New Digital Infrastructure Act (Factsheet)
Factsheet - New Digital Infrastructure Act to enhance the resilience & security of digital infrastructure and services
1 March 2024
At COS 2024, MCI announced that the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services (“Taskforce”) is studying the introduction of a Digital Infrastructure Act (DIA) to enhance the resilience and security of key digital infrastructure and services.
Today, the cybersecurity and resilience of critical information infrastructure (“CII”),[1] which are computers or computer systems necessary for the continuous delivery of essential services, are governed by the Cybersecurity Act (“CS Act”). The CS Act is supplemented by relevant sector regulation (e.g., CII in the telecommunications sector are additionally governed by the Telecommunications Act). Recent disruptions, such as the four-hour Equinix data centre outage on 14 Oct 2023, did not result from cyber-attacks but nonetheless resulted in widespread disruption of banking services. Hence, it is necessary for the Government to go beyond the CS Act to enhance the resilience and security of other digital infrastructure and services that enterprises and citizens rely heavily on in our highly digitalised economy and society. While the risk of disruptions cannot be eliminated entirely, the Taskforce has been reviewing the evolving risk landscape, studying measures deployed by other countries which are similarly facing these issues, and developing measures suited to Singapore’s context.
The DIA is one such measure that the Taskforce is developing. The DIA is intended to complement the Government’s other regulatory levers, such as the CS Act which focuses on mitigating cyber-related risks.[2] It will go beyond cybersecurity to address a broader set of resilience risks faced by digital infrastructure and service providers, ranging from misconfigurations in technical architecture, to physical hazards such as fires, water leaks, and cooling system failures.
In scoping the DIA, the Taskforce is studying the digital infrastructure ecosystem in Singapore to identify the infrastructure which would have a systemic impact on Singapore’s economy and society if disrupted. Examples include data centres and cloud services, which support the delivery of many widely-used digital services (e.g., banking and payments, ride-hailing, and digital identities).
The Taskforce is also formulating the requirements that the regulated entities would be subject to under the DIA. This will take into account Singapore’s operating context as well as international developments. For example, jurisdictions such as the European Union (EU), Germany and Australia have introduced incident reporting requirements and baseline resilience and security standards which regulated entities must comply with. The incident reporting requirements would deepen the Government’s situational awareness and understanding of systemic risk when disruptions occur. Collectively, these requirements could contribute to the prevention of disruptions and effective recovery should disruptions occur.
The Taskforce will continue to consult industry players and other relevant stakeholders as it develops its proposals. It is mindful of the need to ensure coherence in requirements and processes (e.g., reporting channels) across different regulatory levers. It will also balance trade-offs, such as those between risk mitigation and compliance costs, and between tailoring interventions to Singapore’s context and accounting for global operations of many providers.
Regulation alone is insufficient. The Taskforce is therefore exploring non-regulatory measures to complement Singapore’s laws. These could include providing guidance to digital infrastructure and service providers on best practices for resilience and security to ensure business continuity.
About the Taskforce
The formation of the Taskforce was announced by Minister for Communications and Information, Mrs Josephine Teo, earlier this year on 4 January. The Taskforce’s overarching objective is to uphold public trust and confidence in digital infrastructure and services in Singapore. The Taskforce will review the evolving landscape of resilience and security risks to digital infrastructure and services, and recommend measures and policies to mitigate cybersecurity risks and raise resiliency standards.
As an inter-agency effort, the Taskforce is led by the Ministry of Communications and Information, and comprises members from Smart Nation Group, Cyber Security Agency of Singapore, Infocomm Media Development Authority, and Government Technology Agency. Relevant sector agencies (e.g., regulators of digital services with systemic impact on Singapore’s economic activity and the public’s daily lives) will also be consulted.
For media clarifications, contact:
Wu Fan
Assistant Manager, Media Relations
Ministry of Communications and Information
HP: 9623 1977
wu_fan@mci.gov.sg
[1] CII sectors include: Energy, Water, Banking and Finance, Healthcare, Transport (including Land, Maritime, Aviation), Infocomm, Media, Security and Emergency Services, Government.
[2] As part of upcoming amendments, the Cybersecurity Act’s scope will be expanded beyond CII to regulate the foundational digital infrastructure (e.g., Cloud Service Providers and Data Centres) and key entities that hold sensitive data and perform important public functions.