The Ministry of Digital Development and Information (MDDI) announced that the Digital Infrastructure Act (DIA), intended to improve Singapore’s digital resilience and security, will be introduced later this year. The DIA targets foundational digital infrastructure, starting with major cloud service providers and data centres. The DIA will extend regulatory efforts beyond cyberattack prevention to strengthen infrastructure stability and cybersecurity.
The Cybersecurity Act (CS Act) currently governs the cybersecurity and resilience of critical information infrastructure (CII), including computers or computer systems essential for uninterrupted delivery of key services. However, MDDI noted that some technological disruptions, such as the four-hour data centre outage on 14 October 2023, were not caused by cyberattacks but nevertheless severely impacted banking services.
The DIA aims to complement existing regulations by addressing a broader range of resilience risks faced by digital infrastructure and service providers. These risks include misconfigurations in technical architecture, fires, water leaks and cooling system failures.
The taskforce organised to study the introduction of the DIA will formulate requirements and specify covered entities by identifying which digital infrastructures are critical to Singapore’s economy and society. MDDI cited data centres, cloud services, and digital services that support banking, payments, ride-hailing and digital identities as examples of such infrastructures. Notably, such digital services fall outside the scope of the current CS Act.
The taskforce will draw inspiration from similar legislation in the European Union, Australia and Germany in drafting the DIA. Expected measures include baseline resilience and security standards and incident reporting, enabling the Singapore Government to learn from incidents and support response and recovery efforts.
The CS Act’s scope was also expanded in 2024 to regulate not just CII, but also foundational digital infrastructure (such as cloud service providers and data centres) and key entities that hold sensitive data and perform important public functions. For more information about this, see our article on the amendments to the CS Act.
Additionally, on 25 February 2025, the Infocomm and Media Development Authority also announced two new advisory guidelines for cloud service providers and data centres.
Because digital services are essential to modern life, cybersecurity is a key concern for all organisations. Cybersecurity service providers should monitor regulatory developments to support their customers in a timely and appropriate manner. Regulated entities should maintain their vigilance and comply with cybersecurity best practices to reduce risks.
OrionW regularly advises clients on cybersecurity and data protection matters. For more information about compliance with Singapore data protection and cybersecurity laws and regulations, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.
