Singapore Online Safety Act 2026: Complete Guide for Businesses & Users
Singapore has steadily built one of the most comprehensive online safety frameworks in Asia, and the 2026 evolution of the Online Safety Act marks a significant tightening of obligations for digital platforms, content hosts, and even smaller online services serving Singapore users. Whether you operate a social platform, run a marketing campaign targeting Singaporeans, or simply want to understand your rights as a user, this guide breaks down everything you need to know about the Singapore Online Safety Act 2026.
What Is the Singapore Online Safety Act 2026?
The Singapore Online Safety Act 2026 is the updated legislative framework that governs how online communication services, content-sharing platforms, and certain digital intermediaries must prevent, detect, and remove harmful online content accessible to users in Singapore. It builds on the original Online Safety (Miscellaneous Amendments) Act 2022 and the Code of Practice for Online Safety administered by the Infocomm Media Development Authority (IMDA).
The 2026 update expands the scope beyond designated social media services to include a wider range of platforms — messaging services, app stores, generative AI platforms, and online marketplaces — and introduces tougher penalties, faster takedown timelines, and clearer duties of care toward minors.
Why the 2026 Update Matters
Three drivers shaped the 2026 amendments:
- Generative AI harms: Deepfakes, synthetic CSAM, and AI-generated scam content have surged in Singapore.
- Scam economy: Singapore lost more than S$1.1 billion to scams in 2024, prompting calls for stricter intermediary liability.
- Youth mental health: Pressure from parents and educators to enforce age-appropriate design.
Who Does the Act Apply To?
The Act applies extraterritorially. If your service is accessible to end-users in Singapore — regardless of where your company is headquartered — you may fall within scope. The 2026 amendments classify regulated entities into tiers based on user reach, content risk, and service type.
Categories of Regulated Services
- Designated Online Communication Services (DOCS): Large social media and content-sharing platforms with significant Singapore reach (typically 100,000+ monthly users).
- App Distribution Services: Major app stores must verify age, label risky apps, and police scam apps.
- Generative AI Services: Providers of public-facing generative models must implement provenance tools, watermarking, and abuse mitigations.
- Electronic Service Providers: Messaging, email, and communication platforms now have specific scam-related duties.
- Online Marketplaces: E-commerce intermediaries must verify sellers and remove fraudulent listings.
Key Obligations Under the 2026 Act
Regulated services must adopt systemic safeguards, not merely react to complaints. The core obligations fall into five categories.
1. Content Moderation and Takedown
Platforms must remove specified categories of "egregious content" within strict timelines once notified by the IMDA or a credible reporter:
- Child sexual exploitation material — immediate removal (within hours).
- Terrorism and violent extremism — within 24 hours.
- Content inciting racial or religious disharmony — within 24 hours.
- Cyberbullying and intimate image abuse targeting Singapore users — within 48 hours.
- Scam content and impersonation of Singapore institutions — within 24 hours.
2. Duty of Care to Minors
Services likely accessed by users under 18 must implement age-appropriate design, including:
- Default private accounts for minors.
- Restricted direct messaging from unknown adults.
- Limits on algorithmic recommendation of harmful content.
- Transparent reporting tools accessible to younger users.
3. Scam Prevention Duties
One of the most distinctive features of the 2026 update is its explicit anti-scam obligations. Platforms must:
- Maintain a verified-identity framework for advertisers in regulated sectors (finance, crypto, investments).
- Deploy automated detection for impersonation of Singapore government agencies, banks, and major brands.
- Cooperate with the Anti-Scam Command for rapid takedown.
- Provide transparent in-app warnings on suspicious links and accounts.
4. Algorithmic Transparency
Larger platforms must publish annual transparency reports covering moderation actions, complaint volumes, response times, and how recommender systems handle sensitive content categories.
5. Local Point of Contact
Every regulated foreign service must appoint a Singapore-based representative authorised to receive IMDA directions and respond within statutory timelines.
Penalties and Enforcement
The IMDA has expanded enforcement powers under the 2026 Act, including the ability to issue directions, financial penalties, access blocking orders, and — in extreme cases — refer matters for criminal prosecution.
| Violation Type | Maximum Penalty (2026) | Additional Consequences |
|---|---|---|
| Failure to comply with takedown direction | S$1 million per offence | Daily fines for continuing breach |
| Systemic moderation failures | Up to 10% of annual Singapore turnover | Public censure, audit obligations |
| Failure to protect minors | S$1 million + officer liability | Mandatory remediation plan |
| Refusal to appoint local rep | S$500,000 | Access blocking by ISPs |
| Scam-related non-compliance | S$1 million per direction | Anti-Scam Command involvement |
Impact on Different Stakeholders
For Platforms and Tech Companies
Compliance costs will rise. Even mid-sized platforms with Singapore audiences will need dedicated trust & safety workflows, localised reporting channels, and legal counsel familiar with Singapore's regulatory ecosystem (which also includes the PDPA, Cybersecurity Act, and Protection from Online Falsehoods and Manipulation Act).
For Marketers and Brand Owners
Marketers using social platforms, paid ads, or short links to reach Singapore audiences must ensure their campaigns don't accidentally trigger scam-prevention filters. Using a reputable link infrastructure — such as Lunyb for branded, trackable short URLs — helps maintain trust signals and provides audit trails should a campaign be flagged. For a wider comparison of options, see our 2026 buyer's guide to URL shorteners.
For Individual Users
Singapore users gain stronger reporting rights, clearer appeal mechanisms, and faster removal of harmful content targeting them. Parents gain new tools to control minors' exposure on regulated platforms.
For SMEs and Content Creators
Smaller services aren't entirely off the hook. The Act introduces a baseline duty for any service operator to remove illegal content when notified, even if they fall below the DOCS threshold.
Compliance Roadmap: A 7-Step Plan
If your organisation is in scope (or wants to be ready), here is a practical compliance roadmap:
- Scoping assessment: Determine whether you meet user-reach thresholds or fall into a specific category (AI, marketplace, app store).
- Gap analysis: Map current trust & safety practices against the Code of Practice for Online Safety.
- Appoint a Singapore representative: Required for foreign-headquartered services.
- Update terms and community guidelines: Reflect Singapore-specific prohibitions and reporting rights.
- Build a localised reporting tool: Accessible in English, Mandarin, Malay, and Tamil where reasonable.
- Implement age-assurance and minor-safety defaults: Particularly for services with under-18 users.
- Prepare transparency reporting: Establish data collection now so the first annual report is credible.
How the Act Interacts With Other Singapore Laws
The Online Safety Act 2026 doesn't exist in isolation. It overlaps and interacts with several other key statutes.
| Law | Primary Focus | Interaction with OSA 2026 |
|---|---|---|
| PDPA | Personal data protection | Moderation tools must respect data minimisation |
| POFMA | Online falsehoods | OSA covers safety harms; POFMA covers misinformation |
| Cybersecurity Act | Critical infrastructure | Overlaps on incident reporting for large platforms |
| Broadcasting Act | Content licensing | OSA largely supersedes for online content |
| Online Criminal Harms Act | Scams, malicious cyber activity | Works alongside OSA on scam takedowns |
Privacy and Security Considerations for Users
The Act increases platform accountability, but personal digital hygiene still matters. Singaporean users should:
- Use encrypted DNS resolvers to reduce exposure to malicious domains.
- Enable two-factor authentication on all financial and social accounts.
- Verify shortened links before clicking — services like Lunyb provide link previews and analytics that help separate legitimate marketing links from suspicious ones. Our honest Lunyb review covers the safety features in detail.
- Report harmful content directly through in-platform tools — under the 2026 Act, platforms must acknowledge and act within strict timelines.
- Use the ScamShield app and check suspicious numbers and websites.
What Marketers Should Do Differently in 2026
Marketing teams running Singapore campaigns need to adapt creative, link strategy, and ad targeting.
Branded Links Build Trust
Generic shortlinks are increasingly flagged by platform scam filters. Branded short links with a verified custom domain are less likely to be misclassified. Compare alternatives in our Rebrandly review and the broader URL shortener comparison.
Verified Advertiser Status
If you advertise in financial services, crypto, or investments to Singapore audiences, expect to complete platform verification tied to UEN and director identity checks.
Disclosure of AI-Generated Content
Ads using generative AI imagery of real people, public figures, or synthetic voices must disclose AI generation under the new rules.
Pros and Cons of the 2026 Framework
Pros
- Clearer obligations across more service types, reducing regulatory ambiguity.
- Stronger protections for minors and victims of online abuse.
- Faster scam takedowns will reduce financial harm.
- Mandatory transparency reporting improves public trust.
- Local representative requirement gives Singapore users a real point of contact.
Cons
- Compliance costs may push smaller foreign platforms to geo-block Singapore.
- Aggressive takedown timelines risk over-removal of legitimate content.
- Age-assurance technology raises its own privacy concerns.
- Extraterritorial reach creates conflict-of-laws issues for global services.
- SMEs may struggle to interpret and apply the Code of Practice.
Timeline: Key Dates to Remember
- Q1 2026: Final Code of Practice for Online Safety (2026 edition) published.
- Q2 2026: New categories of designated services notified by IMDA.
- Q3 2026: Local representative appointment deadlines for foreign services.
- Q4 2026: First transparency reports due for largest platforms.
- 2027: Full enforcement of scam-prevention duties and AI provenance rules.
Frequently Asked Questions
Does the Singapore Online Safety Act 2026 apply to overseas companies?
Yes. The Act applies extraterritorially to any online service accessible to users in Singapore that meets the relevant thresholds. Foreign companies must appoint a Singapore-based representative and respond to IMDA directions within statutory timelines, regardless of where they're headquartered.
What counts as "egregious content" under the Act?
Egregious content includes child sexual exploitation material, terrorism and violent extremism content, material inciting racial or religious disharmony, intimate image abuse, cyberbullying, and content used in scams or impersonation of Singapore institutions. Each category has its own takedown timeline.
How does the Act affect small businesses and content creators?
Small businesses below the DOCS threshold aren't subject to the full Code of Practice, but they still must remove illegal content when notified and may be subject to baseline duties. Content creators should review platform community guidelines, disclose AI-generated content, and avoid practices that could be flagged as scam-like behaviour.
What are the penalties for non-compliance?
Penalties range from S$500,000 for failing to appoint a local representative to up to 10% of annual Singapore turnover for systemic moderation failures. The IMDA can also issue access-blocking directions to ISPs, effectively cutting off non-compliant services from Singapore users.
How can I report harmful content under the new rules?
Use the in-platform reporting tools, which regulated services must make easily accessible. For unresponsive platforms or serious harms, you can escalate to the IMDA via its online safety portal. For scams, report to ScamShield and the Singapore Police Force's Anti-Scam Centre.
Final Thoughts
The Singapore Online Safety Act 2026 represents a maturation of the city-state's digital regulation playbook. It blends strict obligations with practical enforcement mechanisms and recognises that online safety is no longer just a content problem — it's a scam problem, an AI problem, and a youth wellbeing problem all at once. Platforms, marketers, and users all have a role to play, and those who prepare now will navigate the new landscape with far less friction. Whether you're building compliant link infrastructure, updating moderation systems, or simply protecting your family online, treat the 2026 update as the new baseline for doing business in Singapore's digital economy.