Major data centres, cloud providers could be fined up to $1m under proposed Digital Infrastructure Bill

Sign up now: Get ST's newsletters delivered to your inbox

The Digital Infrastructure Bill carries a licensing regime to hold data centre and cloud services operators to higher standards of resiliency.

ST PHOTO: KUA CHEE SIONG

  • Major data centre and cloud service operators in Singapore could face fines up to $1 million or 10% of turnover for failing cybersecurity, business continuity, and incident reporting standards under the proposed Digital Infrastructure Bill.
  • The Bill introduces licensing for foundational digital infrastructure, requiring strict security, continuity plans, and incident notifications.
  • Sustainability is emphasised, reflecting Singapore’s resource constraints.

AI generated

SINGAPORE - Major data centre and cloud service operators could be fined up to $1 million, or up to 10 per cent of their annual turnover in Singapore, for failing to meet cybersecurity, business continuity and incident reporting requirements under proposed new legislation.

The Digital Infrastructure Bill, which the public can now provide feedback on, introduces a licensing regime to hold these data centre and cloud services operators to higher standards of resiliency as they have become the backbone of everyday life.

In a public consultation paper released on July 1, the Ministry of Digital Development and Information (MDDI) and Infocomm Media Development Authority (IMDA) said that such digital infrastructure services offered by data centres and cloud operators power everything from digital banking to ride hailing and e-commerce, and have become essential like traditional mobile and broadband services.

The new legislation was first mooted in March 2024, after a spate of service outages both locally and overseas.

In October 2023, more than 2.5 million payment and ATM transactions could not be completed by two banks due to a fault in the cooling system of a data centre used by the banks. In April 2023, a fire in a Global Switch data centre in Paris brought down Google Cloud services in Europe for weeks for some customers.

MDDI and IMDA said that while the Cybersecurity Act amendments in 2024 established requirements to address cybersecurity risks faced by data centre and cloud operators, there is no statutory framework to ensure broader operational resilience, and the new legislation will cover this gap.

Under the new Bill, regulatory regime for foundational digital infrastructure (FDI) in Singapore will be introduced.

Foundational digital infrastructure includes data centres with essential computing equipment — servers, storage drives and networking hardware — that requires 10 megawatts (MW) of electrical power to operate. Cloud computing services that generate more than an average annual revenue of $100 million in Singapore users over three years are also foundational digital infrastructure.

These parties have to apply for a major FDI license, which will require them to ensure the physical and digital security of their services, put in place business continuity and disaster recovery plans, and notify IMDA of cybersecurity incidents or service disruptions.

Detailed requirements for major FDI service providers will be set out in subsidiary legislation and codes of practice. These will take reference from advisory guidelines introduced in February 2025 for data centre operators and cloud service providers.

Advisory guidelines introduced earlier require data centres to put in place fire and flood mitigation measures to minimise service disruptions, and safeguards against supply chain attacks, malware and ransomware, among other requirements.

Cloud service providers also need to strengthen controls over privileged accounts and user access, and maintain audit logs to detect and investigate security incidents.

To enhance environmental sustainability, data centre operators that use at least 3 MW of electricity will need to apply for a data centre (DC) licence.

These data centre operations will be required to meet power usage effectiveness or PUE requirements, which measures how efficiently a data centre uses energy. A score that is closer to 1 indicates greater efficiency.

Other considerations for DC licence approval include water efficiency, renewability of energy sources, greenhouse gas emissions and contributions to Singapore’s economy.

The Bill also paves the way for energy requirements to be imposed on IT equipment, and water efficiency requirements for the facility in future, amid constraints including limited land, energy and water resources.

Singapore introduced a temporary pause on new data centres in 2019 to review how the sector could grow more sustainably in the resource-constrained nation.

At the time, data centres accounted for about 5.3 per cent of the country’s electricity consumption. The figure rose to 7 per cent in 2020 as the Covid-19 pandemic accelerated digitalisation.

The pause was lifted in 2022, with new projects assessed against stricter sustainability requirements.

For example, data centres then had to achieve a PUE of 1.3 or lower.

Operators are also expected to tap renewable energy or invest in technologies that reduce or offset carbon emissions. They can also adopt more energy-efficient cooling methods, such as immersion cooling, which uses significantly less energy than conventional air cooling.

The consultation will close on July 22, 10am.

See more on