Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore has long taken a proactive stance on digital safety, and the Singapore Online Safety Act 2026 represents the next major evolution of that framework. Building on the original 2022 amendments to the Broadcasting Act and the Online Criminal Harms Act (OCHA), the 2026 updates expand the obligations placed on online platforms, content providers, and even smaller intermediaries operating in or targeting Singapore users.
This guide breaks down what the Act covers, who it applies to, what businesses must do to comply, and how individuals can use its protections. Whether you run a marketing agency, manage a social platform, operate an e-commerce site, or simply want to understand your digital rights, this article will walk you through everything you need to know.
What Is the Singapore Online Safety Act 2026?
The Singapore Online Safety Act 2026 is a consolidated legislative framework that governs harmful online content, platform accountability, and user protections in Singapore. It expands on the Online Safety (Miscellaneous Amendments) Act 2022 and harmonizes overlapping provisions from the Broadcasting Act, the Online Criminal Harms Act, and the Protection from Online Falsehoods and Manipulation Act (POFMA).
The Act is administered primarily by the Infocomm Media Development Authority (IMDA), with enforcement support from the Singapore Police Force and the Ministry of Home Affairs for criminal-related provisions. Its overarching goals are to:
- Reduce the prevalence of egregious harmful content (such as child sexual exploitation material, terrorism content, and incitement to violence).
- Hold online service providers accountable for content moderation and user safety.
- Protect Singapore users — especially minors — from scams, cyberbullying, and harmful algorithmic exposure.
- Provide faster remedies for victims of online harms, including non-consensual intimate imagery and doxxing.
Key Changes Introduced in 2026
The 2026 updates focus on closing loopholes that emerged from the rise of generative AI, decentralized platforms, and cross-border messaging services. Below are the most significant changes.
1. Expanded Definition of "Online Communication Service"
The definition now explicitly includes generative AI platforms, encrypted messaging apps with public discovery features, decentralized social networks (e.g., federated platforms), and large URL-sharing tools where content is publicly accessible. This means even niche services with Singapore-based users can fall under the Act's scope.
2. New Designated Online Service (DOS) Tier
A new "High-Reach Designated Online Service" tier has been introduced for platforms with over 500,000 monthly active Singapore users. These services face heightened obligations, including independent safety audits, mandatory transparency reports, and a Singapore-based safety officer.
3. Scam and Phishing Content Provisions
For the first time, the Act explicitly addresses scam content, including phishing links, fake investment schemes, and impersonation accounts. Platforms must implement proactive detection systems and respond to IMDA takedown directions within 24 hours.
4. Child Online Safety Code
A binding Code of Practice for services likely to be accessed by children introduces age assurance requirements, default privacy settings for minor accounts, and restrictions on algorithmic content recommendations involving self-harm, eating disorders, or extreme content.
5. AI-Generated Content and Deepfakes
The Act criminalizes the non-consensual creation and distribution of intimate deepfakes and requires platforms to label AI-generated political content during election periods.
Who Does the Act Apply To?
The Act has broad extraterritorial reach. It applies to any online service that is accessible to Singapore users, regardless of where the provider is headquartered. The following table summarizes how obligations scale with service size and type.
| Service Type | Threshold | Key Obligations |
|---|---|---|
| General Online Service | Any service accessible in SG | Comply with takedown directions; remove illegal content |
| Designated Online Service (DOS) | Significant SG user base (typically 100k+) | Code of Practice compliance, transparency reports, user reporting tools |
| High-Reach DOS | 500,000+ monthly SG users | Independent audits, SG safety officer, proactive scam detection |
| Services Likely Accessed by Children | Any service with notable minor usage | Age assurance, default privacy, algorithmic safeguards |
Categories of Harmful Content Covered
The Act categorizes harmful content into priority tiers, each with different response timelines.
Tier 1: Egregious Content (Immediate Action Required)
- Child sexual exploitation material (CSAM)
- Terrorism content and incitement to violence
- Content endangering public health or security
- Non-consensual intimate imagery (including deepfakes)
Tier 2: Serious Harms (24–48 Hour Response)
- Scam and phishing content
- Cyberbullying targeting identifiable individuals
- Doxxing and harassment
- Content promoting self-harm or suicide
Tier 3: Regulated Content (Code of Practice)
- Misinformation during emergencies
- Age-inappropriate content accessible to minors
- Unlabeled synthetic political content during elections
Penalties for Non-Compliance
The 2026 Act significantly increases penalties to reflect the scale of modern platforms. Non-compliance can result in:
- Financial penalties: Up to S$1 million per breach, or 10% of annual Singapore-derived turnover for High-Reach DOS providers — whichever is higher.
- Access blocking orders: IMDA may direct internet service providers to block non-compliant services from being accessed in Singapore.
- Criminal liability: For senior officers who knowingly enable serious breaches, including imprisonment of up to 3 years.
- App store removal: Directions to Apple, Google, and other app distributors to delist non-compliant apps.
Compliance Checklist for Businesses
If your business operates an online service accessible to Singapore users, the following steps will help you align with the Act.
- Assess your scope: Determine whether you qualify as a General Service, DOS, or High-Reach DOS based on Singapore user metrics.
- Update your Terms of Service: Reflect prohibited content categories and user reporting mechanisms.
- Implement reporting tools: Provide clear, accessible ways for users to flag harmful content, with confirmation receipts.
- Establish content moderation workflows: Ensure 24-hour response capability for Tier 1 and Tier 2 content.
- Conduct risk assessments: Document risks related to scams, child safety, and harmful algorithms.
- Designate a safety contact: Required for DOS; a local safety officer is required for High-Reach DOS.
- Maintain transparency: Publish annual reports detailing moderation actions and user complaints.
- Audit links and outbound content: Use trusted link management tools that scan for malicious or phishing destinations.
For marketers and businesses that share links at scale — for example, on social media or in email campaigns — using a reputable URL shortener with built-in malware detection helps ensure you don't inadvertently distribute harmful destinations. Tools like Lunyb include link scanning, click analytics, and privacy-respecting redirects that make compliance reviews easier. You can also explore our 2026 buyer's guide to URL shorteners for comparison.
What the Act Means for Individual Users
Beyond business obligations, the Act strengthens rights for everyday Singaporeans. Users now have clearer pathways to seek redress when targeted by online harms.
Faster Takedown for Victims
Victims of doxxing, harassment, or non-consensual intimate imagery can file a complaint with IMDA, which can issue a binding takedown direction to the platform — typically requiring removal within 24 hours.
Stronger Protections for Minors
Children's accounts on covered services must default to private settings. Direct messaging from unknown adults is restricted, and algorithmic recommendations cannot push harmful self-harm or extreme content to minor accounts.
Scam Reporting
Users can report scam content directly through new in-platform mechanisms, and IMDA maintains a coordinated reporting channel with the Anti-Scam Centre.
How the Act Compares to Other Regional Frameworks
Singapore's approach blends elements from several international frameworks. Here's how it compares:
| Framework | Region | Focus | Max Penalty |
|---|---|---|---|
| Online Safety Act 2026 | Singapore | Harmful content, scams, child safety | 10% of SG turnover |
| Digital Services Act (DSA) | EU | Systemic risks, transparency | 6% of global turnover |
| Online Safety Act 2023 | UK | Illegal content, child safety | 10% of global turnover |
| Online Safety Amendment Act | Australia | Cyberbullying, image abuse | A$782,500 per breach |
Practical Tips for Singapore Businesses
Whether you're a startup founder, marketing manager, or compliance officer, here are pragmatic steps to take in 2026:
- Run a content audit: Identify user-generated content surfaces in your product and assess moderation maturity.
- Train your support team: Frontline staff should know how to escalate Tier 1 reports within minutes, not hours.
- Vet third-party tools: Any tool you use to publish, shorten, or distribute links should have abuse-prevention features. Read independent reviews — for instance, our honest review of Lunyb or our Rebrandly 2026 review.
- Document everything: Maintain logs of moderation decisions, user complaints, and risk assessments for at least 24 months.
- Engage legal counsel early: Especially for cross-border services, scope assessment is best done with Singapore-qualified legal advice.
Timeline and Enforcement Phases
The Act is being rolled out in phases throughout 2026 to give businesses time to adapt:
- Q1 2026: Codes of Practice for High-Reach DOS take effect.
- Q2 2026: Scam content provisions and 24-hour response requirements begin.
- Q3 2026: Child Online Safety Code becomes enforceable.
- Q4 2026: Full enforcement of penalties, including turnover-based fines.
Frequently Asked Questions
Does the Singapore Online Safety Act 2026 apply to overseas businesses?
Yes. The Act has extraterritorial reach and applies to any online service accessible to Singapore users, regardless of where the provider is incorporated. Overseas businesses with significant Singapore user bases may be designated as DOS or High-Reach DOS and face the same obligations as local providers.
What is the difference between OCHA and the Online Safety Act?
The Online Criminal Harms Act (OCHA) focuses on criminal content like scams and offences against persons, allowing the Police to issue directions. The Online Safety Act focuses more broadly on harmful (not necessarily criminal) content, platform-level obligations, and user safety codes, administered primarily by IMDA. The 2026 framework harmonizes them so businesses can navigate compliance more efficiently.
How do I report harmful content under the Act?
You can report directly through the platform's in-app reporting tool, which is now mandatory for covered services. For serious cases — such as non-consensual intimate imagery or doxxing — you can also file a complaint with IMDA via their online portal, which can issue binding takedown orders.
Are small businesses and individual creators affected?
Small businesses and creators are generally not classified as DOS, but they must still avoid hosting or distributing illegal content. If you run a blog, newsletter, or shared community space, ensure you have basic moderation policies and respond promptly to user complaints. You're unlikely to face turnover-based fines, but you can still be required to remove illegal content.
How does the Act handle encrypted messaging services?
The Act applies to encrypted services that have public discovery or broadcast features (such as public channels). Private one-to-one encrypted messages are generally outside scope, preserving end-to-end encryption. However, providers must still act on reports of harmful content shared in public-facing channels.
Final Thoughts
The Singapore Online Safety Act 2026 reflects a global trend toward holding online platforms accountable while preserving user freedoms and innovation. For businesses, the message is clear: build safety into your product design from the start, document your processes, and use trustworthy tools for content distribution. For users, the Act provides faster, more meaningful remedies when things go wrong online.
Compliance isn't a one-time project — it's an ongoing commitment. Start with a scoping assessment, build your moderation workflows, and revisit your tooling regularly. The earlier you embed online safety into your operations, the smoother your 2026 will be.