Governments in the Asia-Pacific region tightened operational technology (OT) cybersecurity regulations in 2025, prompting manufacturers and utilities to strengthen resilience through coordination, intelligence sharing, and risk-based control frameworks. Singapore, Japan, Australia, India, Hong Kong, and Southeast Asian nations introduced new measures addressing incident reporting, vendor management, and AI-enabled monitoring as regulatory scrutiny increased across the region.
Background
Regulatory developments in APAC have shifted from voluntary guidelines to formal mandates for critical infrastructure sectors. Singapore released the updated OT Cybersecurity Masterplan in August 2024, enhancing workforce competency, promoting information sharing via the OT Information Sharing and Analysis Center (OT-ISAC), and advancing secure-by-deployment principles throughout the OT lifecycle. Amendments to the Cybersecurity Act and associated Codes of Practice expanded incident reporting and audit requirements for critical information infrastructure. Japan and Australia jointly issued the "Principles of Operational Technology Cyber Security," a multilateral framework published in October 2024 that provides cross-border guidance for OT systems. Hong Kong enacted the Protection of Critical Infrastructure (Computer Systems) Ordinance in March 2025, introducing mandatory operator registration, rapid incident reporting, and system protection measures. Other APAC countries-including India, Australia, and Thailand-have established frameworks such as India's CERT-In directives, Australia's Security of Critical Infrastructure (SOCI) Act and incident notification mandates, and Thailand's infrastructure classification and response requirements.
Details
Singapore's 2024 OT Masterplan addressed gaps in people, processes, and technology by launching the OT-ISAC, establishing a competency framework (OTCCF), building workforce pipelines, and deploying supply chain visibility tools linked to secure-by-deployment across OEMs, integrators, and operators. Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Australia's Australian Signals Directorate (ASD) published principles to harmonize resilience practices across nine countries. Hong Kong's ordinance, gazetted March 28, 2025, requires critical infrastructure operators to register key systems and comply with defined cybersecurity measures with tiered incident response deadlines. India's CERT-In mandates six-hour incident reporting and expanded log retention across OT and IT systems. Australia's SOCI Act requires risk management programs, mandatory incident notifications, and permits government intervention in national threats.
Multinational manufacturers now contend with overlapping regulations regarding vendor risk, compliance, and incident management. The OT security market in APAC reflects this environment, with regional growth projected at 15 percent compound annual growth rate, exceeding North America's 13.5 percent, driven by compliance demands and ongoing digital transformation. Adoption of ISA/IEC 62443 standards is increasing in energy, manufacturing centers in Japan and South Korea, mining, and transportation, providing a recognized approach to meet varying national requirements. Cross-border coordination is expanding through CERT collaboration and shared threat intelligence, although regulatory fragmentation continues to challenge unified compliance for operators working across jurisdictions.
Outlook
Manufacturers and utility operators are updating business continuity plans, segmenting OT networks by risk, and incorporating AI-enabled monitoring to meet evolving regulatory expectations while maintaining uptime. Harmonizing procurement and vendor risk assessments across markets remains a priority. Ongoing alignment with standards such as IEC 62443 and reinforced CERT engagement are expected to support scalable resilience in complex, multi-jurisdictional environments.
