Singapore Plans to Introduce New Digital Infrastructure Act
Key Takeaways
- An inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services (“Taskforce”), led by the Ministry of Communications and Information, has announced its plans to introduce a new Digital Infrastructure Act (“DIA”) to bolster the resilience and security of key digital infrastructure and services in Singapore.
- The DIA will complement various other regulatory measures, including the upcoming amendments to the Cybersecurity Act 2018.
- The DIA is being drafted at present and it is likely to have an impact on digital infrastructure and service providers (e.g. telecommunication service providers, cloud service providers and data centre operators).
Background
Singapore’s highly digitalised economy and society places heavy reliance on digital infrastructure and services. A recent spate of cyber outages and incidents in the banking and healthcare sectors[1][2] has caused disruptions in the delivery of digital services and negatively affected public confidence. The Taskforce was therefore formed on 4 January 2024 with the aim of maintaining public faith and assurance in digital infrastructure and services in Singapore, by proposing measures and guidelines to mitigate cybersecurity risks and enhance resiliency standards.
One new measure, which was announced on 1 March 2024, is the new DIA, which addresses a broad range of resilience risks faced by digital infrastructure and service providers. By holding these providers accountable and requiring them to comply with safety standards, the DIA aims to mitigate the risks of such service disruptions that could have profound economic and societal impacts.
What does the Act say?
The DIA is currently still being drafted. The Taskforce plans to draft the DIA with a broader scope than existing regulatory levers such as the Cybersecurity Act 2018 in order to tackle a wider range of risks encountered by digital infrastructure and service providers,[3] such as misconfigurations in cloud architecture and outages caused by fires, water leaks, and cooling system failures.
In drafting the DIA, the Taskforce will consider Singapore’s operating context and also draw inspiration from international developments. For instance, the European Union, Germany and Australia require regulated entities to report significant outages and cyber incidents to the authorities and also adhere to baseline resilience and security standards.[4] It appears likely that the DIA will follow this trend and include similar obligations.
Digital infrastructure and service providers, such as telecommunication service providers, cloud service providers and data centre operators, will be affected by the DIA if it is introduced.[5]
What’s Next?
The Taskforce will continue to seek input from industry players and other stakeholders while scoping and developing its proposals for the DIA.[6] Concurrently, the Taskforce is also exploring non-regulatory measures to supplement Singapore’s legal framework, such as offering guidance to digital infrastructure and service providers on the best practices for enhancing resilience and security in order to ensure business continuity.[7]
For more information on the new DIA, please refer to the full press release here.
If you have any questions or would like to discuss any issues, please do not hesitate to contact us.
This article is produced by our Singapore office, Bird & Bird ATMD LLP. It does not constitute legal advice and is intended to provide general information only. Information in this article is accurate as of 6 March 2024.
[1] Websites of all S’pore public hospitals, polyclinics back up after crash lasting 7 hours
[2] 2.5 million transactions affected by recent DBS, Citibank outages; 810,000 login attempts failed
[6] COS 2024: Speech by Minister Josephine Teo (smartnation.gov.sg)
