Key Takeaways: What you need to know
  1. Singapore’s Cyber Trust Mark mandate requires Critical Information Infrastructure Owners to obtain CTM Level 5 certification for non-CII systems supporting business operations by the end of 2027.

  2. The requirement creates SAP cybersecurity compliance implications for CIIOs managing ERP estates, external system integrators, managed Basis providers, and third-party monitoring partners.

  3. CSA’s focus on supply chain cyber risk could expand scrutiny of vendors, auditors, and non-CII systems connected to Singapore’s critical infrastructure environments.

Singapore’s Cyber Security Agency (CSA) has made the Cyber Trust Mark (CTM) mandatory for Critical Information Infrastructure Owners (CIIOs) — organizations that operate computer systems essential to the continuous delivery of Singapore’s critical services — their auditors, and licensed cybersecurity service providers.

The move is aimed at raising baseline national cybersecurity standards and reducing supply chain risk across Singapore’s 11 critical sectors, which include finance, energy, health care, and transport.

Three Categories, Three Deadlines

CSA has set distinct deadlines for each affected group.

CIIOs must obtain CTM Level 5 — the highest tier in a five-tier framework — for non-Critical Information Infrastructure (CII) systems under their control that support business operations and services. CSA described the deadline as “by end 2027.”

Allen & Gledhill, a Singapore law firm, described this scope as covering non-CII enterprise systems — a category that includes CIIOs’ ERP estates.

CII auditors must obtain CTM Level 5 by the end of 2026, at the organization level for systems supporting their business operations. Licensed cybersecurity service providers — specifically those offering penetration testing and managed security operations center monitoring — must obtain CTM Promoter (Tier 3) by 31 December 2026.

CTM Level 5 requires demonstrated preparedness across 22 domains. The mark was enhanced in 2025 to incorporate three areas relevant to SAP environments: cloud security, operational technology (OT) security, and AI security.

Supply Chain Risk Is an Explicit Driver

CSA stated that a key objective of the mandate is to address supply chain risk, specifically the risk posed by vendors and auditors with access to CIIOs’ sensitive data or critical systems.

CSA does not name specific technology categories or vendor relationships in the announcement. However, CIIOs running SAP with external system integrators, managed Basis support providers, or third-party monitoring partners may wish to assess whether those relationships fall within the supply chain risk rationale CSA has articulated, and to review vendor certification status accordingly.

Baker McKenzie, an international law firm, noted that CSA is also reviewing whether cybersecurity standards should extend to non-CII systems interconnected with CII networks — a potential expansion that would pull additional ERP infrastructure into scope.

What This Means for SAPinsiders

  • The certification clock starts now, not in 2027. CTM Level 5 covers 22 domains, and CSA’s stated scope includes non-CII enterprise systems that support business operations. CIIOs that wait until close to the deadline risk compressing the assessment and remediation work that certification requires.
  • Service providers should confirm whether the mandate applies to them. CSA’s requirements extend beyond CIIOs to auditors and licensed cybersecurity service providers — each with distinct deadlines and certification tiers. Organizations providing services to CIIOs in Singapore should review whether their activities fall within the categories CSA has defined.
  • This mandate may not be the final word on scope. CSA framed the requirement around supply chain risk, and Baker McKenzie noted CSA is reviewing whether standards should extend to non-CII systems interconnected with CII networks. CIIOs and their vendors should monitor that review, as its outcome could expand the compliance perimeter further.