Forms

This page contains a list of forms prescribed under the Cybersecurity Act 2018 and Cybersecurity (Critical Information Infrastructure) Regulations 2018.

1. Provision of information to ascertain if computer, etc., fulfils criteria of critical information infrastructure

In accordance with Section 8 of the Cybersecurity Act, the Commissioner may issue a notice to a person who appears to be exercising control over a computer or computer system to provide relevant information for the purpose of ascertaining whether the computer or computer system fulfils the criteria of a critical information infrastructure. The notice shall be issued in the format below:

• Notice to Provide Information Under Section 8(2) of the Cybersecurity Act 2018 [PDF, 357 KB]

2. Furnishing of information relating to critical information infrastructure
In accordance with Section 10 of the Cybersecurity Act, the Commissioner may issue a notice to an owner of a critical information infrastructure to furnish information relating to critical information infrastructure. The notice shall be issued in the format below:

• Notice to Provide Information Under Section 10(1) of the Cybersecurity Act 2018 [PDF, 375 KB]

3. Reporting of cybersecurity incident in respect of critical information infrastructure

3.1 In accordance with Section 14(1) of the Cybersecurity Act, the owner of a provider-owned critical information infrastructure1 must notify the Commissioner of the occurrence of any of the following, in the prescribed form and manner within the prescribed period after becoming aware of such occurrence:

(a) a prescribed cybersecurity incident in respect of the provider-owned critical information infrastructure (see para 3.2, 3.3);

(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the provider-owned critical information infrastructure (see para 3.2, 3.3);

(c) a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b) (see para 3.2 – 3.4);

(d) a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider-owned critical information infrastructure (see para 3.2, 3.3);

(e) any other type of cybersecurity incident in respect of the provider-owned critical information infrastructure that the Commissioner has specified by written direction to the owner.

1Existing critical information infrastructure designated under the Cybersecurity Act 2018 has been renamed to provider-owned critical information infrastructure to differentiate them from the new third-party-owned critical information infrastructure under Part 3A of the Cybersecurity (Amendment) Act 2024.

3.2 The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident within 2 hours from awareness of an incident by calling the telephone number specified by the Commissioner in the National Cybersecurity Incident Response Framework (NCIRF) document. If the owner is unable to submit the details by calling the telephone number or by text message to the telephone number, owner must submit the details of the cybersecurity incident by filling in all fields in Part 1 of the National Cyber Security Incident Reporting Form below.

3.3 For submission of supplementary details of a cybersecurity incident within 72 hours after becoming aware of the occurrence of the incident, the owner of a provider-owned critical information infrastructure must submit the details required in Part 1 and Part 2 of the National Cyber Security Incident Reporting Form below to CSA.

• National Cyber Security Incident Reporting Form

3.4 The owner of a provider-owned critical information infrastructure must notify the Commissioner of the occurrence of the cybersecurity incident by submitting a consolidated quarterly report. This report should include, to the fullest extent practicable, details such as but not limited to, the date and time of the incidents, the name and description of the affected systems, the nature and description of the incidents, etc. The report must notify cybersecurity incidents that occurred during that quarter, and must be submitted no later than the end of the 3rd working day following the end of the quarter (i.e. If the end of the quarter falls on a Friday, then the report is due no later than Wednesday of the following week. If the end of the quarter falls on a Monday, and Wednesday is a public holiday, then the report is due no later than Friday of the same week. A quarter is defined as the period that falls in the listed calendar months, i.e. January – March, April – June, July – September, and October – December.) This quarterly report shall be submitted in the format below:

• Batch reporting file