Data centres and cloud operators - potential new requirements on Singapore’s horizon

Singapore is considering implementing a new Act – the Digital Infrastructure Act (DIA) – to further enhance the security and digital resilience of key digital infrastructure such as data centres and cloud services.

An inter-agency taskforce (“Taskforce”) was set up in early March 2024 to study the introduction of the DIA. If passed, operators of critical infrastructure in Singapore can expect to face further obligations on top of existing legal obligations already in place in Singapore.

Operators of critical infrastructure in Singapore are already regulated by an existing comprehensive framework of legislation

• they have direct obligations under the Cybersecurity Act in respect of detailed reporting requirements, compliance with codes of practice and standards of performance and obligations in relation to cybersecurity incidents
• in their capacity as service providers of financial institutions, they are required to comply with obligations in respect of technology risk management, business continuity and outsourcing

The Taskforce has indicated that the DIA will complement existing regulatory measures, including upcoming updates to the Cybersecurity Act. In particular, the Act will focus on identifying those operators which would have a systemic impact on Singapore’s economy and society if disrupted. If Singapore’s DIA follows the approach of similar legislation in other jurisdictions such as the EU (e.g. the Digital Operational Resilience Act), it is likely that the Act will focus on putting in place baseline incident reporting requirements and resilience and security standards.

In recent years, the Singapore government has focused on enhancing the digital resilience of Singapore’s economy, particularly in the light of the spate of serious IT disruptions suffered by various financial institutions.

Going forward, it is clear that there will be an enhanced regulatory burden on operators of digital infrastructure in Singapore, whether in the realm of telecommunications, banking and payments or digital identities etc.

Companies in the business of providing such services should keep a close eye on DIA developments. For now, it appears that the ultimate end-users of such services (e.g. financial institutions) will not be separately regulated under the proposed legislation.

For more information on the DIA, please refer to the press release here.