Singapore's Proposed Data Infrastructure Bill is a Preview of where Infrastructure Regulation in APAC may be heading
Takanori Nishiyama, Senior Vice President of APAC & Japan Country Manager, Keeper Security
A business leader with a proven track record of leading high growth businesses across multiple hardware, software and SaaS companies in different segments, Nishiyama San has strong expertise in market transformations, operational management across multiple functions and defining and executing product and GTM strategy.
The proposed Digital Infrastructure Bill marks a defining moment for cybersecurity governance in APAC, reinforcing the need for organisations to move beyond compliance checklists and adopt resilience-first security strategies that can withstand evolving AI-powered and quantum-era cyber threats.
Singapore’s proposed Digital Infrastructure Bill is a signal the region cannot afford to ignore. With potential fines of up to $1 million for cybersecurity and resilience failures, the bill is seeking to designate data centres and cloud providers as critical national infrastructure, alongside power grids, water systems and health care providers.
The bill arrives at a time when frontier AI is accelerating attacks against public infrastructure systems and advancements in quantum computing are compressing the window organisations have to prepare for harvest-now, decrypt-later attacks targeting long-lived data. Traditional perimeter defences were never designed for either.
Keeper Security’s 2026 research found 46% of APAC security leaders point to cloud security gaps, including misconfigurations and excessive permissions, as their biggest security weakness, 12 points above the global average. Just 38% reported privileged access management as fully deployed in their organisations. That gap between regulatory ambition and operational reality is where the next wave of incidents is likely to originate.
Compliance in the region is moving beyond a paperwork exercise. Organisations should start by mapping which systems and vendors actually engage with sensitive or long-lived data, enforce least-privilege access so a single compromised credential cannot move laterally across environments, and build continuous session visibility rather than relying on periodic audits. Data centres, like any critical infrastructure, must be built to contain compromise, not simply to prevent it.

Editor
