory window after becoming aware of the incident. Recommended internal SLA: initial report within 2 hours of detection; full report within 14 days.
  • Licensed PSP / major payment institution (MAS-regulated)
    What to report: Any IT security incident that affects or may affect the provision of payment services, customer data, or system availability
    Timeline and escalation: Notify MAS within 1 hour of discovery of a relevant incident under the MAS Notice on Cyber Hygiene. File CSA notification in parallel if the system is designated CII.
  • DPT provider / VASP
    What to report: Incidents involving loss of custody assets, compromise of hot/cold wallet infrastructure, or data breach affecting customer personal data
    Timeline and escalation: Notify MAS per licence conditions. Notify CSA if the system meets the CII threshold. Recommended internal SLA: escalate to board and legal within 1 hour; file first regulatory notice within 2 hours.
  • Fintech deploying frontier AI
    What to report: AI system compromise leading to data leakage, automated generation of fraudulent transactions, or model manipulation
    Timeline and escalation: Assess whether the incident triggers CII or MAS reporting. CSA Advisory AD‑2026‑004 expects proactive engagement with CSA where AI misuse has cybersecurity implications.

Enforcement Consequences for Late or Failed Reporting

The Cybersecurity Act provides for fines and, in serious cases, criminal liability for individuals who fail to report prescribed incidents within the required timeframe. The 2026 amendments increased maximum penalties. Beyond statutory sanctions, late reporting can trigger MAS supervisory action, including conditions on licences and public reprimand.

CSA AI Advisory (AD‑2026‑004): What Fintechs Must Do When Using Frontier AI

On 15 April 2026, the CSA issued Advisory AD‑2026‑004, titled “Advisory on Risks associated with Frontier AI Models.” The advisory outlines how organisations can plan ahead and strengthen their cybersecurity posture against risks posed by frontier AI, defined as the most recent advanced AI models that can automate and scale cyber-attack techniques, compress attack timelines, and enable sophisticated data exfiltration.

For fintech cybersecurity teams in Singapore, the practical effect of the CSA AI advisory is a set of eight concrete mitigations that should be treated as regulatory expectations:

  • Model inventory. Maintain a complete register of all AI models deployed, including model provenance, training-data sources, and access permissions.
  • Access controls. Restrict who can query, fine-tune, or deploy frontier AI models. Apply the principle of least privilege rigorously.
  • AI-specific DPIA. Conduct a data protection and cybersecurity impact assessment tailored to AI risks, including prompt injection, data leakage via model outputs, and hallucination-driven misinformation.
  • Red-teaming for prompt and agent risks. Test AI systems with adversarial prompts and agentic-workflow abuse scenarios before production deployment.
  • API rate limits and anomaly detection. Implement rate limits on AI model APIs and monitor for unusual query patterns that may indicate extraction or manipulation attempts.
  • Output monitoring. Deploy automated checks on AI outputs to detect potential data leakage, personally identifiable information (PII) exposure, or generation of harmful content.
  • Data governance for training data. Ensure training data is sourced, labelled, and retained in compliance with PDPA and the Cybersecurity Act’s data-integrity expectations.
  • Fallback and sanity checks. Build human-in-the-loop review stages and automated sanity checks for any AI-driven decision that affects financial transactions or customer data.

Industry observers expect the CSA to follow up AD‑2026‑004 with sector-specific implementation guidance. The recent follow-on advisory AD‑2026‑005 on the cybersecurity risks of the “OpenClaw” AI deployment already signals a trend toward model-specific advisories that name particular platforms.

Fintechs using AI vendor platforms should also insert the following sample contractual provision: “The Vendor shall disclose to the Client the provenance, version, and risk classification of any AI model used to deliver the Services, and shall notify the Client within 24 hours of any change to the model, any security incident affecting the model, or any regulatory advisory issued by CSA or MAS concerning the model.”

MAS Intersections: Fintech Licensing, Safeguarding, and MAS Fintech Cyber Guidance

The Cybersecurity Act does not operate in isolation for financial-services firms. MAS fintech cyber guidance, primarily the Technology Risk Management Guidelines and MAS Notices on Cyber Hygiene, impose overlapping and in some areas more prescriptive requirements. The likely practical effect is that fintechs must meet the higher standard where MAS and CSA expectations diverge.

Key areas of intersection include outsourcing and third-party risk (MAS requires prior notification for material outsourcing; CSA can now direct third parties to cooperate), incident reporting (MAS expects notification within 1 hour for severe incidents; CSA timelines run in parallel), and penetration testing (MAS mandates annual testing for major payment institutions; CSA may require additional testing for designated CII). Where an incident affects both payment-system availability and CII integrity, coordinated engagement with both MAS and CSA is essential to avoid conflicting regulatory responses. Technology law specialists with dual MAS and CSA experience are best placed to manage these parallel reporting tracks.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Geraldine Tan at Amica Law, a member of the Global Law Experts network.

Next Steps: Templates and Compliance Resources

The compliance programme outlined in this article is designed to be implemented in phases: immediate actions within 14 days, core governance updates within 30 days, contract amendments within 60 days, and technical controls within 90 days. To support implementation, the following templates are recommended:

  • CII mapping document: structured inventory of all systems with essential-service connections and risk ratings.
  • Incident notification template: pre-approved draft for CSA and MAS first notifications, with fields for incident classification, timeline, affected systems, and remedial actions.
  • AI DPIA template: tailored assessment covering model inventory, threat modelling, and the eight CSA AD‑2026‑004 controls.
  • Vendor cybersecurity addendum: standard contract rider with the five clause categories detailed above.

If you are a fintech, PSP, DPT provider, or VASP operating in Singapore, now is the time to complete a comprehensive review of your Cybersecurity Act obligations. Early engagement with CSA, before a formal CII designation or enforcement action, demonstrably reduces regulatory risk and positions your organisation as a responsible operator in the eyes of both CSA and MAS.

Sources

  1. Cyber Security Agency of Singapore, Cybersecurity Act
  2. CSA Advisory AD‑2026‑004: Advisory on Risks Associated with Frontier AI Models
  3. CSA Advisories Index
  4. Monetary Authority of Singapore, Cyber Security
  5. Personal Data Protection Commission Singapore (PDPC)
  6. Baker McKenzie, Singapore: CSA Advisory on Risks Associated with Frontier AI Models
  7. DataGuidance, Singapore: CSA Issues Advisory on Cybersecurity Risks

FAQs

What are the key changes in the Cybersecurity Act 2026 and who is affected?
The 2026 amendments broadened the definition of Critical Information Infrastructure (CII) to capture more digital services, including payment systems and settlement platforms, tightened incident-reporting timelines, increased penalties, expanded CSA’s enforcement and investigation powers, and clarified extraterritorial application. Any organisation that owns, operates, or provides services to a system designated as CII is directly affected. Fintechs, PSPs, DPT providers, and VASPs with systems that underpin essential financial services should treat the amendments as immediately applicable.
Not automatically, but the broadened CII criteria make designation significantly more likely. If your system supports the continuous delivery of an essential service, such as real-time payment processing, fund settlement, or digital-asset custody, and its compromise would have a debilitating effect on that service, you may be designated as a CII owner. The prudent step is to complete a CII self-assessment using the indicator table above and engage CSA proactively.
CII owners must report prescribed cybersecurity incidents to CSA within the statutory timeframe. Licensed payment institutions must also notify MAS within 1 hour of discovering a relevant IT security incident. The 2026 amendments increased maximum penalties for late reporting and non-compliance with CII obligations. Both regulatory bodies can impose conditions, directions, and fines.
CSA Advisory AD‑2026‑004 sets out expectations for organisations deploying frontier AI models. Fintechs must now maintain a model inventory, conduct AI-specific DPIAs, implement access controls and API rate limits, perform adversarial red-teaming, monitor AI outputs for data leakage, and build human-in-the-loop fallback mechanisms. These are treated as regulatory expectations, and non-compliance may be considered in enforcement decisions.
The Cybersecurity Act requires CII owners to notify CSA as soon as practicable after becoming aware of a prescribed incident, within the statutory prescribed window. MAS expects licensed financial institutions to notify it within 1 hour of discovering a severe IT security incident. Recommended internal SLA: escalate internally within 30 minutes, file first CSA notification within 2 hours, and submit the MAS parallel notification within 1 hour. A detailed incident notification template should be pre-approved and stored in an accessible, offline-available location.
Yes. Where CII systems process or store personal data that is transferred outside Singapore, both the Cybersecurity Act’s data-integrity requirements and the PDPA’s cross-border transfer provisions apply. Fintechs must ensure appropriate data-transfer mechanisms (contractual clauses, binding corporate rules, or certifications) are in place and that encryption at rest and in transit is maintained throughout. See our detailed guide on PDPA cross-border data transfers for fintechs for a full walkthrough.
At a minimum, fintechs should insert or update five clause categories in all critical vendor contracts: (1) incident notification SLA: the vendor must notify you within two hours of detecting any cybersecurity incident affecting your data or services; (2) cooperation with investigations: full cooperation with CSA and MAS, including providing logs, access, and technical assistance; (3) data residency: explicit designation of where data may be stored and processed, with prior consent for offshore transfers; (4) audit and penetration-testing rights: at least annual testing; and (5) logging retention: a minimum 12-month retention period for all security event logs, accessible on request.
