Data centers could be classed as critical infrastructure under new legislation in Singapore

Data centers could be classed as critical infrastructure according to a recently published consultation paper in which the Cyber Security Agency of Singapore (CSA) proposed amendments to Singapore’s 2018 cyber security act.

The original act defined critical infrastructure as computer systems necessary for the “continuous delivery of an essential service”, citing examples such as energy, water, healthcare, and transport. 

In the proposed amendments, foundational digital infrastructure, including data center facilities located within Singapore, could be added to the list. This would have the potential to impact big name cloud companies like Google and AWS. 

The changes would also see the CSA commissioner take on a bigger role, giving them the final say on which computer systems are designated as critical infrastructure. Data centers would also be required to comply with the CSA commissioners requests. 

A global push toward data regulation 

Singapore isn’t the only country moving towards a new classification of data as critical infrastructure. 

The UK recently announced its own proposal to class data centers as critical infrastructure, with the Department for Science, Innovation, and Technology (DSIT) arguing that existing data regulations don't go far enough.

Australia also expanded its definition of critical infrastructure in 2022, while Germany has been regulating data centers since 2016. 

“Since the Act was enacted, the cyber threat landscape and business environment have been continually changing” said the CSA.

“Singapore is now amongst one (sic) of the most digitally connected countries in the world,” it added.  “These developments have accelerated our connectivity, computing and data storage needs.  These bring about new considerations for cybersecurity.”

Stakeholders and members of the public can share their views on the proposed changes here, before the end of the consultation period on 15 January 2024.