On 25 February 2025, Singapore’s Infocomm Media Development Authority (IMDA) published two Advisory Guidelines on the Resilience and Security of Data Centres (DC Guidelines) and Cloud Services (CS Guidelines) (collectively, the Advisory Guidelines). The Advisory Guidelines provide guidance and a set of best practices for data centre operators (DCOs) and cloud service providers (CSPs) to minimise service disruptions and mitigate risks pertaining to their operations. As these Advisory Guidelines are potentially a precursor to the forthcoming Digital Infrastructure Act (DIA), DCOs and CSPs are advised to implement the Advisory Guidelines’ best practices to stay ahead of future compliance requirements.
Summary of the DC Guidelines
The DC Guidelines identify key categories of risk relating to infrastructure, governance and cyber that may compromise the security and resiliency of data centres. Examples include:
Examples of Security and Resiliency Risks Facing Data Centres

Infrastructure risks
- Power disruptions caused by insufficient back-up power contingencies during planned maintenance work.
- Risks of loss of network connectivity.
- Risks of unauthorised access arising from insufficient access controls.
- Risks of water damage from lack of protection against flooding.

Governance risks
- Inadequate monitoring of power supply and environmental control systems.
- Weak incident management and service recovery processes.
- Weak change management processes.

Cyber risks
- Operating systems compromised by cyberattacks may result in unauthorised or unintended temperature changes.

To address these risks, and to bolster DCOs’ resilience and service continuity in the event of unforeseen disruptions, the DC Guidelines recommend that DCOs implement a business continuity management system (BCMS) which enacts a continuous process loop of “Plan”, “Do”, “Check”, and “Act”.

The DC Guidelines provide guidance on specific action items DCOs can undertake with respect to each stage of a BCMS:
Key Action Items for DCOs under Business Continuity Management System (BCMS)

(1) PLAN
Objective: Establish scope and policies of BCMS.
Action Items:
- Publish and implement business continuity policies (BCPs) outlining objectives and scope of BCMS.
- Identify critical business products and services (e.g., DC power supply, connectivity).
- Obtain support from senior management on BCPs.
- Update BCMS to reflect changes to DCO’s business, such as new products (e.g., Lithium-ion batteries), suppliers, or new business models.
- Allocate sufficient resources to BCMS.
- Ensure personnel involved in BCMS are knowledgeable about BCPs and their roles and responsibilities before, during and after any disruption.

(2) DO
Objective: Implement and operate BCP, including its controls, processes and procedures.
Action Items:
- Conduct business impact analysis to determine key business functions and potential impact of disruptions.
- Conduct risk assessment to identify potential threats, and evaluate severity of potential consequences and likelihood of identified threats.
- Implement a range of solutions, such as back-up power supply, lightning protection and fire suppression tools, to reduce likelihood of service disruptions.
- Draw up detailed recovery plan specifying actions to be taken during and after service disruption, with a view to restoring normal operations quickly.
- Train employees and suppliers on how to effectively respond during any service disruption.
- Conduct regular testing and exercises to identify gaps in Recovery Plan.

(3) CHECK
Objective: Monitor and review BCMS performance against its goals and objectives.
Action Items:
- Establish key performance indicators to measure effectiveness and performance of BCPs.
- Conduct internal audits and feedback sessions regularly to identify weak areas for improvement.
- Present results of BCMS assessment to senior management.

(4) ACT
Objective: Improve and update BCMS.
Action Items:
- Encourage a culture of continuous improvement.
- Review effectiveness of any improvements to BCMS.
- Ensure employees keep up-to-date with new threats that have the potential to cause service disruptions.

Summary of the CS Guidelines
Similarly, the CS Guidelines identify key security and resiliency risks facing CSPs and recommend that CSPs implement a set of measures (based on industry standards such as Multi-Tier Cloud Security, ISO 27001 and the Cloud Security Alliance’s Cloud Controls Matrix) to mitigate these risks:
Category | Recommended Measures

Cloud Governance
- Manage information security within the CSP’s overall administrative structure.
- Ensure all CSP employees and third parties are suited for, and understand, their roles and responsibilities.
- Establish and maintain cloud services-specific risk management program.
- Ensure effective control over third-party service providers.
- Ensure compliance with information and risk management policies, standards and procedures.
- Incorporate incident management controls so weaknesses affecting information assets and systems in the cloud environment are communicated in a timely manner.
- Ensure only authorised users have access to data stored in the cloud environment.

Cloud Infrastructure Security
- Log and monitor activities and events occurring in the cloud environment to detect any unauthorised activities and to facilitate investigations and the resolution of security incidents (e.g. access violations).
- Design and securely configure systems in the cloud infrastructure and its supporting networks to prevent unauthorised entry points or malicious activities via weak configurations.
- Conduct security testing and monitoring across the cloud infrastructure.
- Implement security controls for system acquisitions and developments.
- Deploy encryption and secure cryptographic key management.

Cloud Operations Management
- Implement security controls to ensure cloud service operations are documented, secure, reliable, resilient and recoverable.
- Apply change management controls to ensure changes to cloud services infrastructure are carried out in an authorised manner.

Cloud Service Administration
- Deploy administration controls to ensure that policies, standards, and procedures relating to the creation, maintenance and removal of privileged accounts for managing cloud services and supporting networks are enforced.

Cloud Service Customer Access
- Establish user access controls to ensure that there are policies and procedures governing the creation, maintenance and removal of user accounts to restrict user access and safeguard user credentials.

Tenancy and Customer Isolation
- Implement tenancy and customer isolation controls to restrict user access within the same physical resource, segregate network and systems environments, and avoid data loss and misuse.

Cloud Resilience
- Deploy physical and environmental security controls to avoid unauthorised physical access, damage or interference.
- Implement BCPs and disaster recovery mechanisms to ensure service resumption and avoid possible interruptions.

Key Takeaways and Recommendations
- DCOs and CSPs are encouraged to implement the measures recommended by the Advisory Guidelines. While voluntary, the Advisory Guidelines provide a set of best practices for DCOs and CSPs and establish a baseline that will likely form the foundation for mandatory requirements under the upcoming DIA.
- The publication of these Advisory Guidelines is timely. Recently, in 2024, Singapore announced plans to expand its data centre capacity following the relaxation of a moratorium on new data centre developments previously imposed in 2019. This expansion is part of a broader strategy to support the growth of the digital economy while ensuring sustainable practices.
- At the same time, these policy shifts, which aim to expand data centre capacity and attract further capital, have been accompanied by increased regulation. Regulatory scrutiny of the data centre and cloud services industries is increasing, and DCOs and CSPs should keep track of legislative and policy developments.
- In addition to the Advisory Guidelines, the amendments to Singapore's Cyber Security Act 2018 expand regulatory oversight to cover the cybersecurity of DCOs and CSPs, particularly those providing foundational digital infrastructure, requiring them to adhere to cybersecurity standards and report incidents to the Cyber Security Agency of Singapore. DCOs and CSPs must ensure compliance not only for their own systems but also for third-party infrastructure used by essential service providers. Non-compliance can result in significant civil penalties of up to 10% of the entity's annual turnover in Singapore, emphasising the importance of robust cybersecurity practices for DCOs and CSPs.
- The anticipated growth in the data centre and cloud services sectors, driven by the increasing demand for AI-centric applications, presents a significant opportunity for businesses. By adopting the Advisory Guidelines, DCOs and CSPs can position themselves as secure and resilient during a time when cyber attacks from threat actors are on the rise, and attract clients who value data protection and cybersecurity. Prominent stakeholders in the DC and CS sectors have already publicly endorsed the Advisory Guidelines, showcasing their commitment to industry-leading practices in security and resilience.
- DCO and CSP customers are advised to update their due diligence processes when selecting or renewing contracts with DCOs and CSPs to ensure alignment with these new guidelines and potential future regulatory requirements. Customers may consider imposing additional contractual obligations on contracting DCOs and CSPs who have not implemented the Advisory Guidelines.
We would like to thank Jainthan Jayaretnam for his assistance in preparing this article.