The Info-communications and Media Development Authority (IMDA) on 25 February 2025 released the Advisory Guidelines for Cloud Service Providers (CSP Guidelines), and the Advisory Guidelines for Data Centres (DC Guidelines) (collectively, the Guidelines). The voluntary Guidelines aim to reduce the frequency and impact of service disruptions on Singapore’s economy and society. The Guidelines outline industry best practices, incorporating lessons learned from past incidents and advancements in technology.
The Guidelines outline best practices to address risks to CSPs and DCs, covering issues from technical misconfigurations and physical threats (such as fires, water leaks and cooling system failures) to cyberattacks. The Guidelines will complement the proposed Digital Infrastructure Act (DIA), which is expected to be introduced later in 2025 (see our article on the Digital Infrastructure Act).
IMDA urges CSPs and DC operators to adopt the recommended measures in the Guidelines. The Guidelines are an additional step to increase Singapore’s cybersecurity resilience following the amendments to the Cybersecurity Act last year (see our article on the Cybersecurity Act amendments).
The CSP Guidelines outline 7 categories of measures which can be adopted to address cybersecurity and operational risks in cloud environments:
CSPs are encouraged to designate a senior representative to take charge of the resilience and security effort and review all applicable, published security standards.
On the other hand, IMDA has identified 3 key risks for the resilience and security of DCs:
To address these risks, IMDA urges DC operators to implement a business continuity management system (BCMS) to enhance their resilience against disruption. DC operators should refer to relevant international standards for specific BCMS measures to adopt.
DC operators should also prepare for the risk of cyber threats (e.g., supply chain attacks, malware attacks and ransomware) based on their own circumstances, and ensure adequate cybersecurity control measures are in place for their networks and systems. The DC Guidelines set out possible measures, including controls over third party service providers, activity logging and network segmentation.
CSPs and DC operators should review the Guidelines and implement measures to increase and maintain the resilience and security of their systems. They should also continue to monitor this space, in light of the upcoming DIA.
OrionW regularly advises clients on cybersecurity and data protection matters. For more information about compliance with Singapore data protection and cybersecurity laws and regulations, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.