Cybersecurity Code of Practice For Critical Information Infrastructure
– Second Edition (CCoP2.0) of Singapore

Thales helps CIIO to align the CCoP2.0 requirements of the Singapore Cybersecurity Act 2018 with a focus on Protection Requirements.


The Cyber Security Agency of Singapore (CSA) has published the Codes of Practice or Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII), in accordance with the Cybersecurity Act. The Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition (CCoP2.0) comes into effect from Jul. 4, 2022, superseding previous versions of the Code.

There is a grace period of 12 months on the compliance timeline for all clauses for the compliance of CCoP2.0, applicable to both existing and any newly designated CII.

  • Regulation
  • Compliance

The Cybersecurity Code of Practice For Critical Information Infrastructure – Second Edition (CCoP2.0) is intended to specify the minimum requirements that the critical information infrastructure owner (CIIO) shall implement to ensure the cybersecurity of the CII, due to the evolving cyber threat landscape with threat actors using sophisticated tactics, techniques, and procedures (TTPs) to attack CII sectors.

The CCoP 2.0 document addresses the key requirements for CII below.

  • Governance
  • Identification
  • Protection
  • Detection
  • Response and Recovery
  • Cyber Resiliency
  • Cybersecurity Training and Awareness
  • Operational Technology (OT) Security

Thales helps Critical Information Infrastructure (CII) to align the CCoP2.0 requirements with a focus on Protection Requirements through:

  • Access Control
  • Data Security & Cryptographic Key Management

Access Control

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with CCOP2.0 requirements.

Data Security & Cryptographic Key Management

Protect: It is crucial to apply protective measures such as encryption or tokenization to sensitive data. To successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by the organization.

  • CipherTrust Database Protection provides high-performance and database encryption with granular access controls.
  • CipherTrust Tokenization offers file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenization with policy-based dynamic data masking, and vaulted tokenization to support a wide range of data protection use cases.
  • CipherTrust Transparent Encryption (CTE) delivers data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging.
  • CipherTrust Data Protection Gateway (DPG) enables transparent data protection to any RESTful web service or microservice leveraging REST APIs.

Monitor: Enterprises need to monitor access to sensitive data to identify ongoing or recent attacks from malicious insiders, privileged users, and other cyber threats.

  • CipherTrust Security Intelligence logs and reports streamline compliance reporting and speedup threat detection using leading Security Information and Event Management (SIEM) systems.

Control: CII Organizations require to control access to their data and centralize key management. Every data security regulation and mandate requires organizations to be able to monitor, detect, control, and report on authorized and unauthorized access to data and encryption keys.

  • The CipherTrust Data Security Platform (CDSP) delivers robust enterprise key management via Enterprise Key Management solutions to manage and protect keys on behalf of a variety of applications.
  • Thales Cipher Trust Cloud Key Manager (CCKM) centralizes encryption key management from multiple environments, presenting all supported clouds and even multiple cloud accounts in a single browser tab.

Recommended Resources

Singapore CCoP for Critical Information Infrastructure

Singapore CCoP for Critical Information Infrastructure 2.0 - eBook

As the leader in digital security and data protection, Thales has helped hundreds of enterprises comply with regulations worldwide by recommending the appropriate data protection technologies required to meet regulatory requirements. Thales enables CIIO to align the Singapore...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.