Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore has steadily built one of the most comprehensive digital safety frameworks in Asia, and the Online Safety Act (OSA) sits at the heart of that effort. As we move through 2026, the Act and its supporting Codes of Practice now affect a wider range of platforms, businesses, and individual users than ever before. Whether you operate a social media service, run a small e-commerce site, or simply share links online, understanding the Singapore Online Safety Act 2026 is essential.
This complete guide explains what the Online Safety Act covers, who must comply, what changed for 2026, and the practical steps you can take to align your operations with Singapore's online safety regime.
What Is the Singapore Online Safety Act?
The Singapore Online Safety Act is a law passed as an amendment to the Broadcasting Act that empowers the Infocomm Media Development Authority (IMDA) to regulate harmful online content accessible to users in Singapore. It targets online communication services — primarily social media platforms — and gives regulators tools to issue directions, block content, and require systemic safety measures.
The Act was first introduced in 2022 and came into force in 2023. Since then, it has been reinforced by the Code of Practice for Online Safety, sector-specific guidelines, and, in 2024–2025, the Online Criminal Harms Act (OCHA), which works in tandem with the OSA. The 2026 update consolidates lessons learned over three years of enforcement and broadens obligations to mid-sized services.
Core Objectives
- Reduce Singapore users' exposure to harmful online content, especially minors.
- Require platforms to put proactive safety systems in place.
- Give IMDA fast-acting powers to direct content removal or access blocking.
- Increase platform accountability through transparency reporting.
What Changed in 2026
The 2026 iteration of Singapore's online safety regime expands the original Act in several meaningful ways. While the foundational law remains intact, new subsidiary regulations and enforcement priorities reshape day-to-day compliance.
Key Updates for 2026
- Expanded designation criteria: More online communication services now qualify as "regulated" once they reach a lower monthly Singapore user threshold.
- Generative AI content: Synthetic media, deepfakes, and AI-generated child sexual abuse material are explicitly named as priority harms.
- Stricter timelines: Removal directions for egregious content must now generally be actioned within hours, not days.
- Sector codes: New codes apply to app stores, messaging services, and certain online marketplaces.
- Cross-border coordination: Closer cooperation with regulators in the EU, UK, and Australia, aligning Singapore with global trust-and-safety norms.
Categories of Harmful Content
The Act focuses on what it terms "egregious content" — material so harmful that platforms are expected to actively prevent Singapore users from encountering it. Understanding these categories is the first step toward compliance.
Egregious Content Categories
- Content advocating suicide or self-harm.
- Content depicting child sexual exploitation (including AI-generated material).
- Content endangering public health.
- Content advocating terrorism.
- Content inciting racial or religious disharmony.
- Content depicting extreme violence or cruelty.
- Content facilitating organized crime, including scam-related material.
Who Must Comply?
Compliance obligations under the Online Safety Act vary depending on the type and size of the service. The table below summarizes the main categories under the 2026 framework.
| Entity Type | Examples | Primary Obligations |
|---|---|---|
| Designated Social Media Services | Large global platforms with significant SG reach | Full Code of Practice compliance, annual reporting, child safety standards |
| Regulated Online Communication Services | Mid-sized social platforms, forums, messaging apps | Removal directions, content moderation systems, user reporting tools |
| App Distribution Services | App stores accessible in Singapore | Age assurance, app review for safety, takedown cooperation |
| Internet Access Service Providers | Local ISPs | Access blocking directions from IMDA |
| End Users / SMEs | Businesses, content creators, link sharers | Avoid creating, hosting, or amplifying egregious content |
Obligations Under the Code of Practice
The Code of Practice for Online Safety is the operational rulebook that designated services must follow. The 2026 refresh introduces stronger requirements around minors, algorithmic recommendations, and scam content.
1. User Safety Measures
- Easy-to-use, in-product reporting mechanisms.
- Clear community standards published in English and where possible other official languages.
- Tools to mute, block, and filter unwanted content or contacts.
2. Child Safety Measures
- Age assurance mechanisms (not necessarily strict verification, but reasonable estimation).
- Stricter default privacy settings for accounts likely belonging to minors.
- Restrictions on targeted advertising to minors.
- Proactive detection of grooming and child exploitation material.
3. Transparency and Reporting
Designated services must publish annual online safety reports describing the prevalence of harmful content, action taken, and effectiveness of safety systems. Reports are submitted to IMDA and made publicly accessible.
Powers of IMDA Under the Act
IMDA is the lead regulator and has been granted significant enforcement powers under the Online Safety Act, expanded further in 2026.
Direction Types
- Disabling Direction: Requires a service to disable Singapore user access to specific content.
- Stop Communication Direction: Orders a service to stop a specific account from communicating with Singapore users.
- Access Blocking Direction: Issued to ISPs to block an entire service that refuses to comply.
- Account Restriction Direction (new in 2026): Targets repeat offenders by limiting account features rather than full removal.
Penalties and Enforcement
Penalties under the OSA are substantial and designed to be material even for global platforms. The 2026 amendments increased maximum fines and clarified individual director liability for repeated non-compliance.
| Violation | Maximum Penalty (2026) |
|---|---|
| Non-compliance with a direction by a designated service | Up to SGD 1 million, plus SGD 100,000 per day continuing |
| Non-compliance by an ISP | Up to SGD 20,000 per day, capped at SGD 500,000 |
| Failure to file safety report | Up to SGD 200,000 |
| Repeat or willful non-compliance | Service blocking + potential director liability |
How the OSA Interacts With Other Laws
The Online Safety Act does not operate in isolation. Several Singapore laws overlap with or complement it, and understanding the interplay is essential for compliance teams.
Related Laws
- Online Criminal Harms Act (OCHA): Targets criminal content like scams and malicious cyber activities, working in parallel with the OSA.
- Protection from Online Falsehoods and Manipulation Act (POFMA): Addresses misinformation rather than safety harms.
- Personal Data Protection Act (PDPA): Governs personal data handling — relevant whenever safety measures involve user data.
- Broadcasting Act: The OSA is technically a set of amendments to this Act.
- Cybersecurity Act: Applies to critical information infrastructure operators with overlapping incident reporting duties.
Practical Compliance Steps for Businesses
Even if your business is not a "designated" service, the Online Safety Act increasingly influences how Singapore-facing platforms operate. A practical, risk-based approach is the most efficient route to compliance.
Compliance Checklist
- Map your service: Determine if your platform falls within "online communication service" definitions and estimate Singapore user reach.
- Update community standards: Ensure your policies cover all egregious content categories explicitly.
- Build reporting tools: Make user reporting visible, fast, and multilingual.
- Document moderation processes: Maintain auditable logs of decisions, especially for content involving minors.
- Establish a regulatory contact: Nominate a Singapore-based or regional point of contact for IMDA notices.
- Train staff: Trust-and-safety, legal, and engineering teams should understand direction response timelines.
- Conduct annual risk assessments: Document harms specific to your service and mitigation effectiveness.
What the Act Means for Everyday Users
The Online Safety Act is largely directed at platforms, but everyday users in Singapore benefit from — and play a role in — its enforcement. Users gain stronger reporting tools, faster takedowns of egregious content, and clearer recourse when harm occurs online.
At the same time, users sharing links, running small communities, or operating creator pages should be mindful of what they amplify. Sharing scam links, manipulated media, or content that targets minors can attract action even if the original poster is offshore. Tools that emphasize trust and traceability — including reputable link management platforms like Lunyb, which offers branded short links with built-in safety checks — help creators and small businesses share content responsibly. You can read more in our honest review of Lunyb or compare it with alternatives in our 2026 URL shorteners buyer's guide.
Online Safety Act vs. Regional Equivalents
Singapore's OSA is often compared with the UK's Online Safety Act and the EU's Digital Services Act. The table below highlights the differences as of 2026.
| Feature | Singapore OSA | UK Online Safety Act | EU Digital Services Act |
|---|---|---|---|
| Primary Regulator | IMDA | Ofcom | European Commission + national DSCs |
| Scope | Online communication services | User-to-user and search services | Intermediary, hosting, online platforms |
| Risk Assessment | Limited, sector-based | Mandatory, detailed | Mandatory for VLOPs/VLOSEs |
| Max Fine | SGD 1M + daily penalties | £18M or 10% global turnover | 6% global turnover |
| Focus | Egregious content, minors | Illegal + legal but harmful | Systemic risks, transparency |
Pros and Cons of the 2026 Framework
Pros
- Clear, well-defined categories of egregious content.
- Strong child safety provisions aligned with international norms.
- Tiered obligations that scale with platform size.
- Fast-acting direction powers reduce real-world harm.
- Improved coordination with anti-scam frameworks under OCHA.
Cons
- Mid-sized platforms face significant new compliance overhead.
- Age assurance requirements remain technically challenging.
- Potential for over-removal as platforms err on the side of caution.
- Cross-border enforcement against non-cooperating services still relies on access blocking.
Frequently Asked Questions
Does the Singapore Online Safety Act apply to overseas platforms?
Yes. The Act applies to any online communication service accessible to users in Singapore, regardless of where the operator is based. Overseas platforms that ignore directions can be blocked by Singapore ISPs.
What is considered a "designated" online communication service?
IMDA designates services based on factors like the number of monthly Singapore users and the level of risk the service poses. Designated services face the strictest obligations under the Code of Practice, including transparency reports and enhanced child safety duties.
Can individual users be fined under the Online Safety Act?
The OSA itself focuses on platforms, not individual posters. However, users who create or distribute egregious content may face liability under related laws such as the Penal Code, the Online Criminal Harms Act, or specific anti-scam legislation.
How quickly must platforms act on IMDA directions?
Timelines depend on the direction type and content severity. For egregious content involving child safety or terrorism, action is typically expected within hours. Other directions usually specify a compliance window of 24 hours or less.
How does the OSA affect small businesses and creators?
Small businesses are unlikely to be designated services but should still ensure their websites, communities, and shared links do not host or amplify egregious content. Using reputable tools for content sharing, maintaining clear moderation policies, and responding promptly to user reports are practical safeguards.
Conclusion
The Singapore Online Safety Act 2026 represents a maturing of the country's digital safety regime. With broader coverage, stronger penalties, and clearer expectations for platforms of all sizes, the Act pushes the online ecosystem toward greater accountability — particularly when it comes to protecting minors and combating scams. For businesses, the message is straightforward: build safety into your product, document your processes, and be ready to respond quickly to IMDA. For users, the framework offers stronger protections and clearer avenues for reporting harm, while encouraging everyone to share content responsibly.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
ICO Fines 2026: Biggest Data Protection Penalties in the UK
From a £12.4 million retail ransomware penalty to ad-tech and dark-pattern fines, 2026 has been a record year for ICO enforcement. We break down the biggest UK data protection penalties, the trends behind them, and what your business must do to avoid joining the list.
Singapore PDPA: Your Personal Data Protection Rights Explained
Singapore's PDPA gives individuals enforceable rights over their personal data, from access and correction to breach notification. This guide explains your rights, organisational obligations, and how to take action when your data is mishandled.
UK Data Protection Act vs GDPR Explained: Key Differences in 2026
The UK Data Protection Act 2018 and the EU GDPR share the same DNA but are starting to diverge. This guide explains the key differences in scope, enforcement, fines, and compliance for UK businesses in 2026.
OAIC Complaints: How to Report a Privacy Breach in Australia
Australians have strong rights when their personal information is mishandled. This guide walks through how to lodge an OAIC complaint, what evidence to gather, realistic timelines, and the outcomes — including compensation — you can pursue under the Privacy Act 1988.