Singapore’s Ministry of Digital Development and Information (MDDI) and the Infocomm Media Development Authority (IMDA) have proposed a new Digital Infrastructure Bill that could impose fines of up to $1 million, or 10 per cent of annual turnover, on data centre and cloud service operators for failing to meet strict resilience and cybersecurity standards. The legislation aims to address gaps in current regulations by creating a formal licensing regime for foundational digital infrastructure, ensuring that essential services remain operational during major disruptions.
Why is Singapore implementing new digital infrastructure regulations?
The proposed legislation follows a series of high-profile service outages that highlighted the fragility of critical digital systems. In October 2023, a cooling system failure at a data centre disrupted over 2.5 million ATM and payment transactions across two banks. Earlier, in April 2023, a fire at a Global Switch facility in Paris crippled Google Cloud services for European customers for several weeks. According to MDDI and IMDA, while the 2024 Cybersecurity Act amendments addressed specific cyber threats, no existing statutory framework ensures broader operational resilience for the digital backbone of the economy.

Did you know? Data centres accounted for approximately 7 per cent of Singapore’s total electricity consumption in 2020, up from 5.3 per cent in 2019, as the pandemic accelerated the nation’s push toward total digitalization.
What defines “Foundational Digital Infrastructure”?
Under the proposed Bill, the government will categorize specific facilities and services as Foundational Digital Infrastructure (FDI). To qualify as an FDI data centre, a facility must provide services to other businesses and require at least 10 megawatts (MW) of electrical power. Cloud computing services are also classified as FDI if they generate an average annual revenue exceeding $100 million from Singapore-based users over a three-year period.
Operators of these facilities will be required to hold a major FDI licence. This license mandates the implementation of rigorous physical and digital security protocols, comprehensive disaster recovery plans, and mandatory reporting of any service disruptions or cybersecurity breaches to the IMDA.
How will sustainability requirements affect data centre operations?
Beyond cybersecurity, the government is focusing on environmental efficiency. Operators utilizing at least 3MW of electricity must obtain a data centre (DC) licence. A key metric for these operators is Power Usage Effectiveness (PUE), where a score closer to 1 indicates higher energy efficiency. This builds on the 2022 policy shift that lifted a temporary pause on new data centres, requiring projects to maintain a PUE of 1.3 or lower.

Future regulations may also introduce strict requirements regarding water efficiency and the use of renewable energy sources. Operators are increasingly encouraged to adopt advanced technologies, such as immersion cooling, which consumes significantly less energy than traditional air-cooling systems.
Pro Tip: Infrastructure operators should begin aligning their internal protocols with the advisory guidelines issued in February 2025, which detail specific expectations for fire and flood mitigation, privileged account access, and supply chain security.
Frequently Asked Questions
- What is the penalty for non-compliance? Operators could face fines of up to $1 million or 10 per cent of their annual turnover in Singapore.
- When does the public consultation end? The consultation period for the Digital Infrastructure Bill closes on July 22 at 10 am.
- Does this apply to all data centres? No, licensing requirements for major FDI focus on facilities with 10MW capacity or higher, while sustainability licenses apply to those using at least 3MW.
What are your thoughts on the impact of these new resilience standards on the cloud industry? Share your perspectives in the comments section below or subscribe to our newsletter for the latest updates on digital policy.
