27 March 2024

On 1 March 2024, during the Ministry of Communications and Information (“MCI”) Committee of Supply debate, Minister for Communications and Information Josephine Teo (“Minister”) announced that the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services (“Taskforce”) is considering the introduction of a new Digital Infrastructure Act (“DIA”) to address broader security and resilience concerns of key digital infrastructure and services, beyond cybersecurity.

The DIA would complement the Government’s other regulatory levers, such as the Cybersecurity Act 2018 (“CS Act”) which focuses on mitigating cyber-related risks. It would go beyond cybersecurity and focus on digital infrastructure that can cause significant impact on the economy and society if disrupted. For example, large cloud service providers and data centres are crucial to the functioning of a wide array of digital services that enterprises and consumers use daily and may therefore need to meet higher security and resilience standards, to reduce the likelihood of systemic disruptions.

The Taskforce is conducting further studies develop its proposals relating to the possible DIA, including looking into Singapore’s digital infrastructure ecosystem to identify that which would have a systemic impact on the economy and society if disrupted, such as data centres, cloud services, and the support for many widely used digital services (e.g. banking and payments, ride-hailing, and digital identities).

The Taskforce will continue to consult industry players and other relevant stakeholders as well as ensure coherence in requirements between the possible DIA and the CS Act.

The Taskforce is also exploring non-regulatory measures such as providing guidance to digital infrastructure and service providers on best practices for security and resilience to complement the laws and regulations.

The Minister also mentioned that the Cybersecurity (Amendment) Bill is expected to be introduced in Parliament in April 2024. By way of background, the Cyber Security Agency of Singapore conducted a public consultation between 15 December 2023 and 15 January 2024 on the draft Cybersecurity (Amendment) Bill which seeks to raise the cybersecurity of foundational digital infrastructure and other systems as well as entities, beyond the critical information infrastructure (“CII”) the current CS Act covers. The expanded coverage will include data centres, cloud services, and key entities that may hold sensitive data or perform important public functions. CII are computers or computer systems necessary for the continuous delivery of essential services.

Reference materials

The following materials are available on the MCI website www.mci.gov.sg: