Major data center and cloud service providers might have to pay a fine of up to $1 million or up to 10 percent of their yearly revenue in Singapore, whichever is more, if they do not follow cybersecurity, business continuity, and incident reporting rules in new proposed laws.
The Digital Infrastructure Bill is open for public comments. It sets up a licensing system to make data centers and cloud service providers follow better rules because they are essential for daily life.
On July 1, the Ministry of Digital Development and Information (MDDI) and Infocomm Media Development Authority (IMDA) released a public consultation paper. They said that digital services from data centres and cloud operators support things like online banking, ride-hailing, and e-commerce. These services are now just as important as regular mobile and broadband services.
The new legislation was first mooted in March 2024, after a spate of service outages both locally and overseas.
In October 2023, over 2.5 million payments and ATM transactions failed at two banks because the cooling system in a data center had a problem. In April 2023, a fire at a Global Switch data center in Paris caused Google Cloud services to go down in Europe for weeks for some users.
MDDI and IMDA stated that the changes to the Cybersecurity Act in 2024 set rules for handling cybersecurity risks for data centres and cloud operators. However, there is no law to guarantee wider operational strength, and the new law will fill this need.
Under the new Bill, a regulatory regime for foundational digital infrastructure (FDI) in Singapore will be introduced.
A basic digital setup is a data center with important computers — servers, storage devices, and network tools. It needs 10 megawatts (MW) of power to run. It should also offer services to other companies.
Cloud computing services that make over $100 million a year on average in Singapore users for three years are also basic digital infrastructure.
These groups need to get a big FDI license. They must make sure their services are safe both online and offline. They should also have plans for keeping their business running and recovering from disasters. Plus, they must inform IMDA about any cybersecurity problems or service outages.
Detailed rules for big FDI service providers will be explained in separate laws and practice guides. These will use advice from guidelines released in February 2025 for data centre and cloud service providers.
Advisory guidelines that came out earlier ask data centres to have fire and flood safety plans to reduce service problems. They also need to protect against supply chain attacks, malware, and ransomware. Cloud service providers must improve control over special accounts and user access, and keep audit logs to spot and look into security issues.
Data centre operators that use 3MW of electricity or more must get a DC licence to help protect the environment.
These data center operations must follow power usage effectiveness or PUE rules. PUE shows how well a data center uses energy. A score near 1 means better efficiency.
Other points for getting a DC license are water use, renewable energy, greenhouse gas emissions, and support for Singapore’s economy.
The Bill also sets rules for energy use in IT equipment and water saving in the building later, due to limits like not enough land, energy, and water.
Singapore stopped new data centres in 2019 to think about how to grow this area in a better way for the country with limited resources. At that time, data centres used about 5.3 percent of the country’s electricity. This number went up to 7 percent in 2020 as Covid-19 sped up the move to digital.
The pause was lifted in 2022, with new projects assessed against stricter sustainability requirements. For example, data centres then had to achieve a PUE of 1.3 or lower.
Operators should aim to use renewable energy or invest in ways to cut down carbon emissions. They can also use better cooling methods, like immersion cooling, which needs much less energy than regular air cooling.
The consultation stops on July 22 at 10am.
InfoSecBulletin Cybersecurity for mankind
