On March 1, 2024, Singapore’s Ministry of Communications and Information announced[1] that a study would be launched to introduce a new piece of legislation, the Digital Infrastructure Act (DIA), to boost the resilience and security of key digital infrastructure and services in Singapore.

What Do the Current Laws Cover?

Singapore has a Cybersecurity Act[2] that governs the cybersecurity and resiliency of critical information infrastructure (CII). CII are computer systems that are necessary for the continuous delivery of essential services in Singapore. Such essential services include energy, water, banking and finance, healthcare, transport (including land, maritime and aviation), info-communications, media, security and emergency services and the government. The Cybersecurity Act is supplemented by a patchwork of sectoral laws and regulations; for instance, the Banking Act and subsidiary regulations, guidelines and notices issued by the Monetary Authority of Singapore for the banking industry; the Telecommunications Act and accompanying regulations and codes for the telecoms sector, etc. As mentioned in a previous post,[3] Singapore will be amending the Cybersecurity Act imminently.

What Has Led to the Need for a New DIA?

Recent disruptions, including a four-hour major data centre outage in October last year, resulted in widespread disruption of banking services in Singapore. As these were not a result of cyberattacks, the Cybersecurity Act would have had limited applicability and impact in addressing the issue. It was also noted that Singapore is a highly digitalised economy and society, which relies heavily on the resilience and security of digital infrastructure and services. It is against this evolving risk landscape and backdrop that Singapore is now studying similar measures deployed by other countries, and of which it has been determined that the DIA will form part of the suite of measures to be developed and adopted to suit Singapore’s context.

What and Who Will the DIA Cover?

The DIA will go beyond cybersecurity risks and seek to address a broader set of digital resilience issues faced by digital infrastructure service providers. These span misconfigurations in technical architecture, to physical hazards such as fires, water leaks and cooling system failures. The study will also identify key digital infrastructure ecosystem players in Singapore, which, if disrupted, could have a systemic impact on Singapore’s economy and society. These are likely to include data centres and cloud services that support the delivery of widely used digital services and platforms in banking and payments, ride-hailing and digital identities.

What Obligations Will the DIA Impose?

These obligations will likely include incident reporting, as well as baseline resilience and security standards. However, Singapore is studying similar frameworks adopted in other jurisdictions such as the EU, Germany and Australia, and will continue to consult the industry as it formulates its proposals for these requirements, regulatory processes and guidance.


When passed, the DIA will have significant impact not only on any directly regulated entity under the DIA, but also the broader ecosystem that relies on Singapore’s digital infrastructure, including data centres and cloud providers to deliver products and services. While the precise scope and reach of the DIA’s provisions and requirements remain to be seen, businesses should pay particular attention to contractual means of protection against digital resilience and business continuity risks. Should you require support on this or any related issue, feel free to reach out to your usual firm contact.

[1] https://www.mci.gov.sg/media-centre/press-releases/new-digital-infrastructure-act/

[2] https://sso.agc.gov.sg/Acts-Supp/9-2018/

[3] https://www.privacyworld.blog/2023/12/singapore-to-amend-cybersecurity-law/

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.