Singapore

Singapore MAS updates technology risk management guidelines for AI in banking

The Monetary Authority of Singapore issued updated Technology Risk Management Guidelines with expanded provisions for AI and machine learning systems in banking, including requirements for model validation, data quality, and algorithmic fairness testing.

Infocomm Media Development Authority's assessment of X's compliance with detection and removal of child sexual exploitation material and terrorism content

On 31 March 2026, the Infocomm Media Development Authority (IMDA) issued a letter of caution to X following a 120% increase in child sexual exploitation and abuse material (CSEM) cases with a Singapore nexus, rising from 33 cases in 2024 to 73 in 2025. All 73 cases violated X's own policies and were only removed after IMDA flagged them directly, despite IMDA having shared its analysis of CSEM indicators with X in 2024. It was stated that X has been placed under enhanced supervision and is req...

Guidelines on Artificial Intelligence Risk Management

On 20 March 2026, the Monetary Authority of Singapore (MAS) published an Artificial Intelligence (AI) risk management toolkit for the financial services sector, developed collaboratively by a consortium of 24 banks, insurance companies, capital market firms, and other industry partners. The toolkit applies to financial institutions across the sector and covers traditional AI, generative AI, and emerging agentic AI technologies. It comprises two main resources, including an AI risk management ...

Cyber Trust Mark requirements in critical information infrastructure and cybersecurity industries

On 2 March 2026, the Cyber Security Agency (CSA) adopted a requirement for Critical Information Infrastructure Owners (CIIOs) and CII auditors to obtain the Cyber Trust Mark (CTM) Level 5 certification. The mandate aims to establish a consistent national baseline for cybersecurity standards across organisations managing sensitive data or critical systems. The CTM serves as a tiered certification framework that validates an organisation's cybersecurity measures according to its specific risk p...

Cybersecurity labelling scheme

On 2 March 2026, the Cyber Security Agency of Singapore (CSA) announced a revision of the mandatory cybersecurity requirements for residential routers under the Cybersecurity Labelling Scheme (CLS), raising the requirement from Level 1 to Level 2. The policy applies to manufacturers of residential routers sold in Singapore. Under the revised requirements, routers must implement additional security measures, including secure communications, secure storage of sensitive data, and stronger authen...

Model AI Governance Framework for Agentic AI (Version 1.0)

On 22 January 2026, the Ministry of Digital Development and Information (MDDI) released the Model AI Governance Framework for Agentic AI (Version 1.0). The Model AI Governance Framework for Agentic AI was developed by the Infocomm Media Development Authority (IMDA). The framework applies to organisations that develop or deploy agentic AI systems capable of multi-step planning, autonomous action-taking, adaptation to new information, and interaction with other agents and external systems. The ...

Infocomm Media Development Authority Code of Practice for Online Safety for App Distribution Services including age assurance measures

On 1 April 2026, the obligations under the code of practice for online safety for application (app) distribution services, including age assurance measures, enter into force. The code requires service providers to implement content guidelines and moderation measures covering six categories of harmful content, including sexual content, violent content, and cyberbullying, with pre-release app reviews and enforcement powers against non-compliant app providers. Providers must proactively detect a...

Singapore and United Kingdom's Memorandum of Understanding on mutual recognition of consumer Internet-of-Things cybersecurity regimes

On 1 January 2026, Singapore’s Cyber Security Agency (CSA) and the United Kingdom’s Department for Science, Innovation and Technology (DSIT)'s Memorandum of Understanding (MoU) on mutual recognition of consumer Internet-of-Things (IoT) cybersecurity regimes enters into force. The MoU applies to manufacturers of smart consumer devices, including home assistants, automation systems, and IoT hubs. It allows products certified under Singapore’s Cybersecurity Labelling Scheme for IoT (CLS(IoT)) to...

Addendum to guidelines and companion guide on securing Artificial Intelligence systems

On 31 December 2025, the Cyber Security Agency of Singapore (CSA) closes the public consultation on an addendum to its guidelines and companion guide on securing Artificial Intelligence (AI) systems. The addendum focuses on securing agentic AI systems that can plan, act, and make decisions independently. It provides voluntary, risk-based measures for system owners, AI practitioners, and cybersecurity professionals. The guidance covers controls including supply chain security, model and system...

Guidance on quantum-safe migration

On 31 December 2025, the Cyber Security Agency of Singapore (CSA), the Government Technology Agency of Singapore (GovTech), and the Infocomm Media Development Authority (IMDA) close the consultation on a draft guidance on quantum-safe migration. The guidance notes that future quantum computers could compromise current public-key cryptography and offers voluntary recommendations to support organisations in planning a phased transition to quantum-safe systems. It advises conducting risk assessm...

Quantum Readiness Index

On 31 December 2025, the Cyber Security Agency of Singapore, the Government Technology Agency of Singapore, and the Infocomm Media Development Authority close the consultation on the draft Quantum Readiness Index (QRI). The QRI is a voluntary self-assessment tool designed to help organisations evaluate their preparedness for future quantum computing risks. It targets technology strategists, including Chief Technology and Chief Information Officers, and assesses readiness across five domains: ...

Criminal Law (Miscellaneous Amendments) Bill 2025

On 25 November 2025, the President signed the Criminal Law (Miscellaneous Amendments) Act 2025. It expands the definition of “intimate image” under Section 377BE to include AI-generated material, criminalises the non-consensual production of images, and explicitly prohibits computer-generated child sexual abuse material. The Act also amends Section 292 to criminalise online platforms that distribute obscene content and introduces graduated penalties for offences involving materials depicting ...

Police Force's assessment of Apple's and Google's measures to prevent spoofing of government agencies

On 24 November 2025, the Singapore Police Force (SPF) issued implementation directives requiring Apple and Google to introduce measures to prevent the spoofing of government agencies on their messaging services by 30 November 2025. The companies must block or filter messages from accounts or group chats that impersonate "gov.sg” and ensure that unknown profile names are either not displayed or shown less prominently than messages from known contacts. Singapore government agencies have used th...

Ministry of Home Affairs investigation regarding published falsehoods by SDP on TikTok, Facebook and Instagram

On 11 April 2025, the Minister for Home Affairs and Law rejected an application by the Singapore Democratic Party (SDP) to amend the Correction Direction initially issued on 29 June 2024. The Correction Direction was a response to false statements disseminated by the SDP on its social media platforms, including Facebook, Instagram, and TikTok, regarding the legal proceedings against three women under the Public Order Act 2009. The Minister determined that there was no merit in the SDP's recen...

Tan Hai Peng Micheal and another

Lawyer used Unidentified in proceedings before the High Court. Fabricated: Case Law | Defendants' closing submissions cited a non-existent authority at paragraph 67; the court found the authority fictitious and disregarded it; counsel later admitted the authority was provided by a colleague and could not identify the AI tool used.

Tan Hai Peng Micheal and another

Fabricated: Case Law | Defendants' closing submissions cited a non-existent authority at paragraph 67; the court found the authority fictitious and disregarded it; counsel later admitted the authority was provided by a colleague and could not identify the AI tool used. || Fabricated: Case Law | Defendants' closing submissions cited a second non-existent authority at paragraph 68; the court found this authority fictitious as well and declined to repeat the citation; admissions were made that the references originated from the solicitor assisting and the specific AI tool was not identified.

Tan Hai Peng Micheal and another

Global AI Assurance Pilot Initiative

On 11 February 2025, the Ministry of Digital Development and Information announced the launch of the Global AI Assurance Pilot at the AI Action Summit in Paris, France. Led by the AI Verify Foundation and the Infocomm Media Development Authority (IMDA), this initiative aims to establish global best practices for technical testing of GenAI applications. It brings together AI assurance vendors and companies deploying real-world GenAI systems to develop technical testing standards and strengthen...

IMDA and Humane Intelligence inquiry into large language models' cultural bias stereotypes in non-English languages

On 11 February 2025, the Minister for Digital Development and Information published the AI Safety Red Teaming Challenge Evaluation Report 2025 at the Global AI Action Summit in France. The evaluation assessed the performance of Large Language Models (LLMs) across different languages and cultural contexts in the Asia Pacific region. Conducted by the Infocomm Media Development Authority (IMDA) and Humane Intelligence, the challenge involved over 50 participants from nine countries testing four ...

Cybersecurity (Amendment) Act

On 31 October 2025, sections 2 to 15, 18, 19, 22, 23(b), 24, 25, 28(a) to (g), 29, 31 and 32(1) to (4), (6) and (7) of the Cybersecurity (Amendment) Act 2024 entered into operation pursuant to the Cybersecurity (Amendment) Act 2024 (Commencement) Notification 2025. These amendments expand the scope of the Cybersecurity Act 2018 by extending jurisdiction to computers and computer systems located wholly outside Singapore where necessary for the continuous delivery of essential services, and upd...

Cybersecurity (Systems of Temporary Cybersecurity Concern) Regulations

On 31 October 2025, the Cybersecurity (Systems of Temporary Cybersecurity Concern) Regulations 2025 entered into force. The Regulations establish requirements for issuing notices to obtain information under section 17A(2)to determine whether a computer or computer system meets the criteria of a system of temporary cybersecurity concern. The Regulations set obligations for owners of such systems to provide detailed information under section 17D(1), including information on system design, confi...

Cybersecurity (Appeals) Regulations

On 31 October 2025, the Government implemented the Cybersecurity (Appeals) Regulations 2025, which sets out the appeals procedure under Section 35B(2) of the Cybersecurity Act 2018, whereby licensees providing licensable cybersecurity services can appeal decisions to make their licenses subject to certain conditions. The Regulations provide for the form of the notice of appeal, the possibility of summary dismissal where no valid ground exists or time limits are missed, and the process for rej...

Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations

On 31 October 2025, the Cybersecurity (Critical Information Infrastructure) (Amendment) Regulations 2025 entered into force. The Amendment revises definitions to cover owner-controlled interconnected and non-interconnected systems, supplier-controlled interconnected systems, and “relevant computer or computer system.” It also introduces rules specific to virtualisation locations. Incident-reporting duties are updated. Initial details must be provided “to the fullest extent practicable.” Suppl...

User identification requirement in Online Safety (Relief and Accountability) Bill (Bill No. 18/2025)

On 15 October 2025, the Online Safety (Relief and Accountability) Bill (Bill No. 18/2025) was introduced to Parliament. The Bill would authorise the Commissioner of Online Safety to require online service providers to collect and disclose identity information and contact details of users suspected of online harmful activity. These obligations would apply to providers not established in Singapore where their services are accessible to users located in Singapore. Criminal penalties could apply ...

Content moderation authority governance in Online Safety (Relief and Accountability) Bill (Bill No. 18/2025)

On 15 October 2025, the Online Safety (Relief and Accountability) Bill (Bill No. 18/2025) was introduced to Parliament. The Bill would establish the Commissioner of Online Safety with investigative, administrative and enforcement powers relating to online harmful activity affecting users in Singapore and would apply to online service providers irrespective of physical presence in Singapore. The Commissioner would be supported by appointed Deputy Commissioners, Assistant Commissioners and auth...

Ministry of Law Guide for Using Generative Artificial Intelligence in Legal Sector

On 30 September 2025, the Singapore Ministry of Law closes the consultation on the Guide for Using Generative Artificial Intelligence in the Legal Sector. The Guide sets out principles and provides practical guidance to support the responsible, ethical, and effective use of GenAI tools in Singapore’s legal sector. To protect the security of data entered into the AI system, the Guide recommends that when processing sensitive contract information using generative AI tools, legal offices conside...

Monetary Authority of Singapore and six financial institutions' inquiry into quantum-safe communications in financial sector

On 29 September 2025, the Monetary Authority of Singapore (MAS), together with Development Bank of Singapore, Hongkong and Shanghai Banking Corporation, Oversea-Chinese Banking Corporation, United Overseas Bank, Singapore Power Telecommunications and SpeQtral, published a technical report after completing a proof-of-concept sandbox on Quantum Key Distribution (QKD) for secure financial communications. The initiative applies to financial institutions involved in data transfer and communication...

Tajudin bin Gulam Rasul and another v Suriaya bte Haja Mohideen

Lawyer used Unidentified in proceedings before the High Court. Fabricated: Case Law | CC cited a non-existent, AI-generated case in the Claimants' Written Submissions (cited at para 49) to support a proposition under the Moneylenders Act; the case was absent from the bundle of authorities and the case name was fabricated while the citation number related to ... Outcome: Costs and order to inform client.

Tajudin bin Gulam Rasul and another v Suriaya bte Haja Mohideen

Fabricated: Case Law | CC cited a non-existent, AI-generated case in the Claimants' Written Submissions (cited at para 49) to support a proposition under the Moneylenders Act; the case was absent from the bundle of authorities and the case name was fabricated while the citation number related to an unrelated matter.

Tajudin bin Gulam Rasul and another v Suriaya bte Haja Mohideen

XAI v XAH and another matter

Pro Se Litigant used ChatGPT in proceedings before the Family Court. Outdated Advice: Repealed Law | Father makes reference to the provisions of the Women’s Charter that were in force prior to the 2nd of January 2025 Outcome: Order to pay costs; Required written declaration of generative AI use.

XAI v XAH and another matter

Outdated Advice: Repealed Law | Father makes reference to the provisions of the Women’s Charter that were in force prior to the 2nd of January 2025 || Fabricated: Case Law | Father cited 'AAU v AAT [2015] SGFC 114'; LawNet revealed the citation corresponds to TEI v TEJ [2015] SGFC 114 (a different matter). || Fabricated: Case Law | Father cited 'Chong Yoke Fong v Tan Siew Chin [2014] SGDC 285'; LawNet showed the neutral citation belongs to Public Prosecutor v Quek Keng Siang Billy [2014] SGDC 285. || Fabricated: Case Law | Father cited 'UVH v UVI [2019] SGFC 98'; LawNet showed the citation corresponds to VAO v VAP [2019] SGFC 98 (a different divorce matter). || Fabricated: Case Law | Father cited 'WRS v WRT [2018] SGFC 132'; LawNet search revealed there was no such case under that neutral citation/name. || Fabricated: Case Law | Father cited 'TBU v TBV [2016] SGFC 98'; LawNet showed the neutral citation corresponds to Re TQR [2016] SGFC 98 (different subject). || Fabricated: Case Law | Father cited 'VZO v VZP [2021] SGFC 11'; LawNet revealed the citation corresponds to VOX v VOY [2021] SGFC 11 (different matter). || Fabricated: Case Law | Father cited 'CAF v CAG [2010] SGDC 176'; LawNet showed the neutral citation corresponds to Public Prosecutor v Toh Soon Seng [2010] SGDC 176. || Fabricated: Case Law | Father cited 'XP v XQ [2005] SGDC 203'; LawNet showed the neutral citation corresponds to KV v KW [2005] SGDC 203 (different matter). || Fabricated: Case Law | Father included 'Huang v Lee [2018] SGFC' in submissions; LawNet search revealed no such case and the citation is not genuine. || Fabricated: Case Law | Father included 'Lee Siew Kuen v Foo [2020] SGFC' in submissions; LawNet search revealed no such case and citation is not genuine. || Fabricated: Case Law | Father cited 'Re SS 1234/2019' (an application number) which has no published judgment and is not the proper form of Family Court citation. || Fabricated: Case Law | Father included 'Lim Bee Eng v Teo [20

XAI v XAH and another matter

Cyber Security Agency of Singapore advisory on protection of systems and data from ransomware attacks

On 8 April 2025, the Cyber Security Agency of Singapore (CSA) issued an advisory released advisory on the protection of systems and data from ransomware attacks. The advisory highlights the escalating threat of ransomware attacks, which employ advanced tactics such as double and triple extortion, exploitation of vulnerabilities, and social engineering. The advisory emphasised the need for a multi-layered defence strategy, including regular patching, network segmentation, strong authentication...

Infocomm Media Development Authority's Privacy Enhancing Technologies Adoption Guide

On 7 July 2025, the Infocomm Media Development Authority (IMDA) adopted the Privacy Enhancing Technologies (PETs) Adoption Guide. The guide is intended as a resource to support the secure and effective deployment of PETs. Developed using insights from real-world deployments within the IMDA PET Sandbox, the guide provides a Use Case Evaluation Tool for selecting appropriate PETs based on industry and specific use case, and an implementation checklist outlining legal, technical, and operational...

Infocomm Media Development Authority and AI Verify Foundation launched Global AI Assurance Sandbox

On 7 July 2025, the Infocomm Media Development Authority (IMDA) and the AI Verify Foundation (AIVF) formally launched the Global Artificial Intelligence (AI) Assurance Sandbox as a continuation of the pilot initiative introduced in February 2025. The Sandbox serves as a global platform for builders or deployers of generative AI (GenAI) applications, not the underlying foundation models, to conduct technical testing in collaboration with specialist testers. The pilot phase paired 17 AI deployers

Cyber Security Agency of Singapore investigation into ransomware attack at Toppan Next Tech

On 7 April 2025, the Cyber Security Agency of Singapore (CSA) and the Monetary Authority of Singapore (MAS) confirmed awareness of a ransomware attack reported by Toppan Next Tech (TNT) to the Personal Data Protection Commission on 6 April 2025, which resulted in the extraction of customer data from DBS Bank and Bank of China Limited, Singapore branch, though no log-in credentials were compromised. CSA is assisting TNT with investigations and containment measures, while MAS is working with th...

Cybersecurity regulation in Health Information Bill (Bill No. 20/2025)

On 5 November 2025, the Government of Singapore introduced the Health Information Bill (Bill No. 20/2025) in Parliament, establishing the Health Information Act 2025 to regulate cybersecurity measures in systems processing health information. The Bill sets up a framework setting out the conditions under which healthcare providers would have to contribute health data to a national electronic records system. It would mandate data and cybersecurity requirements ensuring the confidentiality, inte...

Cyber Security Agency announced cyber essentials and cyber trust marks were expanded to include cloud security, AI and operational technology

On 15 April 2025, the Cyber Security Agency of Singapore (CSA) expanded Cyber Essentials and Cyber Trust certification marks. The updated certifications now include coverage of cloud security, artificial intelligence (AI) security, and operational technology (OT) security. The Cyber Essentials mark offers guidance on mitigating common cyber threats related to these technologies, with the aim of making cybersecurity requirements more accessible, particularly for small businesses. The Cyber Trust

Ministry of Digital Development and Information investigation into false statements over Arts Entertainment License application under the Protection from Online Falsehoods and Manipulation Act

On 4 September 2025, the Minister for Digital Development and Information instructed the Protection from Online Falsehoods and Manipulation Act (POFMA) Office to issue Targeted Correction Directions (TCDs) to Meta Platforms and X Corp. after non-compliance with a Correction Direction issued on 1 September 2025 concerning false statements published on 27 August 2025. The false statements alleged that the Infocomm Media Development Authority (IMDA) required multiple edits to submitted material,...