Singapore is developing new regulations to treat data centers as critical infrastructure

Singapore already has strict government oversight of critical technology infrastructure. The municipality now aims to extend this oversight to other "important" information technology providers as well. Singapore is working to amend the Cybersecurity Act, approved in 2018, to impose new obligations on third-party companies that provide critical technology services. The Asian country has launched a public consultation on the amendments, seeking feedback over a month-long period until January 15, 2024.

The existing Cyber ​​Security Act gives the Cyber ​​Security Authority of Singapore (CSA) the power to supervise Singapore’s national cybersecurity. According to the proposed amendments, the cyber threat landscape and business environment have continued to evolve since the enactment of the Act. Singapore has become one of the most digitally connected countries in the world, leading to increased demand for connectivity, computing and data storage.

These changing needs are prompting new considerations about cybersecurity and government regulation. While the CSA previously regulated critical information infrastructure (CII) platforms, it now intends to extend cybersecurity guidance to "other critical systems and infrastructure." The Cybersecurity Act specifically identifies energy, water, banking and finance, healthcare, land transport, maritime transport, aviation, government, information and communications, media, and security and emergency services as CII service providers.

The proposed amendments to the Cybersecurity Bill will introduce a new category of "underlying digital infrastructure", alongside CII services. This new category is expected to include data centers and cloud computing services operating within Singapore. Basic infrastructure operators are obliged to provide additional assurances to the Singaporean authorities, including continued service provision and effective prevention of cyber incidents.

The CSA also wants basic infrastructure providers to report cyberattacks within hours and quickly comply with Commissioner David Koh's demands, including requests for audits and provision of data center design information. The amendment authorizes CSA to conduct on-site inspections to verify compliance with the new rules.

As stated in the amendments, organizations that fail to comply will be subject to fines or other penalties. Temporary systems, such as those deployed for large events, will need to comply with similar rules for a year. CSA invites the public and stakeholders to provide feedback online through the Cybersecurity (Amendment) Bill Feedback Form.