Public Consultation on Digital Infrastructure Bill
1 July 2026
Part I: Introduction
The Ministry of Digital Development and Information (MDDI) and the Infocomm Media Development Authority (IMDA) invite members of the public to provide feedback on the draft Digital Infrastructure Bill (Bill), which seeks to uplift the security and resilience of digital infrastructure services, and the environmental sustainability of data centre (DC) operations in Singapore. The draft Bill is attached as Annex A.
Digital infrastructure services are a foundational part of our growing digital economy. They underpin Singapore’s digital connectivity, enabling the digital services that are used by businesses and consumers, from digital banking to ride-hailing to e-commerce. Digital infrastructure services like DC Facility Services and Cloud Computing Services, among others, have become more essential, in addition to traditional mobile and broadband connectivity services. Globally, there is likewise increasing recognition of the role of digital infrastructure services.
Given the importance of DC Facility Services and Cloud Computing Services, we must ensure that providers take measures to ensure the security and resilience of such services. While the Cybersecurity Act amendments in 2024 established requirements to address the cybersecurity risks faced by major foundational digital infrastructure (FDI) services, there is no statutory framework to ensure their broader operational resilience. The Bill thus complements the Cybersecurity Act amendments in requiring regulated providers to take measures to ensure the security and resilience of major DC Facility Services and Cloud Computing Services.
At the same time, DCs operations must be environmentally sustainable and energy efficient because of their environmental footprint and intensive use of resources. Recognising this, we have launched the Green DC Roadmap to chart a sustainable pathway for DC growth and also worked with industry to launch several standards to drive the energy efficiency of DCs. We will continue to grow our DC industry in a sustainable manner by ensuring that our new DCs are best-in-class, through capacity allocation exercises such as the Data Centre – Call For Application (DC-CFA). While our efforts have catalysed voluntary DC energy efficiency improvements, voluntary measures alone cannot ensure consistent sustainability outcomes across the sector. The Bill will require all regulated DC operators to ensure that the operation of their DCs meets baseline environmental sustainability requirements.
Through the Bill, MDDI and IMDA seek to achieve the following policy objectives:
Ensure that providers of major DC Facility Services and Cloud Computing Services take measures to maintain an adequate level of security and resilience, so as to reduce the risks and mitigate the impact of disruptions;
Enhance regulatory visibility of cybersecurity incidents and service delivery disruptions affecting major DC Facility Services and Cloud Computing Services; and
Impose and uplift baseline environmental sustainability standards across the DC sector.
In developing the draft Bill, MDDI and IMDA have studied overseas developments, referenced domestic legislation (e.g., the Cybersecurity Act), and conducted extensive engagements with companies and professionals from the digital infrastructure sector.
Part II: Key Features of the Bill
New Licensing Regime for Major FDI Service Providers to Enhance Security and Resilience
The Bill will establish a new licensing regime and regulatory framework for major FDI services provided to users in Singapore. A major FDI service is a digital infrastructure service – (1) for which the loss or impairment of the provision of the service is likely to lead to or cause widespread disruption or deterioration of the operations of businesses or organisations in Singapore, and (2) which is specified in the Schedule as a major FDI service. The Schedule will specify the following as major FDI services:
A DC Facility Service provided in a DC which has a critical IT load1 (CIL) of ≥ 10 megawatts (MW), which is used to serve other parties unrelated to the operator of the DC (i.e., Cloud and Co-Location DCs); and
A Cloud Computing Service that has generated revenue from users in Singapore of ≥ S$100 million per year on average over the 3 preceding years, and falls within the categories of Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) but not Software-as-a-Service (SaaS).
Providers of these major DC Facility Services and Cloud Computing Services will have to apply to IMDA for a major FDI licence. Licensees must take measures to ensure the security and resilience of their major FDI services. They will be required to:
Implement processes and measures to ensure the security, including the physical security and cybersecurity, of their services;
Implement business continuity and disaster recovery plans to ensure timely resumption of their services from interruptions to their business activities and processes; and
Notify IMDA of the occurrence of cybersecurity incidents or service delivery disruptions.
Detailed requirements and practices for major FDI service providers will be set out in relevant instruments (e.g., regulations and codes of practice). They will take reference from the published Advisory Guidelines for Resilience and Security of Cloud Services and DCs.
New Licensing Regime for DC Operators to Enhance Sustainability
Operators of DCs (i.e. with a CIL of ≥ 3 MW) will have to apply to IMDA for a DC licence. The requirements applicable to holders of a DC licence primarily aim to impose and uplift baseline sustainability standards across the DC sector. An operator of a DC that also provides a DC Facility Service described in paragraph 7(a) will be required to hold both a major FDI licence and a DC licence. Operationally, IMDA will streamline the application process for applicants applying for both licences.
When assessing an application for a DC licence, in addition to the applicant’s experience and capability in operating a DC, IMDA will also consider the energy efficiency and water efficiency of the DC. IMDA may also consider other matters, including but not limited to the characteristics of the DC’s energy sources (e.g. the renewability of its energy sources, and the extent of greenhouse gas emissions from the generation of electricity used), and the extent to which the applicant’s current and proposed business operations are or will be of economic or strategic importance to Singapore’s economy.
Licensed DC operators will be required to meet facility-level energy efficiency requirements, specifically, power usage effectiveness (PUE) requirements. The Bill also enables IMDA to provide for requirements and practices relating to information technology equipment energy efficiency and facility-level water efficiency requirements in the future. Similar to ongoing consultations on PUE requirements, IMDA will consult DC operators before finalising such requirements and practices which will be set out in relevant instruments (i.e., regulations and codes of practice). IMDA will continue our engagements with DC operators on the specific requirements and practices which will be finalised after the passage of the Bill.
Administering and Enforcing the Act
IMDA will be given the function of administering the Act (if passed) and the following key powers:
Licensing powers. IMDA may grant, renew, suspend or revoke major FDI licences and DC licences, and impose or modify the conditions of such licences, in appropriate cases.
Codes of practice and directions. IMDA may issue codes of practice and directions to licensees, including directions to require compliance with any code of practice applicable to the licensee.
Financial penalties. IMDA may impose financial penalties for non-compliance in appropriate cases.
Enforcement and investigation. IMDA enforcement officers will be empowered to carry out enforcement and investigation actions.
Related Amendments to the Cybersecurity Act 2018 and Cybersecurity (Amendment) Act 2024
For consistency between regulatory frameworks for major FDI services, the Bill also makes related amendments to the Cybersecurity Act 2018 and Cybersecurity (Amendment) Act 2024, to align the definitions of “foundational digital infrastructure service” and “data centre facility service”.
Part III: Invitation for Feedback
MDDI and IMDA are seeking views from members of the public on the draft Bill. Please note that the information in this document and the draft Bill are being released only for the purpose of consultation and does not represent the final legislation.
All submissions should reach MDDI and IMDA within 3 weeks, no later than 22 July 2026, 10am. Respondents are to adhere to this timeline, and MDDI and IMDA reserve the right to reject late submissions. Submissions are to be in softcopy only (in Microsoft Word or PDF format). Please submit your soft copies, with the email subject “Public Consultation on the Draft Digital Infrastructure Bill [name of individual or organisation making the submission]”, to: DigitalInfrastructure@mddi.gov.sg.
MDDI and IMDA reserve the right to make public all or parts of any written submission, and/or to disclose the identity of individuals and organisations that have made submissions. Respondents may request confidential treatment for any part of the submission. Any such information should be clearly marked and placed in a separate annex. Respondents are also required to substantiate with reasons any request for confidential treatment. If MDDI and IMDA grant confidential treatment, it will consider, but will not publicly disclose, the information. If MDDI and IMDA reject the request for confidential treatment, it will return the information to the respondent that submitted it and will not consider this information as part of its review. As far as possible, respondents should limit any request for confidential treatment of information submitted. MDDI and IMDA will not accept any submission that requests confidential treatment of all, or a substantial part of, the submission.
1 Defined as the maximum electrical power capacity for which the DC is designed to supply electrical power to the information technology and network telecommunications equipment (including computer servers) which provide storage, processing and transport of data, that are housed within the DC.
