Articles, EDM, Product in Focus

Who must certify, and by when

Who must certify, and by when — Enova Technologies

Cyber Trust Mark Certification Requirements for 2027

Singapore’s Cyber Security Agency now mandates that every Critical Information Infrastructure owner achieve Cyber Trust Mark Level 5 certification by the end of 2027. This requirement extends beyond CII systems to encompass the supporting infrastructure that keeps your operations running, including KVM and out-of-band management solutions that may currently fall outside existing regulatory frameworks.

Meeting this certification demands a comprehensive security posture across your entire data centre stack, from physical access controls to remote management protocols. Understanding the scope of what must be certified—and the technical controls required to achieve Level 5 status—is essential for planning your compliance timeline and avoiding costly infrastructure overhauls.


CSA now requires every Critical Information Infrastructure owner in Singapore to certify to Cyber Trust Mark Level 5, the highest of five tiers, by end-2027. The requirement covers the non-CII systems that support your operations, on top of the CII systems already regulated under the Cybersecurity Act. That is exactly where your KVM and out-of-band management stack sits.

What is the Cyber Trust mark? The Cyber Trust mark is a cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) for organisations with digital operations. It has five tiers, each covering an increasing number of security domains. The 2025 revision extends the framework beyond classical IT into operational technology (OT), cloud and AI. Level 5 is the highest tier.

Who must certify, and by when

The CSA requirement sets two deadlines.

END-2026

CII auditors must hold Cyber Trust Mark Level 5. Licensed cybersecurity service providers must hold Level 3.

END-2027

CII owners must hold Cyber Trust Mark Level 5 for the non-CII systems under their control that support business operations.

The requirement applies across all 11 CII sectors, including energy, water, banking and finance, healthcare, transport, infocomm, media and government.

The scope matters. Designated CII systems were already regulated. The new requirement pulls in the broader enterprise environment that supports them. Management infrastructure has spent years in the gap between the two. That gap is closing.

Why the KVM layer is inside the scope

A KVM-over-IP device holds privileged, BIOS-level access to every server it touches. It is a supporting system by any definition a certifier would use.

The OT angle sharpens this. The CCoP 2.0 OT addendum requires the OT network to be segregated from the enterprise network. A KVM-over-IP device spans that boundary in practice: production consoles on one side, the management network on the other. The 2025 Cyber Trust mark revision added OT domains to the framework, so the certifier now has a section to assess it under.

A generic KVM with a shared local password, no session logging and no patching story is no longer a procurement shortcut. It is a finding waiting to be written.

What a Level 5 answer looks like at the KVM layer

Certification at the top tier examines the domains where commodity KVM hardware has nothing to show: access control, network segmentation, logging and third-party assurance.

[1]  Access: MFA on every session. ZPE enforces it through SAML 2.0 single sign-on
[2]  Segmentation: out-of-band management on its own network path, not a shared VLAN
[3]  Logging: session records that show what was done, not only who logged in
[4]  Evidence: ZPE carries FIPS 140-3, SOC 2 Type 2 and ISO 27001
[5]  Assurance: G&D carries Common Criteria EAL2+ and DoDIN APL

The point is not the brand. It is whether the device on your management network can produce the evidence a certifier asks for. G&D and ZPE both publish documented answers. Most KVM datasheets stop at the port count.

Eighteen months is shorter than it sounds

A gap assessment, a certification cycle and a hardware refresh do not fit inside eighteen months comfortably. Certification bodies will be busy: every CII owner in Singapore is working to the same date.

The KVM decision you make this year is the one the certifier sees in 2027.

Frequently asked questions

What is the Cyber Trust mark?

A cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) for organisations with digital operations. It has five tiers of increasing rigour. The 2025 revision extends coverage to OT, cloud and AI. Level 5 is the highest tier.

Who must certify, and by when?

CSA requires CII owners to certify to Cyber Trust Mark Level 5 by end-2027. CII auditors must reach Level 5 by end-2026, and licensed cybersecurity service providers must reach Level 3 by end-2026.

Does the requirement cover only designated CII systems?

No. Designated CII systems are already regulated under the Cybersecurity Act. The Cyber Trust Mark requirement covers the non-CII systems under a CII owner’s control that support business operations, which is where management infrastructure such as KVM and out-of-band devices sits.

Why does a KVM switch fall within scope?

A KVM-over-IP device holds privileged, BIOS-level access to the servers it connects, and it spans the boundary between production and management networks. The 2025 Cyber Trust mark revision added OT domains, giving certifiers a framework section to assess it under.

What evidence do certifiers look for at the management layer?

MFA-protected access, network segmentation of the management plane, session logging that records activity rather than only logins, and third-party assurance. ZPE holds FIPS 140-3, SOC 2 Type 2 and ISO 27001. G&D holds Common Criteria EAL2+ and DoDIN APL.

Which sectors does the requirement apply to?

All 11 CII sectors in Singapore: energy, water, banking and finance, healthcare, land transport, maritime, aviation, infocomm, media, security and emergency services, and government.

eNOVA Technologies

Published by

eNOVA Technologies

eNOVA Technologies is Singapore's specialist distributor for data centre IT management solutions, representing Adder, Guntermann & Drunck, Raritan, Sunbird, ZPE Systems, and VuWall across Singapore and Southeast Asia. Our technical content is produced with AI assistance and reviewed by our in-house team before publication.

This article was produced with AI assistance and reviewed by the eNOVA Technologies team. All technical claims are verified against manufacturer documentation.

author-avatar

About eNOVA Technologies

eNOVA Technologies is Singapore's specialist distributor for data centre IT management solutions, representing Adder, Guntermann & Drunck, Raritan, Sunbird, ZPE Systems, and VuWall across Singapore and Southeast Asia. Our technical content is produced with AI assistance and reviewed by our in-house team before publication.