Written Answer to Unanswered Oral Question

Reliance on A Few Major Cloud Providers and Assessment of Security Risk to Singapore

Summary

This question, raised by Mr Yip Hon Weng, concerns the reliance of Singapore’s critical digital infrastructure on global cloud providers and the associated security risks. Minister for Digital Development and Information Mrs Josephine Teo explained that Critical Information Infrastructure must meet strict resilience standards under the Cybersecurity Act, including supplier diversity and redundancy. She highlighted that the forthcoming Digital Infrastructure Act will require major cloud providers to implement security testing, data governance, and disaster recovery plans. These measures will align with international standards and the February 2025 Advisory Guidelines to enhance the reliability of systemically important digital services. She also encouraged businesses to adopt contingency plans and diversify service providers to manage potential disruptions.

Transcript

50 Mr Yip Hon Weng asked the Minister for Digital Development and Information (a) what proportion of Singapore’s critical digital infrastructure relies on a few major global cloud providers and what is the assessed national security risk from this concentration; and (b) how will the proposed Digital Infrastructure Act mandate higher reliability, contingency planning and transparency standards for these providers to mitigate this risk.

Mrs Josephine Teo: Critical Information Infrastructure (CII) are computer systems necessary for the provision of essential services in sectors, such as government, telecommunications, and banking and finance. CIIs are required to meet stringent resilience requirements under the Cybersecurity Act and relevant sectoral regulations. For example, they must adopt technology and supplier diversity and cater redundancy for key system components. While CII operators may use the cloud for service delivery, they are required to put in place measures to mitigate the risk of over-dependence on cloud service providers.

CIIs must already conduct exercises and audits to identify potential vulnerabilities and ensure the robustness of these resilience measures. The forthcoming Digital Infrastructure Act will strengthen our regulatory levers for upholding the resilience of systemically important digital infrastructure, such as cloud services and data centres. It will introduce regulatory requirements for major cloud service providers to implement measures, such as security testing, user access controls, proper data governance and planning for disaster recovery. These requirements will reference existing international and industry standards and will be similar to the measures set out in the Advisory Guidelines for the Resilience and Security of Cloud Services, which was developed in consultation with industry stakeholders and released in February 2025.

Even with these efforts, disruptions can be minimised but not completely prevented. We therefore encourage businesses to plan and prepare for contingencies. This includes conducting risk assessments and putting in place appropriate measures, such as diversifying service providers and business continuity plans, to manage risks and reduce the impact should a disruption occur.