MDDI's response to PQ on Reliance on a few Major Cloud Providers and Assessment of Security Risk to Singapore

Parliament Sitting on 4 Novmber 2025

Question for written answer

*50. Mr Yip Hon Weng asked the Minister for Digital Development and Information (a) what proportion of Singapore's critical digital infrastructure relies on a few major global cloud providers and what is the assessed national security risk from this concentration; and (b) how will the proposed Digital Infrastructure Act mandate higher reliability, contingency planning, and transparency standards for these providers to mitigate this risk.

Answer

Critical Information Infrastructure (CII) are computer systems necessary for the provision of essential services in sectors such as government, telecommunications, and banking and finance. CIIs are required to meet stringent resilience requirements under the Cybersecurity Act and relevant sectoral regulations. For example, they must adopt technology and supplier diversity, and cater redundancy for key system components. While CII operators may use the cloud for service delivery, they are required to put in place measures to mitigate the risk of over-dependence on cloud service providers.

CIIs must already conduct exercises and audits to identify potential vulnerabilities and ensure the robustness of these resilience measures. The forthcoming Digital Infrastructure Act (DIA) will strengthen our regulatory levers for upholding the resilience of systemically important digital infrastructure such as cloud services and data centres. It will introduce regulatory requirements for major cloud service providers to implement measures such as security testing, user access controls, proper data governance, and planning for disaster recovery. These requirements will reference existing international and industry standards, and will be similar to the measures set out in the Advisory Guidelines for the Resilience and Security of Cloud Services which was developed in consultation with industry stakeholders and released in February 2025.

Even with these efforts, disruptions can be minimised but not completely prevented. We therefore encourage businesses to plan and prepare for contingencies. This includes conducting risk assessments and putting in place appropriate measures, such as diversifying service providers and business continuity plans, to manage risks and reduce the impact should a disruption occur.

*Converted to written answer