Singapore’s proposed Digital Infrastructure Act: what businesses need to know

A. Introduction

Digital infrastructure is the backbone of day-to-day business operations – from supporting electronic payments and customer-facing platforms to creating and safeguarding digital identity and core enterprise systems. When that backbone fails, the impact is immediate: service disruptions occur, businesses and customers are put at risk, and regulatory and contractual exposure increases. Against this backdrop, Singapore is preparing to introduce the Digital Infrastructure Act (“DIA”), a new law intended to strengthen the resilience and security of key digital infrastructure providers, assets and services. Importantly, the DIA goes beyond cybersecurity risks: it also addresses physical hazards, hardware failures, misconfigurations, and other non-cyber risks that can be just as disruptive. Expected to be tabled in Parliament later this year, the DIA Bill will reshape the regulatory landscape for operators of critical digital infrastructure, particularly data centres and cloud service providers, as well as certain counterparties around them. For those businesses, the DIA is a prompt to assess contractual exposure and supply-chain dependencies.

B. Policy Drivers

Digital disruption is no longer a niche IT issue - it is an economy-wide risk. In 2024, it was reported that Singapore’s digital economy contributed approximately 17.7% of gross domestic product (GDP).^[1]  That economy and everything around it depends on data centres and cloud services to support essential functions such as banking and payments, ride-hailing and e-commerce. As this ecosystem expands, it becomes more complex and interdependent, increasing exposure to outages and cascading failures from both cyber and non-cyber causes.

Recent disruptions have underscored gaps in the current regulatory framework. In October 2023, a data centre suffered a cooling-system fault which affected approximately 2.5 million banking transactions in Singapore. In July 2024, the CrowdStrike outage caused what has been described as the largest global IT disruption to date. Neither incident fell squarely within the ambit of the existing Cybersecurity Act 2018 of Singapore (“CSA”), which focuses on cybersecurity threats and incidents and does not address physical hazards, misconfigurations, hardware failures, or cooling-system faults. Together, these incidents highlight the need for measures that address non-cyber causes of disruption. This aligns with international standards, with jurisdictions such as the EU, Germany, and Australia introducing resilience and incident-reporting requirements for such disruptions. 

C. Existing Legislative Landscape

To understand the DIA’s positioning, it is helpful to situate it within Singapore’s existing regulatory framework. The CSA (as amended) is the primary legislation governing the cybersecurity of Critical Information Infrastructure (“CII”) - computers or computer systems necessary for the continuous delivery of essential services, across sectors including energy, water, banking and finance, healthcare, transport and government. On 31 October 2025 amendments to the CSA introduced regimes for (i) third-party-owned CII (operating on a location-agnostic basis), (ii) extraterritorial designation powers, (iii) systems of temporary cybersecurity concern, and (iv) entities of special cybersecurity interest and major foundational digital infrastructure service providers (though the provisions relating to these regimes have not yet come into force). 

Alongside the CSA, the Telecommunications Act 1999 of Singapore (“Telecommunications Act”) requires broadband and mobile network operators to take proactive steps to minimise disruptions. Further, sectoral regulation, such as the Monetary Authority of Singapore’s (“MAS”) IT resilience and security requirements for financial institutions currently imposes targeted obligations on regulated entities. The regulatory landscape is therefore not bare - there is already an existing patchwork of requirements addressing different aspects of digital resilience across different sectors.  As the DIA is intended to complement, not replace, the CSA and existing sectoral regulation, it is important to delineate how the DIA will interact with these existing regimes, particularly where an entity is subject to multiple notification and compliance obligations simultaneously.

One of the DIA’s most significant interface challenges lies in incident notification. Singapore already has overlapping notification regimes - the Personal Data Protection Act 2012 of Singapore (“PDPA”) (triggered by notifiable data breaches affecting 500 or more individuals or likely to cause significant harm), the CSA (triggered by cybersecurity incidents affecting designated CII), MAS Notices (triggered by system malfunctions or IT security incidents at financial institutions), and the upcoming Health Information Act 2026 (triggered where national electronic records systems or relevant computer systems processing health information are affected). The DIA is expected to add a further layer, addressing system, server and infrastructure-level disruptions, including non-cyber causes such as power failures, cooling failures, misconfigurations and environmental incidents. Notification under the DIA is triggered by service disruption or system risk, even where no personal data, systems and servers are compromised. 

D. Scope of the DIA

The DIA targets what is described as “systemically important digital infrastructure” - infrastructure whose disruption would have a material impact on Singapore’s economy or essential services. The regime is expected to initially focus on major cloud service providers and data centres, which underpin widely used digital services such as banking and payments, ride-hailing and e-commerce.

The DIA Bill is likely to include designation powers enabling the regulator to identify specific providers as systemically important, similar to the CII designation mechanism under the CSA. There may also be extraterritorial reach - the recent CSA amendments already permit the designation of systems located outside Singapore, and the DIA may adopt a similar approach.

E. Core Obligations

The DIA is expected to impose a suite of obligations on designated operators, including:

1. Baseline resilience standards: designated operators will likely need to implement business continuity measures, appoint a senior designated representative, and meet other operational standards.
2. Energy efficiency: mandatory Power Usage Effectiveness (PUE) requirements for both new and existing data centres are anticipated.
3. Incident reporting: designated operators will likely be required to notify the relevant authorities and regulators of disruptions.
4. Contractual flow-downs: designated operators may be required to obtain binding commitments from third-party vendors, mirroring the approach under the CSA.

F. Implications for Industry

For many businesses, the DIA will matter not only if they are designated operators, but also if they sit within the wider ecosystem around them. Customers, vendors, subcontractors and service providers may find themselves drawn into new contractual, compliance and reporting expectations. Businesses may need to update (or repaper) existing contracts to align with the new regime. Cloud and data centre agreements may need to include DIA compliance warranties, flow-down obligations for subcontractors, and mandatory cooperation with regulators, while incident-response plans will need to incorporate new reporting requirements. A key challenge will be managing overlaps between DIA reporting requirements and existing obligations under the CSA, the Telecommunications Act and the PDPA, which may impose different timelines and information requirements for the same underlying incident. Finally, service outages and resilience failures may give rise to disputes, including contractual claims relating to outages, breaches of resilience obligations, or failures to meet regulatory standards.

G. Conclusion

The DIA signals a meaningful shift from sector-specific cyber regulation to system-wide digital resilience. The practical consequences cut across transactions, commercial contracts, incident response, and disputes involving critical digital infrastructure. Organisations that operate or rely on this infrastructure in Singapore should begin preparing now - reviewing their compliance posture, assessing designation risk, incident-readiness and ensuring that contractual frameworks are robust and fit for purpose before the regime takes effect.

We will continue to monitor the DIA Bill’s progress through Parliament. If you would like to discuss how the DIA may affect your business or require advice on readiness planning, please do not hesitate to contact our team.

Click here to read our previous article on the amendments to Singapore’s CSA.

Click here and here to read our previous articles on Singapore’s Advisory Guidelines for Cloud and Data Centres.
 

^[1] Infocomm Media Development Authority (IMDA) Digital Future Annual Report 2023/2024 - imda-annual-report-2024.pdf