Singapore Online Safety Act 2026: A Complete Compliance Guide
Singapore has steadily built one of the most structured online safety frameworks in Asia, and 2026 marks a pivotal year for businesses operating digital services in the city-state. The Online Safety Act, originally introduced as an amendment to the Broadcasting Act in 2023 and expanded through subsequent codes of practice, has matured into a comprehensive regulatory regime covering harmful content, child safety, scams, and platform accountability. This complete guide explains what the Singapore Online Safety Act 2026 covers, who must comply, what penalties apply, and how to prepare your organization.
What Is the Singapore Online Safety Act?
The Singapore Online Safety Act is a regulatory framework administered by the Infocomm Media Development Authority (IMDA) that requires online communication services accessible in Singapore to limit user exposure to harmful content. It empowers IMDA to issue directions to platforms, block access to non-compliant services, and designate large social media providers as Regulated Online Communication Services (ROCS) subject to stricter codes of practice.
By 2026, the Act covers a broader range of services than it did at launch. The original focus on social media has expanded through ministerial designations and an evolving Code of Practice for Online Safety to include messaging platforms with broadcast features, large user-generated content services, and certain app stores. The Online Criminal Harms Act (OCHA) and the upcoming proposed Online Safety (Relief and Accountability) framework also work alongside it to create a layered approach.
Why the 2026 Update Matters
The 2026 changes reflect lessons learned from enforcement actions between 2023 and 2025, including scam-related directions, child-safety audits, and several blocking orders against non-cooperative platforms. Three developments make 2026 a notable inflection point:
- Expanded scope of designated services. More platforms have been designated as ROCS, including services that previously argued they fell outside the social media definition.
- Stronger child safety duties. Updated provisions in the Code of Practice require age-appropriate defaults, stricter recommender system controls, and clearer reporting tools for minors.
- Tighter scam and impersonation rules. Following record scam losses in Singapore, platforms now face explicit obligations to detect, label, and remove impersonation accounts and scam advertising.
For businesses that host user content, run community features, or distribute links and media to Singapore users, these updates change day-to-day operations, not just legal paperwork.
Who Must Comply?
Compliance obligations vary by service type and size. The Act distinguishes between general online communication services and designated Regulated Online Communication Services.
General Online Communication Services
Any service that allows users in Singapore to access content generated by other end-users may receive directions from IMDA to disable access to specified egregious content. This includes:
- Social networks and forums
- Video-sharing platforms
- Live-streaming services
- Large messaging and community apps with public channels
- Online marketplaces with user reviews and listings
Regulated Online Communication Services (ROCS)
Services designated as ROCS face the full Code of Practice for Online Safety. Designation typically applies to services with significant reach in Singapore (the threshold has historically been around one million monthly users, though IMDA retains discretion). ROCS must:
- Implement systems to minimize exposure to harmful content
- Provide user reporting and complaint mechanisms with stated response times
- Offer additional safeguards for users under 18
- Publish annual online safety reports
- Cooperate with IMDA directions promptly
Categories of Harmful Content
The Act and Code of Practice define several categories of regulated content. Understanding these categories is essential because moderation policies, trust and safety staffing, and detection tooling must map to each one.
| Content Category | Description | Required Action |
|---|---|---|
| Sexual harm to children | Child sexual abuse material and grooming content | Immediate removal, proactive detection, reporting to authorities |
| Terrorism content | Promotion, facilitation, or glorification of terrorism | Removal on notice, proactive measures for ROCS |
| Self-harm and suicide | Encouragement or instruction | Removal, safety resources, minor-specific safeguards |
| Violence and incitement | Graphic violence, incitement to violence | Removal or restriction; age gating where applicable |
| Public health misinformation | False content harmful to public health | Labeling, demotion, removal where required by direction |
| Racial and religious disharmony | Content inciting hostility between groups | Removal, given Singapore's social cohesion priorities |
| Scams and impersonation | Phishing, fraudulent ads, impersonation accounts | Detection, labeling, removal, advertiser verification |
Key Duties Under the 2026 Code of Practice
The Code of Practice for Online Safety operationalizes the Act. For 2026, designated services must demonstrate measurable performance across several pillars.
1. User Safety by Design
Platforms must build safety into product features, not bolt it on. This includes default privacy settings for minors, friction in viral sharing of unverified content, and clear labeling of synthetic or AI-generated media.
2. Reporting and Resolution
Users in Singapore must have an easy-to-find reporting tool, receive acknowledgements, and get outcome notifications within published timeframes. ROCS must report on volumes, response times, and action rates in annual transparency reports.
3. Child Safety
For users likely to be under 18, platforms must restrict direct messaging from strangers, limit targeted advertising, default sensitive content filters to on, and provide parental supervision tools where feasible.
4. Algorithmic Accountability
Recommender systems must include controls so users can reduce or reset personalized recommendations. Platforms must also document how they prevent amplification of harmful content categories.
5. Scam Mitigation
This is the most operationally demanding 2026 update. Platforms must verify advertisers, detect impersonation of Singapore government agencies, banks, and public figures, and act on IMDA scam directions rapidly.
Penalties and Enforcement
Non-compliance can be expensive and disruptive. IMDA's toolkit includes:
- Financial penalties of up to S$1 million for serious breaches of directions or Code of Practice obligations
- Daily penalties for ongoing non-compliance, accumulating quickly during prolonged disputes
- Access blocking orders directing internet service providers in Singapore to disable access to the entire service
- Public disclosure of enforcement actions, with reputational consequences
Beyond IMDA, the Online Criminal Harms Act allows the Singapore Police Force to issue directions against scam, malicious cyber activity, and other criminal content. The two regimes are designed to work together.
Practical Compliance Roadmap
If your organization operates a platform or hosts user-generated content accessible to Singapore users, the following roadmap captures what most legal and trust-and-safety teams are doing in 2026.
- Scope assessment. Determine whether your service is likely to be designated as ROCS based on Singapore monthly active users and functionality.
- Gap analysis. Compare current policies and tooling against each pillar of the Code of Practice for Online Safety.
- Local point of contact. Appoint a representative who can respond to IMDA directions within stated timeframes.
- Reporting tool localization. Ensure Singapore users see relevant categories, languages, and outcome notifications.
- Minor protection defaults. Review onboarding flows, age assurance methods, and default settings for likely under-18 users.
- Scam playbook. Build detection for impersonation of Singapore institutions and a fast-lane workflow for IMDA scam directions.
- Transparency reporting. Prepare data pipelines now so the annual online safety report covers the required metrics.
- Tabletop exercises. Rehearse incident response for blocking orders and high-volume scam events.
What It Means for Businesses Sharing Links and Content
Smaller businesses that do not run a platform still feel the Act's effects. If you publish links, run marketing campaigns, or distribute media to Singapore audiences, you need to ensure that the content behind your links does not violate harmful-content rules, and that your brand is not being impersonated.
This is where link integrity becomes part of a wider safety posture. Using a trusted link management service such as Lunyb lets you monitor click activity, retire compromised links quickly, and avoid being mistaken for a scam source. You can read our honest review of Lunyb for a deeper look, or compare options in our 2026 URL shortener buyer's guide. For teams evaluating enterprise branded links specifically, our Rebrandly review is also worth reading.
How the Act Interacts with Other Singapore Laws
The Online Safety Act does not exist in isolation. A compliance program in 2026 needs to map across overlapping regimes.
| Law | Focus | Interaction with Online Safety Act |
|---|---|---|
| Personal Data Protection Act (PDPA) | Personal data handling | Age assurance and reporting tools must respect PDPA |
| Online Criminal Harms Act (OCHA) | Criminal content directions | Police-led directions complement IMDA's content directions |
| Protection from Online Falsehoods and Manipulation Act (POFMA) | False statements of fact | Separate correction and stop-communication directions |
| Broadcasting Act | Statutory basis for IMDA powers | Online Safety Act provisions sit within the Broadcasting Act framework |
| Cybersecurity Act | Critical information infrastructure | Relevant for platforms providing essential services |
Common Pitfalls to Avoid
- Assuming offshore status is a shield. The Act has extraterritorial reach over services accessible to users in Singapore.
- Treating directions as negotiations. IMDA directions have statutory force; missed deadlines trigger penalties.
- Under-resourcing trust and safety in local languages. Effective moderation in English, Mandarin, Malay, and Tamil is expected for services with broad Singapore reach.
- Ignoring synthetic media labeling. AI-generated political and impersonation content is a focus area in 2026.
- Forgetting the annual transparency report. Missing or thin reports invite regulatory scrutiny.
Looking Ahead
Singapore's approach to online safety continues to evolve. Areas to watch beyond 2026 include statutory victim relief mechanisms allowing individuals to seek faster takedowns and disclosures, age assurance technical standards, and tighter rules for AI-generated content. Organizations that invest in solid foundations now, particularly around scam detection, child safety defaults, and transparent reporting, will adapt to future updates with far less disruption.
The bottom line: the Singapore Online Safety Act in 2026 is not just a legal checklist. It is a structural shift that treats online platforms as accountable participants in public safety. Businesses that align early gain trust, reduce regulatory risk, and protect their Singapore users from real harm.
Frequently Asked Questions
1. Does the Singapore Online Safety Act apply to overseas companies?
Yes. The Act applies to online communication services that are accessible to users in Singapore, regardless of where the company is headquartered. IMDA can issue directions to overseas providers and, if ignored, can order local internet service providers to block access to the service in Singapore.
2. What is the difference between the Online Safety Act and POFMA?
The Online Safety Act focuses on categories of harmful content such as child exploitation, terrorism, self-harm, and scams, with system-level duties for designated platforms. POFMA targets specific false statements of fact and uses correction and stop-communication directions. They address different harms and use different mechanisms, but both can apply to the same platform.
3. How are minors protected under the 2026 Code of Practice?
Designated services must apply stricter defaults for likely under-18 users, including limits on unsolicited messages from strangers, restrictions on targeted advertising, sensitive content filters set to on by default, and clearer reporting and parental supervision tools where feasible.
4. What penalties do non-compliant platforms face?
Financial penalties can reach S$1 million for serious breaches, with daily penalties for ongoing non-compliance. IMDA can also order access-blocking by local internet service providers, which effectively removes the platform from the Singapore market until compliance is restored.
5. How can small businesses prepare even if they do not run a platform?
Small businesses should ensure their marketing links and shared content do not point to harmful material, monitor for brand impersonation, use reputable link management tools so compromised links can be retired quickly, and educate teams on recognizing scam impersonation patterns that the Act targets.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian organisation mishandles your personal data, you can lodge a free complaint with the Office of the Australian Information Commissioner. This guide walks through eligibility, evidence, the step-by-step process, and what compensation you can realistically expect.
GDPR in Ireland: Your Privacy Rights Explained
A clear, practical guide to your GDPR privacy rights in Ireland — including how to make Subject Access Requests, file complaints with the Data Protection Commission, and protect your personal data online in 2026.
Singapore PDPA vs GDPR: Key Differences for Businesses
Singapore's PDPA and the EU's GDPR both protect personal data, but they differ in scope, consent rules, DPO requirements, penalties, and breach notification timelines. This guide compares the two regimes side-by-side and offers practical compliance tips for businesses operating across both jurisdictions.
Singapore PDPA: Your Personal Data Protection Rights Explained
Singapore's PDPA gives individuals strong rights over their personal data, including access, correction, consent withdrawal, and data portability. This guide explains every key right, how to exercise them, and what to do if an organisation violates the law.