Singapore’s Proposed Digital Infrastructure Bill: What Businesses Need to Know

By

|

Singapore’s Digital Infrastructure Bill up for consultation.

Digital infrastructure has become the invisible backbone of everyday life and commerce. In response to growing systemic reliance on these systems, Singapore’s Ministry of Digital Development and Information (MDDI) and the Infocomm Media Development Authority (IMDA) on 1st July 2026 released the draft Digital Infrastructure Bill for public consultation.

Running through July 22, 2026, this consultation is for a new Bill that introduces a legal framework to regulate broader operational resilience, physical security, and environmental sustainability for major digital infrastructure providers.

As Singapore tightens governance over its digital foundation, companies operating within the tech, data, and cloud ecosystems must understand their upcoming compliance obligations. Below, we address the core legal and operational implications of the draft legislation.

What is the primary objective of the Digital Infrastructure Bill?

The Bill aims to safeguard Singapore’s digital economy by ensuring that critical digital infrastructure providers maintain high standards of service continuity, physical security, and resource efficiency. It addresses regulatory gaps beyond traditional cyber threats such as physical hazards (fires or floods), system misconfigurations, and supply chain disruptions, while legally enforcing environmental sustainability targets for power and water usage.

 Who falls under the scope of the proposed licensing regimes?

The draft Bill introduces two distinct licensing frameworks based on operational capacity and resource consumption:

  • Major Foundational Digital Infrastructure (FDI) Licence: Mandatory for third-party co-location and cloud data centers with a critical IT load of 10 megawatts (MW) or more, as well as major cloud computing providers (IaaS/PaaS) generating an average annual revenue of S$100 million or more from Singapore-based users over the preceding three years.
  • Data Centre (DC) Licence: Focused primarily on resource efficiency, this applies to data centers with a critical IT load of 3 MW or more.

What are the key operational obligations for licensed providers?

Designated operators under the Major FDI and DC licensing frameworks will be legally mandated to implement:

  • Resilience & Security Controls: Strict physical security, fire/flood mitigation measures, and robust access controls for privileged accounts.
  • Business Continuity: Comprehensive disaster recovery protocols to minimise service outages.
  • Incident Reporting: Mandatory, prompt notification to IMDA regarding any significant cybersecurity incidents or severe service delivery disruptions.
  • Sustainability Metrics: Compliance with baseline Power Usage Effectiveness (PUE) requirements, water efficiency standards, and greenhouse gas emission reporting. The specific PUE thresholds have not yet been set and will be worked out through separate regulations and codes of practice after the Bill is passed.

How does this Bill interface with the existing Cybersecurity Act?

The Digital Infrastructure Bill complements and amends the Cybersecurity Act. The 2024 updates to the Cybersecurity Act focused on digital vulnerabilities, data breaches, and malicious cyberattacks. This new Bill expands the statutory framework to govern non-cyber operational risks, infrastructure governance, and environmental footprints, creating a wider regulatory net for digital utilities.

What are the financial penalties for non-compliance under the draft Bill?

To enforce strict accountability, the draft legislation proposes severe financial penalties for operators who fail to meet security, business continuity, or incident reporting criteria. Non-compliant licensed providers could face statutory fines of up to S$1 million, or up to 10% of their annual turnover in Singapore, whichever amount is higher.

What is the timeline for the consultation, and what are the next steps?

The public consultation window closes on July 22, 2026, at 10:00 AM. Stakeholders, industry players, and legal teams are invited to submit softcopy feedback on the draft Bill and its proposed codes of practice directly to MDDI. Following the review of public submissions, the refined Bill will be formally table in Parliament to be enacted into law, with subsequent subsidiary legislation providing granular technical directives.

Navigating Regulatory Compliance with OTP Law

As regulatory oversight intensifies across Singapore’s technology landscape, proactive legal planning is essential to mitigate compliance risks. If your corporate operations, data center frameworks, or cloud infrastructure fall within these newly proposed thresholds, early alignment with IMDA’s upcoming codes of practice is critical.

Contact OTP Law Corporation today to schedule a comprehensive regulatory impact assessment. Use our Contact Page. Our dedicated corporate and technology law team is ready to help you analyse your statutory exposure, refine your business continuity protocols, and ensure your organisational frameworks remain resilient and fully compliant.

By