Industrial Software Insider

APAC Tightens OT Cybersecurity Standards for Critical Infrastructure Amid Rising Incident Rates

APAC regulators roll out OT cybersecurity mandates across critical infrastructure, enforcing segmentation, asset visibility, vendor risk controls, and rapid incident reporting.

APAC Tightens OT Cybersecurity Rules for Critical Infrastructure

APAC regulators enacted new operational technology (OT) cybersecurity requirements for critical infrastructure on March 28, 2026. Authorities in Japan, Taiwan, Thailand, Australia, India, Hong Kong, and Singapore mandated network segmentation, asset visibility, vendor risk controls, and incident reporting to improve supply-chain resilience and cross-border threat intelligence.

Background

Digital transformation in APAC has increased exposure to OT cyber threats, notably in energy, manufacturing, transport, and utilities. A survey of 250 OT and IT leaders reported that 45% of APAC respondents view cybersecurity as a barrier to digital adoption; 46.6% cited insufficient infrastructure protection and 42.7% noted regulatory compliance challenges, according to VDC Research and Kaspersky.

In response, Japan's Economic Security Promotion Act introduced OT cybersecurity obligations for designated critical infrastructure, including supply-chain oversight. Taiwan's Cybersecurity Management Act and regulations require risk assessments and incident reporting under a tiered system. Thailand's Cybersecurity Act mandates classification of IT/OT systems by risk, designated personnel, expedited incident reporting, and audit trails. Australia's Security of Critical Infrastructure (SOCI) Act requires operators to adopt cyber risk management, report incidents within 12 hours, and comply with government interventions. India's NCIIPC guidelines and CERT-In directives mandate six-hour incident reporting and 180-day log retention for OT systems. Hong Kong's Protection of Critical Infrastructure (Computer Systems) Bill, passed in March 2025 and effective early 2026, requires critical infrastructure operator (CIO) registration, risk assessments, network monitoring, encryption, and incident reporting within 12 hours. Singapore amended its Cybersecurity Act in 2024 to cover both physical and virtual critical infrastructure, extend reporting to suppliers, and establish a Commissioner's Office for enforcement.

Details

Regulators across APAC now require operators to implement network segmentation to isolate OT systems, maintain comprehensive asset inventories via passive scanning, and enforce vendor risk management protocols for third-party access and supply-chain transparency. Malaysia and Singapore aligned their frameworks with ISA/IEC 62443 standards to support consistent implementation across energy, manufacturing, transport, water treatment, and mining. Crowell & Moring identified these measures as central to APAC's efforts to strengthen cyber resilience.

Outlook

Regulatory requirements will phase in through 2026, with deadlines varying by jurisdiction. Manufacturers and infrastructure operators across APAC must accelerate adoption of incident response, segmentation, and vendor assurance standards to achieve compliance and enhance security.