By Evvo Labs | May 19, 2026
On March 2, 2026, Singapore’s Cyber Security Agency (CSA) made what was once a voluntary certification scheme effectively mandatory for a growing slice of the economy. The Cyber Trust Mark (CTM) — a tiered cybersecurity certification introduced in 2022 and enhanced in 2025 to cover AI security, cloud security, and operational technology (OT) risks — is now a legal requirement for Critical Information Infrastructure (CII) owners, their auditors, and licensed cybersecurity service providers.
If you operate in or sell to sectors considered critical infrastructure — financial services, healthcare, energy, transport, water, government, infocomm, media, and aviation — the compliance deadlines are not suggestions. They are law.
What Changed on March 2, 2026
The CSA formally adopted obligations requiring three categories of entities to obtain Cyber Trust Mark Level 5 certification:
- CII Owners — organisations that own or operate systems classified as Critical Information Infrastructure under Singapore’s Cybersecurity Act. These entities must certify their non-CII systems that support core CII operations.
- CII Auditors — the firms that conduct cybersecurity audits of CII systems. If you perform CII audits, you need CTM Level 5 by end of 2026.
- Licensed Cybersecurity Service Providers (CSPs) — specifically those providing penetration testing and managed Security Operations Centre (SOC) services. CSA is also consulting on requiring CSPs to meet at minimum CTM Tier 3.
The enhanced 2025 Cyber Trust Mark (published as Singapore Standard SS 712:2025) added three new pillars beyond classical cybersecurity:
- Cloud Security — covering multi-cloud configurations, data sovereignty, and third-party provider risk
- OT Security — for operational technology environments in industrial and critical infrastructure settings
- AI Security — addressing prompt injection, model tampering, and AI supply chain risk
This makes the CTM 2025 one of the first nationally adopted certification frameworks in the world to explicitly codify AI security controls at the standards level.
The Compliance Deadlines
| Entity | Deadline | Certification Level |
|---|---|---|
| CII Auditors | December 31, 2026 | CTM Level 5 |
| Licensed CSPs (pentest, managed SOC) | December 31, 2026 | CTM Level 5 |
| CII Owners — CII systems | Already mandatory under Cybersecurity Act | CTM Level 5 |
| CII Owners — non-CII supporting systems | December 31, 2027 | CTM Level 5 |
Residential routers sold in Singapore will also need to meet Cybersecurity Labelling Scheme (CLS) Level 2 by 2027 — an expansion from the current Level 1 baseline (unique default passwords, software updates).
Why This Matters Beyond Compliance
The CTM mandate is part of a broader structural shift in how Singapore regulates cybersecurity across the national digital ecosystem. Three strategic implications stand out:
1. The Supply Chain Is Now in Scope
The requirement for government vendors managing critical systems and sensitive government data to meet CTM requirements — announced by SMS Tan Kiat How at the MDDI Committee of Supply Debate in March 2026 — means that compliance is not just about your own systems. If you supply to the government or to CII operators, your customers will demand your certification as a precondition of doing business.
2. AI Security Is No Longer Optional
The 2025 CTM enhancement was not a box-ticking exercise. With prompt injection attacks on large language models increasing — and the Singapore Cyber Landscape 2024 report flagging AI-enabled attack surfaces as a growing concern — CSA’s decision to include AI security as a core pillar signals that regulators expect enterprises deploying AI to have security controls commensurate with the risk. If you’re building, integrating, or operating AI systems that are in scope, Level 5 requires demonstrated capability across model access controls, training data protection, and output validation.
3. Tier 3 May Become a De Facto Baseline for All CSPs
While only pentest and managed SOC providers face the December 2026 Level 5 deadline, CSA’s consultation on minimum Tier 3 requirements for all licensed CSPs suggests that CTM certification is on a path to becoming the standard of professional competence for the entire cybersecurity industry in Singapore. Early adoption positions your firm favourably as the market re-certifies.
Funding and Support Available
Singapore is not leaving enterprises to absorb this cost alone. Key support mechanisms:
- Funding subsidy: SMEs and NPOs incorporated in Singapore can receive up to $2,250 (classical cybersecurity) and $450 (cloud/OT/AI security add-ons) deducted directly from certification fees, depending on endpoint count
- CISO-as-a-Service: Refreshed programme helps SMEs access senior cybersecurity expertise without full-time hires
- Cyber Resilience Centre: Established by Singapore Business Federation (SBF) with founding members including SCCCI and SGTech, commencing operations in 2026 — providing coordinated incident response and cybersecurity workshops aligned to Cyber Essentials
- Google Cybersecurity Certificate scholarships: Available through appointed certification bodies for newly certified organisations
What Enterprises Should Do Now
If you are a CII owner or operator:
- Assess your current certification status against the 22 CTM Level 5 domains
- Engage an appointed certification body immediately — lead times for audits can be 3–6 months
- Map your non-CII supporting systems and include them in your certification scope
If you are a CII auditor or licensed CSP:
- December 2026 is 7 months away. Prioritise gap assessment against the 22 domains
- CISA-level CTM Level 5 certification positions you to win CII audit mandates as the market contracts
If you supply to CII operators or government:
- Expect CTM requirements to flow down your procurement chain within 12–18 months
- Proactive certification differentiates you in competitive tenders
Sources
- Cyber Security Agency of Singapore. (2025). Certification for the Cyber Trust Mark. CSA. Retrieved from https://www.csa.gov.sg/our-programmes/support-for-enterprises/sg-cyber-safe-programme/cybersecurity-certification-for-organisations/cyber-trust/certification-for-the-cyber-trust-mark
- Digital Policy Alert. (2026). Cyber Trust Mark requirements in critical information infrastructure and cybersecurity industries. Retrieved from https://digitalpolicyalert.org/change/18573-cyber-trust-mark-requirements-in-critical-information-infrastructure-and-cybersecurity-industries
- Baker McKenzie. (2026). Singapore: Cybersecurity Regulatory Developments Ahead. Retrieved from https://www.bakermckenzie.com/en/insight/publications/2026/04/singapore-cybersecurity-regulatory-developments-ahead
- Ministry of Digital Development and Information. (2026). Opening Remarks by SMS Tan Kiat How for SG Cyber Safe for Enterprises. MDDI. Retrieved from https://www.mddi.gov.sg/newsroom/opening-remarks-by-sms-tan-kiat-how-for-sg-cyber-safe-for-enterprises/
- The Straits Times. (2026). Singapore develops its own threat detection tool on the heels of UNC3886 attacks. Retrieved from https://www.straitstimes.com/singapore/politics/singapore-develops-its-own-threat-detection-tool-on-the-heels-of-unc3886-attacks
Evvo Labs is a CREST-accredited cybersecurity consultancy specialising in VAPT, AI security, and regulatory compliance for enterprises in Singapore and Southeast Asia. Contact us at security@evvolabs.vn.
