Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore continues to refine one of Asia's most ambitious digital safety frameworks. The Singapore Online Safety Act 2026 builds on amendments to the Broadcasting Act and the newer Online Criminal Harms Act, expanding obligations for online platforms, businesses, and even individual content creators. Whether you operate a social media service, run an e-commerce store, or simply share links online, understanding these rules is now essential.
This complete guide breaks down what the Act covers in 2026, who must comply, what penalties apply, and the practical steps you can take to stay on the right side of the Infocomm Media Development Authority (IMDA).
What Is the Singapore Online Safety Act 2026?
The Singapore Online Safety Act 2026 is the consolidated framework of online safety obligations enforced by the IMDA, drawing from the Online Safety (Miscellaneous Amendments) Act 2022, the Online Criminal Harms Act 2023, and subsequent codes of practice updated through 2025-2026. It governs how online communication services must handle harmful content accessible to Singapore users.
In practice, the framework gives Singapore regulators the power to:
- Order the removal of egregious content within hours of notice.
- Compel platforms to block access to non-compliant services.
- Require designated platforms to implement child safety, scam prevention, and user reporting systems.
- Issue directions to stop the communication of suspected criminal content, including scams and malicious cyber activities.
Why Singapore Updated the Framework
Singapore has consistently ranked among the world's most scam-targeted jurisdictions per capita. Phishing links, investment scams, deepfake impersonations, and child sexual exploitation material drove the government to tighten obligations. The 2026 refresh emphasizes scam prevention, deepfake regulation, and platform accountability, aligning Singapore with comparable laws in the UK (Online Safety Act 2023) and Australia (Online Safety Act 2021).
Who Must Comply With the Act?
The Act applies broadly, but obligations scale with the size and risk profile of the service. Three categories matter most in 2026:
1. Designated Online Communication Services (DOCS)
These are large social media platforms with significant reach in Singapore — typically services like Facebook, Instagram, TikTok, X, YouTube, and HardwareZone. Designation is made by the IMDA based on user numbers and risk. DOCS must comply with the Code of Practice for Online Safety, including child safety standards, transparency reporting, and rapid response to user reports.
2. Online Services Generally
Any online service accessible to Singapore end-users — including forums, messaging apps, marketplaces, and even URL shorteners — can be served with directives if their service is being used to facilitate egregious or criminal content. This includes smaller platforms, app developers, and SaaS tools.
3. Individuals and Businesses Sharing Content
Individual users, influencers, and businesses that post, repost, or facilitate the spread of prohibited content may also be subject to stop communication directions and, in serious cases, criminal liability.
Categories of Content Regulated
The Act focuses on several content types that pose harm to Singapore users. Understanding the categories helps platforms build appropriate moderation systems.
| Content Category | Examples | Response Required |
|---|---|---|
| Egregious Content | Child sexual exploitation, terrorism content, content inciting violence | Disable access within hours of IMDA direction |
| Scam Content | Phishing pages, fake investment schemes, impersonation accounts | Stop communication; restrict accounts |
| Malicious Cyber Activity | Malware distribution, credential harvesting, fraud infrastructure | Block, remove, or disable |
| Harmful Content (children) | Sexual content, self-harm promotion, cyberbullying targeting minors | Apply child safety standards |
| Deepfake Election Content | Synthetic media of candidates during election periods | Remove under Elections (Integrity of Online Advertising) provisions |
Key Obligations Under the 2026 Framework
Designated platforms and online services face a layered set of duties. The most consequential obligations in 2026 are summarized below.
1. User Reporting and Resolution
Platforms must provide clear, easy-to-use reporting tools for Singapore users and must act on reports of harmful content with reasonable speed. Status updates to reporters are encouraged as part of the Code of Practice.
2. Proactive Child Safety Measures
Services likely accessible to minors must implement age-appropriate defaults, content filtering, and safer recommendation systems. This includes default-off direct messaging from strangers, limits on adult content in feeds aimed at minors, and stricter advertising rules.
3. Transparency Reporting
Designated platforms must publish annual online safety reports detailing the volume of harmful content detected, enforcement actions, and user reports handled. These reports are reviewed by the IMDA.
4. Scam and Malicious Activity Controls
Under the Online Criminal Harms Act provisions, platforms can be ordered to:
- Disable specific URLs, accounts, or content within tight timelines.
- Restrict accounts engaging in scam activity.
- Apply proactive scam detection on high-risk services.
- Cooperate with law enforcement on cross-border cases.
5. Deepfake and Synthetic Media Rules
Following the 2024 Elections (Integrity of Online Advertising) Act and 2025 expansions, platforms must rapidly remove digitally generated or manipulated content misrepresenting candidates during election periods. Broader deepfake provisions targeting non-consensual intimate imagery are also strengthened.
Penalties for Non-Compliance
Penalties under the Singapore framework are significant and designed to ensure even large overseas platforms take notice.
| Violation | Maximum Penalty |
|---|---|
| Failure to comply with IMDA direction (corporate) | Up to SGD 1,000,000 fine |
| Continued non-compliance (daily fine) | Up to SGD 100,000 per day |
| Access blocking order against the service | ISP-level blocking in Singapore |
| Individual non-compliance with stop communication direction | Fines and/or imprisonment up to 12 months |
| Election deepfake violations | Fines plus criminal liability |
In addition to financial penalties, the IMDA can issue access blocking directions requiring Singapore internet service providers to block non-compliant services entirely — a commercially devastating outcome for any platform targeting Singapore users.
How the Act Compares Regionally
Singapore's approach sits between the EU's Digital Services Act and Australia's Online Safety Act in terms of strictness. Below is a quick comparison.
| Feature | Singapore (2026) | UK Online Safety Act | Australia Online Safety Act |
|---|---|---|---|
| Regulator | IMDA | Ofcom | eSafety Commissioner |
| Scam focus | Very strong | Strong (fraudulent ads) | Moderate |
| Deepfake election rules | Yes (specific Act) | Partial | Partial |
| Child safety code | Yes | Yes | Yes (BOSE) |
| Maximum fine | SGD 1M + daily | £18M or 10% turnover | AUD 782,500 per breach |
| Access blocking | Yes | Yes | Yes |
Practical Compliance Steps for Businesses
If your business operates an online service touching Singapore users — even if you are based overseas — you should treat the Act as in-scope. Here is a practical compliance roadmap.
Step 1: Determine Your Scope
Assess whether your service is an "online communication service" or otherwise accessible to Singapore end-users. E-commerce sites, marketplaces, link-sharing tools, and SaaS communication platforms typically fall in scope.
Step 2: Map Your Risk Surface
Identify where harmful content could appear: user-generated posts, comments, direct messages, listings, profile fields, uploaded media, and outbound links.
Step 3: Build a Reporting Mechanism
Provide an accessible reporting tool, in English, that allows Singapore users to flag content. Track resolution times and document outcomes.
Step 4: Establish a Direction Response Workflow
Ensure your legal or trust and safety team can act on IMDA directions within the required timeframe. Establish a Singapore point of contact if you are an overseas service.
Step 5: Implement Scam and Phishing Detection
Use automated link scanning, domain reputation services, and pattern detection to catch scam content early. If your service issues short links, choose providers that include malware and phishing screening. Privacy-respecting tools such as Lunyb include link safety checks that help reduce the risk of scam URLs spreading through your platform — useful for marketing teams concerned about brand safety and regulatory exposure.
Step 6: Train Your Team
Moderators, customer support, and legal staff should be trained on the categories of harmful content, escalation procedures, and timelines under the Act.
Step 7: Document Everything
Maintain logs of reports received, actions taken, and IMDA correspondence. These records are essential if the IMDA audits or investigates your service.
What Individual Users Should Know
The Act is not only about big platforms. Individual users in Singapore should understand a few critical points.
You Can Be Issued a Direction
If you post, share, or repost scam content, deepfake election content, or other prohibited material, you can receive a stop communication direction. Ignoring it may result in fines or, for serious cases, imprisonment.
Reporting Is Easier Than Before
Both major platforms and the ScamShield and IMDA reporting portals offer streamlined ways to escalate harmful content. Use them — particularly for scam links, impersonation accounts, and content harming children.
Be Cautious With Links
Shortened URLs remain a popular vector for scams. Before clicking, hover to preview, or use a link expander. When creating short links for your own use, choose a shortener that includes link safety scanning. Our roundup of the best URL shorteners reviewed and compared in 2026 evaluates security features alongside analytics and pricing. If you are considering a specific provider, our Rebrandly review for 2026 and our honest review of Lunyb can help you compare.
Cross-Border Considerations
The Act applies extraterritorially. If your service is accessible to Singapore users — even without a local office — the IMDA can issue directions. Overseas operators should:
- Designate a Singapore representative or legal counsel for handling notices.
- Ensure technical capability to geo-restrict or remove content if directed.
- Monitor IMDA publications and updated codes of practice.
- Treat Singapore as a distinct jurisdiction in your trust and safety playbook, similar to the UK or EU.
Outlook: What May Change After 2026
Singapore has signaled further evolution of online safety law. Expect the following developments in the next 12-24 months:
- Expanded deepfake provisions covering non-election contexts such as fraud and defamation.
- Stronger age assurance requirements for services likely accessed by minors, aligned with UK and Australian developments.
- Tighter rules on AI-generated content disclosure, including watermarking expectations.
- Sector-specific scam codes, with banks, telcos, and platforms sharing responsibility under the Shared Responsibility Framework.
FAQ
Does the Singapore Online Safety Act apply to overseas websites?
Yes. The Act applies extraterritorially to any online service accessible to end-users in Singapore. The IMDA can issue directions to overseas operators and, if ignored, order access blocking through Singapore internet service providers.
What is the difference between the Online Safety Act and the Online Criminal Harms Act?
The Online Safety (Miscellaneous Amendments) Act focuses on harmful content like child exploitation and content inciting violence, regulated by the IMDA. The Online Criminal Harms Act targets criminal activity such as scams and malicious cyber activity, with directions issued by the Ministry of Home Affairs. Together with related codes, they form the 2026 framework commonly referred to as the Singapore Online Safety Act.
What happens if my business ignores an IMDA direction?
Fines can reach SGD 1,000,000 for corporate non-compliance, with additional daily fines up to SGD 100,000. The IMDA can also order Singapore ISPs to block access to your entire service, effectively cutting you off from the Singapore market.
Are URL shorteners regulated under the Act?
URL shorteners are not specifically named, but they qualify as online services and can receive directions if their links are used to facilitate scams, phishing, or other prohibited content. Operators should implement link scanning and abuse reporting mechanisms.
How can individuals report harmful content in Singapore?
Use in-platform reporting tools first. For scams, report to ScamShield and the Singapore Police Force. For other harmful content, the IMDA provides an online reporting portal. Keep evidence such as screenshots, URLs, and timestamps when filing reports.