Singapore yesterday rolled out a new set of guidelines that seek to build up the resilience of cloud services and data centres that are crucial to its digital infrastructure.
The message from the government regulator is clear – as the city-state deepens its reliance on digital infrastructure, it cannot afford outages, cyberattacks, or catastrophic failures.
The stakes are high. A Microsoft Azure outage in November 2024 took down critical Singapore-based websites, including those of the CPF Board and Nanyang Technological University.
In 2023, DBS Bank and Citibank faced a major disruption in Singapore due to a cooling system failure at a data centre provided by Equinix. These incidents serve as stark reminders that digital resilience is not just an IT issue – it has economic and national security imperative.
The new Infocomm Media Development Authority (IMDA) guidelines focus on a broad spectrum of risks, from technical vulnerabilities and cyber threats to physical hazards like fires and water leaks.
For cloud service providers (CSPs), the playbook emphasises security testing, access controls, data governance, staff due diligence and disaster recovery.
Data centre operators, on the other hand, are urged to implement robust business continuity plans to maintain uptime even in the face of cyber attacks or operational failures.
The guidelines were drawn up in consultation with industry operators and service providers, particularly those in high-need scenarios, such as in banking and healthcare.
Minister for Digital Development and Information Josephine Teo said that digital services need a special set of infrastructure.
“We will need cloud service providers, which serve more like digital super highways to make those connections,” she said on the sidelines of a visit to a Microsoft data centre in Singapore yesterday.
“We also have data centres that serve like record-keepers, and they will be able to retain some copy of the transactions that we complete online,” she added.
When these service providers encounter difficulties or when these kinds of infrastructure are disrupted one way or the other, consumers, the government and the business community will experience inconveniences in their day-to-day activities.
“However, at the moment, if we look at the requirements for security and resilience of these kinds of foundational digital infrastructure, there is no set requirement yet,” said Teo.
“And in terms of being able to ensure the resilience and security of such services, I think it’s timely for us to raise the standards in the industry,” she added.
The guidelines are also a good way to “ground-test a set of practices”, she said, which can be put into deployment. Her ministry and IMDA will continue to receive feedback on what is useful and which areas can be further refined.
“I think it will help us shape a set of requirements in the Digital Infrastructure Act that is more responsive to their needs and will bring about greater assurance to the public,” she noted.
However, here’s the conundrum: While major cloud and data centre providers have the resources to comply, smaller players may struggle with the financial and operational burdens of implementing these stringent measures.
Will the industry self-regulate effectively, or will the upcoming Act impose tighter controls? And as AI-driven cyber attacks grow more sophisticated, will these measures be enough?
This move is not just about risk management. It is about positioning Singapore as a global leader in digital trust. As the government pushes for AI-driven innovation and a smart nation agenda, a strong foundation in cloud and datacentre security is non-negotiable.
Businesses that rely on cloud computing, from financial institutions to e-commerce giants, will need to align with these best practices or risk falling behind.
With the DIA set to be tabled in Parliament later this year, expect Singapore to set new benchmarks for digital resilience in the region. Australia and the European Union are already moving this way. Will other Asean nations follow suit, or will they be forced to react when the next major outage hits?
