Cybersecurity & Sector Regulators
Four sector regulators governing AI within their domains. Security, healthcare, competition, and legal.
Singapore’s Sectoral Approach
No single AI regulator. Existing sector authorities govern AI within their domains, coordinated by a cross-cutting national framework.
No Omnibus Regulator
Singapore does not have a single AI regulator. Instead, existing sector regulators apply AI governance within their statutory domains. CSA covers cybersecurity, MOH covers healthcare, CCCS covers competition, MinLaw covers legal practice.
IMDA as Coordinator
IMDA provides the cross-cutting framework layer through the Model AI Governance Framework and AI Verify. Sector regulators then add domain-specific requirements on top. The result is coverage without overlap.
Precision Governance
This mirrors Singapore’s broader “precision governance” philosophy: targeted intervention at the sector level, proportionate to actual risk, with voluntary adoption incentivized through tooling and international alignment.
CSA: Securing AI Systems
Cyber Security Agency of Singapore. Foundational security principles for AI throughout its lifecycle.
Guidelines and Companion Guide on Securing AI Systems
Published October 2024. The Guidelines establish foundational security principles for AI systems across their entire lifecycle. The Companion Guide provides practical measures and controls, referencing MITRE ATLAS and OWASP Top 10 for ML and GenAI.
The approach is not prescriptive. CSA curates best practices from industry and academia rather than mandating specific technical controls. Organizations select the measures most relevant to their risk profile.
CSA released an Agentic AI Addendum for public consultation in 2026, extending the original guidelines to autonomous agent systems. This addresses the security challenges unique to AI systems that can take actions, make decisions, and interact with external tools without direct human oversight at each step.
MOH / HSA: Healthcare AI
Ministry of Health, Health Sciences Authority, and Synapxe. Practical guidance for safe AI in healthcare.
AI in Healthcare Guidelines (AIHGle)
First published October 2021. Updated to AIHGle 2.0 on March 10, 2026.
Provides practical guidance for the safe development, deployment, and use of AI in healthcare settings. The guidelines complement HSA’s Software as Medical Device (SaMD) regulatory framework, covering AI applications that may not qualify as medical devices but still carry clinical risk.
Principles are adapted from the PDPC Model AI Governance Framework and MAS FEAT Principles, tailored for clinical workflows, patient safety, and healthcare data sensitivity.
AIHGle is jointly developed by MOH (policy), HSA (medical device regulation), and Synapxe (health tech agency). This three-agency structure ensures the guidelines address regulatory, clinical, and technical perspectives simultaneously.
CCCS: Competition & Consumer Protection
Competition and Consumer Commission of Singapore. Voluntary self-assessment built on AI Verify.
AI Markets (AIM) Toolkit
Launched September 24, 2025. Developed in collaboration with IMDA. The AIM Toolkit is a voluntary self-assessment tool for organizations to evaluate AI systems against the Competition Act 2004 and the Consumer Protection (Fair Trading) Act 2003.
Built as plugins for the AI Verify platform, the toolkit runs entirely on local systems. CCCS has no access to the organization’s data or test results. Currently supports supervised learning only (binary classification, multiclass classification, and regression).
Four AI Verify Plugins
MinLaw: Legal Sector
Ministry of Law. The first sector-specific GenAI guide from a Singapore regulator.
Guide for Using Generative AI in the Legal Sector
Published March 6, 2026. Developed in consultation with over 20 stakeholders spanning law practices, in-house counsel, legaltech providers, and academia. This is the first sector-specific GenAI guide issued by any Singapore regulator.
Three Key Principles
Professional Ethics
Lawyers remain responsible for all work products. GenAI output must be reviewed and verified before use in any professional capacity.
Confidentiality
Safeguard client data at all times. Be mindful of GenAI model risks including data retention, training data leakage, and cross-session exposure.
Transparency
Disclose the use of GenAI tools where appropriate. Maintain clear records of AI-assisted work products and their human review status.
Sector Regulator Comparison
All four sector guidelines are voluntary. Each regulator retains enforcement authority through existing legislation in their domain.
| Regulator | Domain | Key Instrument | Year | Binding? |
|---|---|---|---|---|
| CSA | Cybersecurity | Guidelines + Companion Guide on Securing AI Systems | 2024 | Voluntary |
| MOH / HSA | Healthcare | AIHGle 2.0 | 2026 | Voluntary |
| CCCS | Competition | AI Markets (AIM) Toolkit (AI Verify plugin) | 2025 | Voluntary |
| MinLaw | Legal | Guide for Using GenAI in the Legal Sector | 2026 | Voluntary |
While all sector AI guidelines are voluntary, the underlying legislation is not. CSA enforces the Cybersecurity Act 2018. CCCS enforces the Competition Act 2004 and the Consumer Protection (Fair Trading) Act 2003. MOH/HSA enforce healthcare regulations and medical device approvals. MinLaw enforces the Legal Profession Act. The PDPA applies across all sectors as the binding data protection baseline. If an AI system violates these laws, voluntary adoption of the AI guidelines does not create a safe harbor.
Related Tools
Practical tools to operationalize cybersecurity controls for AI systems.
CSA AI Security Lifecycle Checklist
Walk through all 5 CSA lifecycle stages with security controls per stage. 24 checkpoints across Design, Development, Deployment, Operations, and End-of-Life.