The Infocomm Media Development Authority (IMDA) has issued new Advisory Guidelines (AGs) intended to support the resilience and security of Cloud Services and Data Centres (DCs) in Singapore. The guidelines set out best practices for Cloud Service Providers (CSPs) and DC operators, aiming to reduce service disruptions and limit their potential impact on economic and social functions.

A wide range of digital services-including online banking, ride-hailing, e-commerce, and digital identity systems-depend on the continued availability of cloud infrastructure and data centre operations. Service interruptions may affect the delivery of these services.

The AGs encourage service providers to adopt measures that improve their ability to recover from outages and maintain operational continuity. The AGs recommend various practices to address risks associated with technical misconfigurations, physical incidents, and cybersecurity threats.

Key proposals include conducting risk and business impact assessments, establishing business continuity arrangements, and strengthening cybersecurity capabilities. For Cloud Services, the guidelines outline seven measures to reinforce security and resilience.

These cover security testing, access controls, data governance, and disaster recovery planning. Concerning Data Centres, the AGs provide a framework for business continuity management to minimise operational disruptions and maintain high service availability.

That involves the implementation of relevant policies, operational controls, and ongoing review processes. The development of the AGs forms part of wider national efforts led by the inter-agency task force on the Resilience and Security of Digital Infrastructure and Services.

These guidelines are intended to complement regulatory initiatives, including planned amendments to the Cybersecurity Act and the Digital Infrastructure Act (DIA) introduction, which will establish requirements for critical digital infrastructure providers such as major CSPs and DC operators. To inform the guidelines, the IMDA conducted consultations with a broad range of stakeholders, including CSPs, DC operators, and end user enterprises across sectors such as banking, healthcare, and digital platforms.

The AGs will be updated periodically to reflect technological developments, incident learnings, and further industry input. A coordinated approach is encouraged across the digital services ecosystem. Businesses that provide digital services are advised to assess operational risks and establish appropriate business continuity plans to support service reliability.

The AGs also refer to international standards, including IMDA's Multi-Tier Cloud Security Standard, the Cloud Security Alliance Cloud Controls Matrix, ISO 27001, and ISO 22301. Providers are encouraged to designate responsible personnel to oversee resilience and security efforts.

These guidelines form part of Singapore's broader strategy to strengthen its digital infrastructure. The government will continue to engage with sectoral regulators and stakeholders to promote resilience, cybersecurity awareness, and preparedness across industries and society.

As digital systems evolve, sustained attention to infrastructure resilience and security remains essential. The AGs are intended to support organisations in maintaining reliable services while aligning with recognised standards and best practices.