Voluntary best practices
While not mandatory, the Advisory Guidelines on Resilience and Security of Data Centres (DCOAG) and Advisory Guidelines on Resilience and Security of Cloud Services (CSPAG) are strongly encouraged for adoption by data center operators (DCO) and cloud service providers (CSP) respectively.
The Advisory Guidelines recommend concrete measures to prevent, mitigate and recover from disruptions such as cyberattacks, hardware failures, fires and misconfigurations. These are aligned with global standards (e.g., ISO 22301 and ISO 27001) and draw on lessons from past incidents and industry consultations.
Cloud services
The CSPAG seek to strengthen the following key domains:
- Cloud governance, such as sound information security, data governance and risk management
- Infrastructure security, such as secure configurations, monitoring, encryption, and regular security testing
- Operations management, such as robust change and incident management practices
- Service administration, which includes control of privileged account access
- Customer access, which addresses user authentication and access controls
- Tenancy isolation, which ensures effective segregation between customers in shared environments
- Cloud resilience, which includes physical and environmental protections, disaster recovery, and business continuity planning
To these ends, the CSPAG set out detailed recommendations that CSPs are encouraged to adopt to strengthen their resilience and security postures, some of which are summarized below:
- Strengthen governance and accountability structures. CSPs should embed information security into their broader governance framework, with defined responsibilities, formalized policies and oversight mechanisms.
- Implement rigorous human resource and third-party controls. Before and during engagement, CSPs are expected to vet personnel and contractors, ensure appropriate training, and enforce disciplinary measures for breaches.
- Adopt comprehensive risk management processes. CSPs should maintain a cloud-specific risk framework that addresses identification, assessment and mitigation.
- Secure infrastructure through technical controls and monitoring. Detailed measures are recommended to manage configurations, logging, system development and vulnerability testing.
- Manage change and operations with discipline. Changes to cloud infrastructure should follow a formal process, including impact assessments, rollback plans, and separation of development and production environments.
- Control privileged access and user management. CSPs should manage both administrative and user access through layered security, such as password policies, session management, least privilege access and strong authentication methods.
- Ensure strong customer and tenant isolation. Multitenant environments should be architected to prevent unauthorized access between customers.
- Prepare for disruptions with robust continuity plans. CSPs are advised to establish and test their business continuity and disaster recovery plans, including simulations of failover scenarios.
- Appoint a senior-level officer to lead implementation.
Data centers
The DCOAG identify key risk categories that DCOs need to address:
- Infrastructure risk: This relates to physical and engineering issues in the design or setup of the data center that could lead to service disruptions, for example, power issues, cooling failures, cable damage, fire and intrusion risks, and water ingress.
- Governance risk: This relates to operational oversight gaps, including monitoring lapses, slow incident responses and uncontrolled change management.
- Cybersecurity risk: This encompasses threats to digital systems and network infrastructure, such as malware or ransomware attacks, supply chain vulnerabilities, and exploitation of outdated systems.
To address these risks, the DCOAG encourages DCOs to implement a business continuity management system (BCMS) built around a four-stage cycle (Plan, Do, Check, Act):
- Plan: define continuity objectives and ensure top-level support.
- Do: conduct impact and risk assessments, prepare recovery strategies and test readiness.
- Check: monitor BCMS performance and conduct regular audits.
- Act: update systems based on reviews, feedback and evolving threats.
Beyond the BCMS implementation, the DCOAG set out several additional technical and governance measures that DCOs are encouraged to adopt to bolster cyber resilience, including the following:
- Maintaining a certified information security framework
- Ensuring strong oversight of third-party providers
- Enforcing personnel checks and training
- Implementing secure system configurations
- Conducting vulnerability testing and penetration assessments
- Implementing end-to-end encryption and lifecycle key management
- Implementing role-based access control
- Implementing network segmentation and intrusion detection
To anchor accountability and ensure organization-wide alignment, DCOs are encouraged to appoint a senior officer responsible for driving implementation of resilience and security measures.
Consultation
The Advisory Guidelines were shaped through consultation with major CSPs, DCOs and end-user enterprises across the banking, healthcare and tech sectors. Industry players have expressed strong support, citing the Advisory Guidelines as a critical step toward maintaining Singapore's leadership in digital reliability and innovation.
Key takeaways
These Advisory Guidelines complement other regulatory efforts, including the Cybersecurity Act amendments in 2024 that expanded coverage to digital infrastructure. The Advisory Guidelines may also serve as a precursor to future legislation, perhaps in the forthcoming Digital Infrastructure Act, which will formally regulate systemically important digital infrastructure such as major CSPs and DCOs to address emerging threats in a rapidly digitalizing economy. Organizations that rely on cloud and data center services, particularly those in regulated or customer-facing sectors, should review their service providers' alignment with the Advisory Guidelines. Service providers should consider adopting the Advisory Guidelines not only to mitigate risk but also to strengthen their operational reputation and market position. Please contact our team for further information.
* * * * *

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.