62013

Development of software for cybersecurity

classLevel 4Use for ACRA Registration

This sub-class includes activities of providing expertise in the field of information technologies such as writing, modifying, testing and supporting software, designing the structure and content of, and/or writing the computer code necessary to create, implement, develop and/or customise software and applications for cybersecurity (including updates and/or patches).

SSIC Guide

Licences & Permits

8 licences apply to businesses in this SSIC code depending on the specific activities you conduct. Most are activity-triggered — a holding company in 64, for example, only needs a Banking Licence if it actually conducts banking.

Required for activityCSRO

Managed Security Operations Centre (SOC) Monitoring Service Licence

Validity
Each licence is valid for a period of 5 years from the date of licence issuance (for applications approved from 16 March 2026 onwards)
Processing
8 weeks upon submission of the complete application including all supporting documents
Prerequisites (7)
  • Photocopy of Identification document
  • Photocopy of both sides of NRIC/Work Pass, or photocopy of Passport showing the personal particulars and official descriptions (for overseas applicants only)
  • Certificate of Clearance (For overseas applicants only)
  • Certificate of Clearance or documentation from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction in the home country.
  • The Certificate of Clearance or documentation shall not be obtained earlier than three months before it is submitted to CSRO.
  • Business Profile or equivalent document (For business entity only)
  • Latest ACRA Business Profile or equivalent.
Full reference: how to apply, FAQ, prerequisites
Required for activityCSRO

Penetration Testing Service Licence

Validity
Each licence is valid for a period of 5 years from the date of licence issuance (for applications approved from 16 March 2026 onwards)
Processing
8 weeks upon submission of the complete application including all supporting documents
Prerequisites (7)
  • Photocopy of Identification document
  • Photocopy of both sides of NRIC/Work Pass, or photocopy of Passport showing the personal particulars and official descriptions (for overseas applicants only) 
  • Certificate of Clearance (For overseas applicants only)
  • Certificate of Clearance or documentation from the relevant authorities in the home country certifying that the officer does not have any record of criminal conviction in the home country.
  • The Certificate of Clearance or documentation shall not be obtained earlier than three months before it is submitted to CSRO.
  • Business Profile or equivalent document (For business entity only)
  • Latest ACRA Business Profile or equivalent.
Full reference: how to apply, FAQ, prerequisites
Required for activityIMDA

Services-Based Operations (Class) Licence

For leasing telecommunication network elements from any Facilities-Based Operator (FBO) licensed by the Info-communications Media Development Authority (IMDA) so as to provide their own telecommunication services or to resell the telecommunication services of FBOs or Services-Based Operations (SBOs) licensees to third parties. SBO (Class) Licensees shall not collect monetary deposits and/or use prepaid cards as a means of collecting payment from their customers. For more information please visit: https://iris.imda.gov.sg/application/services-based-operations-licence

Validity
No expiry
Processing
8 working days for manual approval if not Auto Approved
Prerequisites (4)
  • Documents Needed
  • Description of each service (Including scope and type)
  • Latest ACRA Bizfile
  • System/Network Configuration Diagram
Full reference: how to apply, FAQ, prerequisites
OptionalCSA

Cybersecurity Labelling Scheme for IoT (Level 1)

The Cybersecurity Labelling Scheme for IoT is launched by the Cyber Security Agency of Singapore (CSA) as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore's Cyberspace. Under the scheme, smart consumer devices will be rated according to their levels of cybersecurity provisions, and a label will be issued to the smart device, enabling consumers to identify smart products with better cybersecurity provisions. For more information please visit: CSA website

Validity
Up to 3 years
Processing
1 day
Prerequisites (5)
  • Declaration of Conformity
  • To declare that the device met with the relevant cybersecurity level security provision.
  • Supporting Evidence Document
  • To provide evidence that demonstrates the product's compliance with requirements.
  • Download application templates here.
Full reference: how to apply, FAQ, prerequisites
OptionalCSA

Cybersecurity Labelling Scheme for Medical Devices (Level 1)

The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) is a joint initiative by the Cyber Security Agency of Singapore (CSA), Ministry of Health (MOH), Health Sciences Authority (HSA), and Synapxe as part of efforts to improve medical device cybersecurity. Under the voluntary CLS(MD), medical devices are rated according to 4 levels of cybersecurity provisions and assessments. The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. The scheme seeks to incentivise manufacturers to adopt a security-by-design approach, and to enable consumers and healthcare providers to make more informed decisions about the use of such devices. The scope of the CLS(MD) applies to medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics: Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data; Connects to other devices, systems, and services - Has the ability to communicate using wired and / or wireless communication protocols through a network of connections. For more information please visit: CSA website

Validity
Up to 3 years
Processing
1 day
Prerequisites (5)
  • Declaration of Conformity
  • To declare that the device met with the relevant cybersecurity level security provision.
  • Supporting Evidence Document
  • To provide evidence that demonstrates the product's compliance with requirements.
  • Download application templates here.
Full reference: how to apply, FAQ, prerequisites
OptionalCSA

Cybersecurity Labelling Scheme for Medical Devices (Level 2)

The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) is a joint initiative by the Cyber Security Agency of Singapore (CSA), Ministry of Health (MOH), Health Sciences Authority (HSA), and Synapxe as part of efforts to improve medical device cybersecurity. Under the voluntary CLS(MD), medical devices are rated according to 4 levels of cybersecurity provisions and assessments. The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. The scheme seeks to incentivise manufacturers to adopt a security-by-design approach, and to enable consumers and healthcare providers to make more informed decisions about the use of such devices. The scope of the CLS(MD) applies to medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics: Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data; Connects to other devices, systems, and services - Has the ability to communicate using wired and / or wireless communication protocols through a network of connections. For more information please visit: CSA website

Validity
Up to 3 years
Processing
2 days
Prerequisites (5)
  • Declaration of Conformity
  • To declare that the device met with the relevant cybersecurity level security provision.
  • Supporting Evidence Document
  • To provide evidence that demonstrates the product's compliance with requirements.
  • Download application templates here.
Full reference: how to apply, FAQ, prerequisites
OptionalCSA

Cybersecurity Labelling Scheme for Medical Devices (Level 3)

The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) is a joint initiative by the Cyber Security Agency of Singapore (CSA), Ministry of Health (MOH), Health Sciences Authority (HSA), and Synapxe as part of efforts to improve medical device cybersecurity. Under the voluntary CLS(MD), medical devices are rated according to 4 levels of cybersecurity provisions and assessments. The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. The scheme seeks to incentivise manufacturers to adopt a security-by-design approach, and to enable consumers and healthcare providers to make more informed decisions about the use of such devices. The scope of the CLS(MD) applies to medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics: Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data; Connects to other devices, systems, and services - Has the ability to communicate using wired and / or wireless communication protocols through a network of connections. For more information please visit: CSA website

Validity
Up to 3 years
Processing
1 month
Prerequisites (5)
  • Declaration of Conformity
  • To declare that the device met with the relevant cybersecurity level security provision.
  • Supporting Evidence Document
  • To provide evidence that demonstrates the product's compliance with requirements.
  • Download application templates here.
Full reference: how to apply, FAQ, prerequisites
OptionalCSA

Cybersecurity Labelling Scheme for Medical Devices (Level 4)

The Cybersecurity Labelling Scheme for Medical Devices (CLS(MD)) is a joint initiative by the Cyber Security Agency of Singapore (CSA), Ministry of Health (MOH), Health Sciences Authority (HSA), and Synapxe as part of efforts to improve medical device cybersecurity. Under the voluntary CLS(MD), medical devices are rated according to 4 levels of cybersecurity provisions and assessments. The cybersecurity label for medical devices would provide an indication of the level of security in medical devices. The scheme seeks to incentivise manufacturers to adopt a security-by-design approach, and to enable consumers and healthcare providers to make more informed decisions about the use of such devices. The scope of the CLS(MD) applies to medical devices as described in the First Schedule of the Health Product Act (Cap122D, 2008 Rev Ed) and have any of the following characteristics: Handles personal identifiable information (PII) and clinical data and has the ability to collect, store, process, or transfer such data; Connects to other devices, systems, and services - Has the ability to communicate using wired and / or wireless communication protocols through a network of connections. For more information please visit: CSA website

Validity
Up to 3 years
Processing
3 months
Prerequisites (5)
  • Declaration of Conformity
  • To declare that the device met with the relevant cybersecurity level security provision.
  • Supporting Evidence Document
  • To provide evidence that demonstrates the product's compliance with requirements.
  • Download application templates here.
Full reference: how to apply, FAQ, prerequisites

Need help with these licences?

We handle the applications, document prep, and agency liaison end-to-end.

Licence requirements change — we keep this list current as part of the engagement.

Tax Incentives & Schemes

4 schemes that businesses in this SSIC code may qualify for. Eligibility is case-by-case — talk to the relevant authority.

Concessionary taxEDBDEI

Development & Expansion Incentive (DEI)

Benefit: 5% or 10% concessionary corporate tax on qualifying incremental income for up to 10 years. The follow-on to Pioneer once activity is established.

Eligibility: Existing activity in Singapore expanding into substantially new capability or capacity. Discretionary, EDB-administered.

Concessionary taxEDBPioneer

Pioneer Certificate Incentive (PC)

Benefit: 0% corporate tax on qualifying income for up to 15 years (typically 5–10) for genuinely pioneer manufacturing or services activity.

Eligibility: Substantial new economic activity in Singapore: substantial fixed-asset investment, technology spillovers, and new-to-Singapore expertise. Approved on a discretionary, case-by-case basis.

Note for SSIC : Software & IT services pioneer track

Tax exemptionIRASPTE

Partial Tax Exemption (PTE)

Benefit: First SGD 10,000: 75% exemption; next SGD 190,000: 50% exemption. Available to all companies (including those past their 3-year SUTE window).

Eligibility: Singapore tax-resident company.

Tax exemptionIRASSUTE

Start-Up Tax Exemption (SUTE)

Benefit: First SGD 100,000 of chargeable income: 75% exemption; next SGD 100,000: 50% exemption. For each of the first 3 YAs after incorporation.

Eligibility: Newly incorporated SG-resident company, ≤ 20 individual shareholders (or one corporate holding ≥ 10%), not in investment-holding or property-development.

Note for SSIC : Excludes 64202 investment holding & 41001/68101 property development

Worth applying for any of these?

We screen eligibility and shape the application — most schemes are discretionary and need a substantive activity case.

Foreign Worker Levies

This SSIC code falls under MOM's Services sector for foreign-worker levy purposes. Levies below apply per worker per month, paid by the employer in addition to salary.

S Pass

TierMonthlyConditions
Tier 1SGD 550Up to 10% of total workforce

Work Permit

TierMonthlyConditions
Higher-skilled (Tier 1)SGD 300Up to 10%
Basic (Tier 1)SGD 450Up to 10%
Basic (Tier 2)SGD 60010–25%
Basic (Tier 3)SGD 800>25% (up to DRC of 35%)

Hiring foreign workers in this sector?

We handle Work Permit, S Pass, and EP applications alongside the incorporation — and check Dependency Ratio Ceilings before you commit headcount.

Levies and Dependency Ratio Ceilings are reviewed periodically by MOM (rates above effective 2024-09-01).

Classification Path

Section
K-TELECOMMUNICATIONS, COMPUTER PROGRAMMING, CONSULTANCY, COMPUTING INFRASTRUCTURE, AND OTHER INFORMATION SERVICE ACTIVITIES
Division
62-COMPUTER PROGRAMMING, INFORMATION TECHNOLOGY CONSULTANCY AND RELATED ACTIVITIES
Group
620-COMPUTER PROGRAMMING, INFORMATION TECHNOLOGY CONSULTANCY AND RELATED ACTIVITIES
Current class
62013-Development of software for cybersecurity

Need help choosing?

Our guide helps you find the right SSIC code for your business activity.

Read the SSIC Guide