Singapore is introducing a new Digital Infrastructure Act (DIA) to improve resilience and security within the city-state.

A task force was formed on January 4, 2024, to look into the act, which is still being drafted. The move follows cyber outages and incidents that impacted the banking and healthcare sectors, including one on October 14 at an Equinix facility.

The planned DIA is expected to cover a wider range of risks encountered by digital service providers than the previous Cybersecurity Act 2018, including provisions for issues such as misconfiguration in cloud architecture and outages caused by physical issues such as fires, water leaks, and cooling system failures.

A post from Singapore's Ministry of Communications and Information noted: "Recent disruptions, such as the four-hour Equinix data center outage on 14 Oct 2023, did not result from cyber-attacks but had nonetheless resulted in widespread disruption of banking services.

"Hence, it is necessary for the Government to go beyond the CS Act to enhance the resilience and security of other digital infrastructure and services that enterprises and citizens rely heavily on in our highly digitalized economy and society."

It is likely that the DIA will also require regulated entities - including telecommunication service providers, cloud service providers, and data center operators - to report significant outages and cyber incidents to authorities.

Throughout the formulation of the DIA, the task force will consult industry players and other stakeholders in order to "balance trade-offs, such as those between risk mitigation and compliance costs, and between tailoring interventions to Singapore’s context and accounting for global operations of many providers."

The Ministry further noted that "regulation alone is insufficient." The task force is thus exploring other non-regulatory measures to help offer guidance to digital infrastructure providers.

In December 2023, the Singaporean government shared that it was considering labeling data centers and clouds as "critical infrastructure" as an amendment to the Cybersecurity bill.