Public Consultation on Digital Infrastructure Bill on Security of Digital Infrastructure Services and Environmental Sustainability of Data Centre Operations

Introduction

Digital infrastructure services such as Data Centre (“DC“) Facility Services and Cloud Computing Services play a key role in Singapore’s burgeoning digital economy. Given their importance, Singapore is looking to establish a statutory framework to ensure that providers take measures to protect their security and resilience. The framework also aims to ensure that regulated DC operators meet baseline environmental sustainability requirements, in light of their environmental footprint and intensive use of resources.

The Ministry of Digital Development and Information and the Infocomm Media Development Authority (“IMDA“) have, on 1 July 2026, published a draft Digital Infrastructure Bill (“Bill“). The draft Bill is open for public consultation until 22 July 2026. It seeks to achieve the following:

Ensure that providers of major DC Facility Services and Cloud Computing Services take measures to maintain an adequate level of security and resilience;

  1. Enhance regulatory visibility of cybersecurity incidents and service delivery disruptions affecting major DC Facility Services and Cloud Computing Services; and
  2. Impose and uplift baseline environmental sustainability standards across the DC sector.

This Update highlights the key features of the draft Bill, including the following:

  1. Introduction of a new licensing regime and regulatory framework for major foundational digital infrastructure (“FDI“) service providers;
  2. Introduction of a new licensing regime and regulatory framework for DC Operators; and
  3. Empowering IMDA to administer and enforce the regimes.

FDI Framework

The Bill introduces a new licensing regime and regulatory framework for providers of major FDI services to users in Singapore.

Scope

A major FDI service is defined as a digital infrastructure service: (i) of which the loss or impairment is likely to lead to widespread disruption or deterioration of the operations of businesses or organisations in Singapore; and (ii) which is specified in the Schedule of the Bill as a major FDI service. The Schedule provides that a major FDI Service includes:

  1. A DC Facility Service provided in a DC which has a critical IT load (“CIL“) of ≥ 10 megawatts (MW), which is used to serve other parties unrelated to the operator of the DC (i.e. Cloud and Co-Location DCs); and
  2. A Cloud Computing Service that has generated revenue from users in Singapore of ≥ S$100 million per year on average over the three preceding years, and falls within the categories of Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) but not Software-as-a-Service (SaaS).

Licensing

Providers of these major DC Facility Services and Cloud Computing Services will have to apply to IMDA for a major FDI licence. IMDA may impose conditions on such licences as it deems appropriate.

In considering such applications, IMDA will consider, among other factors: (i) the experience of the applicant; and (ii) whether it would be contrary to the public interest.

Obligations

Licensees must take measures to ensure the security and resilience of their services, including the following obligations:

  1. Implement processes and measures to ensure the security, including the physical security and cybersecurity, of their services;
  2. Implement business continuity and disaster recovery plans to ensure timely resumption of their services from interruptions to their business activities and processes; and
  3. Notify IMDA of the occurrence of cybersecurity incidents or service delivery disruptions.

If a licensee fails to comply with the above obligations, the conditions of their licence, or IMDA directions, they may be subject to a financial penalty not exceeding the higher of (i) S$1 million; and (ii) 10% of the licensee’s annual turnover in Singapore.

DC Operator Framework

Operators of DCs (i.e. with a CIL of ≥ 3 MW) will have to apply to IMDA for a DC licence. Notably, the DC licence regime applies to all operators of DCs meeting the CIL threshold, regardless of whether the DC is operated for the purposes of providing a DC Facility Service to third parties or for the operator’s own use.

Licensing

When assessing an application for a DC licence, IMDA will consider, among other factors:

  1. The experience of the applicant and its ability to perform the relevant duties;
  2. The energy efficiency and water efficiency of the DC; and
  3. Whether it would be contrary to the public interest.

IMDA may also have regard to:

  1. The characteristics of the energy sources from which electricity to be used by the applicant is generated (i.e. renewability, greenhouse gases, etc.);
  2. Whether emissions produced will be disposed of, processed, stored, or mitigated;
  3. The bearing that the energy consumption of the DC may have on Singapore’s international commitments to reducing greenhouse gases; and
  4. The extent to which the applicant’s business operations will be of economic or strategic importance to Singapore’s economy.

Obligations

IMDA may impose conditions on such licences as it deems appropriate. Conditions may include:

  1. Payment of licensing fees;
  2. Commencement of operations within a specified period;
  3. Performance of specified tasks or achievement of specified goals that the licensee had undertaken as part their application;
  4. Identification of a suitable low-carbon energy project to be located in Singapore to supply electricity, and drawing from the project by a specified date;
  5. Arranging for emissions to be disposed of, processed, stored, or mitigated;
  6. Arranging for electricity to be imported and used to operate the DC; and
  7. Requiring the licensee not to use more than a specified amount or proportion of electricity generated from any specified energy source.

Licensed DC operators will be required to meet facility-level energy efficiency requirements, including ensuring that the DC complies with prescribed minimum energy efficiency requirements relating to: (i) facility-level energy efficiency; (ii) equipment-level energy efficiency of information technology equipment; and (iii) facility-level water efficiency.

Licensed DC operators must also submit to IMDA an annual report on compliance with the statutory obligations, the conditions of the licence, and any applicable code of practice.

If a licensee fails to comply with the above obligations, the conditions of their licence, or IMDA directions, they may be subject to a financial penalty not exceeding the higher of (i) S$1 million; and (ii) 10% of the licensee’s annual turnover in Singapore.

IMDA Powers

If the Bill is passed, IMDA will be given the function of administering the resultant Act, and will be endowed with the following key powers:

  1. Licensing powers: IMDA may grant, renew, suspend or revoke major FDI licences and DC licences, and impose and/or modify the conditions of such licences, in appropriate cases.
  2. Codes of practice and directions: IMDA may issue codes of practice and directions to licensees, including directions to require compliance with any code of practice applicable to the licensee.
  3. Financial penalties: IMDA may impose financial penalties for non-compliance in appropriate cases.
  4. Enforcement and investigation: IMDA enforcement officers will be empowered to carry out enforcement and investigation actions, including requiring the furnishing of evidence, documents, and information. 

Practical Implications

For Cloud Computing Services, the threshold for “major regulated cloud computing service” is average annual revenue of at least S$100 million from “users in Singapore” over the three preceding years. The draft Bill does not expressly set out a test for how “users in Singapore” will be determined.

Potential questions include whether revenue is attributed based on billing entity, account location, service consumption location, customer headquarters, workload location, or end-user location. Related issues include whether intra-group usage counts towards the threshold, how marketplace or reseller revenue is treated, whether gross or net revenue is measured, how global contracts with Singapore users are apportioned, and how new entrants or newly reorganised providers are assessed if they lack a three-year revenue record.

For DC Facility Services and DC licences, the key practical question is who qualifies as the relevant “operator” where ownership, operation and occupation are split across different entities. For example, the regulatory responsibility may need to be distinguished between an owner-lessor, master lessee, colocation operator, cloud provider operating its own facility, facilities manager, joint venture vehicle, or outsourced technical operator. This distinction is particularly important because licensing and sustainability obligations may not sit neatly with legal ownership/title to the property.

Additionally, given that the DC licence threshold (CIL of ≥ 3 MW) is lower than the major FDI licence threshold (CIL of ≥ 10 MW), a DC requiring a major FDI licence will necessarily also require a DC licence. The two regimes have different scope and policy objectives — the major FDI licence regime focuses on security and resilience, whereas the DC licence regime focuses on environmental sustainability. A DC operator with more than 10 MW CIL serving third parties will be required to comply with both sets of requirements. This is confirmed in the public consultation document, and IMDA has indicated that it will streamline the application process for DC operators meeting both thresholds.

Interaction with Existing Regulation 

The draft Bill is intended to complement the Cybersecurity Act framework by addressing broader operational resilience beyond cybersecurity. The practical issue is not simply the introduction of a new licensing regime, but how the proposed obligations will interact with existing cybersecurity, operational resilience, business continuity and sector-specific regulatory requirements. Providers with existing global operational frameworks may need to map Singapore-specific obligations against their global policies and customer commitments to identify areas of overlap, conflict or additional compliance requirements.

Contractual and Commercial Implications 

Once passed, the Bill may affect various contractual arrangements including cloud customer terms, service level commitments, incident notification clauses, audit and information rights, regulatory disclosure clauses, confidentiality carve-outs, and sub-processor or vendor obligations. DC owners, operators, tenants and colocation providers should also review how regulatory responsibility is allocated under existing facility, lease, colocation, energy procurement and service arrangements, particularly where the party operating the facility is not the same as the party owning the premises or contracting with end customers.

Concluding Words

If passed, the proposed Bill will introduce significant obligations on the part of digital infrastructure service providers. While the Bill is framed as a security and sustainability measure, it also represents a significant expansion of regulatory oversight of Singapore’s digital infrastructure sector. Stakeholders should assess not only whether they fall within the proposed licensing regimes, but also whether existing operational, contractual and governance arrangements are capable of supporting compliance with the proposed obligations.

In preparation, affected providers should assess whether their Singapore operations fall within the proposed thresholds, map existing cyber, resilience, business continuity, disaster recovery, incident response and sustainability controls against the proposed obligations, and identify any areas where clarification should be sought through the consultation process. Stakeholders are encouraged to submit feedback on the proposed Bill, particularly in relation to the licensing thresholds, treatment of multi-tenanted facilities, treatment of outsourced operators, interaction with existing regulatory requirements, and implementation timelines. If you wish to seek advice on the submission of feedback, please feel free to contact our team set out on this page, who will be glad to assist.

The full public consultation is available here

For regional technology law matters, please see Rajah & Tann Asia’s Regional Data & Digital Economy Practice for more information. For regional sustainability matters, please see Rajah & Tann Asia’s Regional Sustainability Practice for more information.


 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.

CONTACTS

Singapore,
+65 6232 0693
Singapore,
+65 6232 0375
Singapore,
+65 6232 0275
Brunei, Singapore,
+65 6232 0707
China, Singapore,
+65 6232 0550
Brunei, Singapore,
+65 6232 0751
Singapore,
+65 6232 0786
China, Singapore,
+65 6232 0738

Country

Share

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This website is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this website.

© 2024 Rajah & Tann Asia. All Rights Reserved. All trademarks are property of their respective owners.