IMDA introduces advisory guidelines for cloud services and data centres

25 March 2025

On 25 February 2025, the Info-communications Media Development Authority of Singapore (“IMDA”) introduced advisory guidelines (“AGs”) for cloud services and data centres. The AGs set out recommended measures for cloud service providers (“CSPs”) and data centre (“DC”) operators in Singapore to enhance the resilience and security of their services and minimise the occurrence of disruptions to these services and impact on the economy and society. The AGs set out best practices to address risks to cloud services and DCs which range from misconfigurations in technical architecture to physical hazards such as fires, water leaks, cooling system failures, and cyber-attacks.

  • For cloud services, the AGs cover seven categories of measures to uplift the security and resilience of cloud services. Measures that CSPs are encouraged to implement relate to areas such as security testing, user access controls, proper data governance, and planning for disaster recovery.
  • For DCs, the AGs provide a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers. This includes guidance on implementing business continuity policies, controls, and processes, and continuously reviewing and improving them. The AGs also set out measures to address cybersecurity risks in DCs.

Referencing existing international and industry standards and incorporating lessons from past incidents, the AGs were developed in consultation with key CSPs and DC operators in Singapore, as well as end-user enterprises (e.g. banks, healthcare providers, and digital platforms) that rely on such digital infrastructure.

The AGs will continuously be updated to incorporate technological developments, learning points from incidents, and industry feedback. In addition to the AGs, a whole-of-ecosystem approach is required to ensure that Singapore’s economy and society continues to reap the benefits of digitalisation while being prepared to manage digital disruptions. In particular, companies that provide digital services are advised to conduct risk assessments and implement business continuity plans to mitigate the impact of disruptions on their customers.

New Digital Infrastructure Act

The AGs are an additional step to enhance the resilience and security of cloud services and DCs, following the amendments to the Cybersecurity Act 2018 pursuant to the Cybersecurity (Amendment) Act 2024 to address the cybersecurity risks of such digital infrastructure. On 7 May 2024, the Cybersecurity (Amendment) Bill was passed in Parliament to, among other things, regulate major foundational digital infrastructure service providers. The Cybersecurity (Amendment) Act 2024 was gazetted on 4 July 2024, but a commencement date has yet to be appointed by notification in the Gazette. More information is set out in our article “Bill passed to expand scope of Cybersecurity Act 2018 to regulate more entities”.

Additionally, the AGs complement the upcoming introduction of a new Digital Infrastructure Act, which will regulate systemically important digital infrastructure such as major CSPs and DC operators. On 1 March 2024, during the then Ministry of Communications and Information (now Ministry of Digital Development and Information) Committee of Supply debate, it was announced that the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services (“Taskforce”) was considering the introduction of a new Digital Infrastructure Act to address broader security and resilience concerns of key digital infrastructure and services, beyond cybersecurity. The AGs are part of the work of the Taskforce. More information is set out in our article “Singapore studying introduction of Digital Infrastructure Act”.

In his speech at the launch of Smart Nation 2.0 on 1 October 2024, Prime Minister and Minister for Finance Lawrence Wong stated that the Digital Infrastructure Act will be introduced in 2025.

Reference materials

The following materials are available on the IMDA website www.imda.gov.sg: