facebook-pixel

Singapore Online Safety Act 2026: Complete Guide for Users and Businesses

L
Lunyb Security Team
··10 min read

Singapore has steadily built one of Asia's most comprehensive digital safety frameworks, and the 2026 evolution of the Online Safety Act pushes that agenda even further. Whether you run a social media service, operate a marketing platform, or simply want to understand your rights as a user in Singapore, this guide breaks down what the law covers, who it applies to, and what practical steps you should take this year.

What Is the Singapore Online Safety Act?

The Singapore Online Safety Act is a legislative framework administered by the Infocomm Media Development Authority (IMDA) that regulates harmful online content accessible to users in Singapore. It amends the Broadcasting Act to give regulators direct powers over online communication services, particularly social media platforms with significant local reach.

Originally passed in 2022 and progressively expanded, the 2026 update strengthens child safety provisions, introduces stricter rules on deepfakes and generative AI content, and formalises new duties for platforms hosting user-generated media. It sits alongside the Online Criminal Harms Act (OCHA) and the Personal Data Protection Act (PDPA) to form Singapore's core digital governance stack.

Why the 2026 Update Matters

The 2026 amendments respond to three fast-moving problems: the surge of AI-generated impersonation content, scam ecosystems targeting Singapore residents, and the exposure of minors to harmful material on messaging and short-video platforms. Regulators have signalled a clear shift from voluntary industry codes toward enforceable statutory duties with meaningful financial penalties.

Who Does the Act Apply To?

The Act applies to "online communication services" (OCS) accessible to end users in Singapore, with additional obligations for services designated by IMDA due to their scale or risk profile.

  • Regulated Online Communication Services: Social media, video-sharing, messaging, and community platforms with users in Singapore.
  • Designated Online Communication Services (DOCS): Larger platforms with significant local reach — think Facebook, Instagram, TikTok, X, YouTube, HardwareZone, and comparable services.
  • Third-Party Service Providers: Ad networks, link infrastructure, hosting providers, and content delivery services that materially support regulated platforms.
  • Businesses Operating in Singapore: Any organisation using digital channels to reach Singapore consumers may be indirectly affected through takedown and disclosure directions.

Individual users are not directly regulated by the Act, but content they publish can be subject to takedown, access-blocking, or account restriction directions.

Core Categories of Harmful Content

The Act identifies specific categories of "egregious content" that platforms must actively guard against. In 2026, this list has expanded to reflect emerging AI-driven harms.

  1. Child sexual exploitation material — including AI-generated depictions of minors.
  2. Terrorism content — recruitment, instructional, and glorification material.
  3. Content inciting violence against individuals or communities.
  4. Content endangering public health or public security.
  5. Content promoting racial or religious disharmony — a longstanding Singapore priority.
  6. Non-consensual intimate imagery, including deepfake pornography.
  7. Suicide and self-harm content, with heightened rules for services accessible to minors.
  8. Scam and fraudulent content, harmonised with obligations under the Online Criminal Harms Act.

Key Obligations for Platforms in 2026

Platforms now face a tiered set of duties. General regulated services must meet baseline safety standards, while designated services face significantly deeper obligations.

1. Content Moderation and Takedown

Designated services must remove or disable access to egregious content accessible to Singapore users when directed by IMDA. Response windows are typically measured in hours, not days, and non-compliance can trigger access-blocking orders against the entire service.

2. Systems and Processes Requirements

Designated platforms must implement and evidence:

  • Community guidelines aligned with the Code of Practice for Online Safety.
  • User reporting mechanisms that are easy to find and use.
  • Proactive detection tools for child safety violations.
  • Default safety settings for minors, including limits on unsolicited direct messages.
  • Transparency reporting published annually.

3. Deepfake and Synthetic Media Rules

New in 2026, platforms must label AI-generated media where technically feasible and provide fast-track removal channels for non-consensual synthetic content — particularly during election periods, where the Elections (Integrity of Online Advertising) Act complements the Online Safety Act.

4. Child Safety Duties

Services likely to be accessed by minors must run age-appropriate design assessments, restrict targeted advertising to under-18s, and implement default-on protections such as private accounts and screen-time nudges.

Enforcement and Penalties

IMDA's enforcement toolkit under the 2026 framework is broader than earlier versions of the law.

Enforcement ActionWhen It AppliesMaximum Consequence
Content Takedown DirectionEgregious content accessible in SingaporeFines up to SGD 1 million per breach
Access Blocking OrderPersistent non-compliance by a serviceISP-level blocking of the platform in Singapore
App Store RemovalRepeat or severe violationsDe-listing from Singapore app stores
Financial PenaltyBreach of Code of PracticeUp to 10% of annual local turnover (designated services)
Criminal LiabilityWilful non-compliance by officersFines and imprisonment for individuals

Importantly, IMDA can act on content hosted overseas as long as it is accessible in Singapore, giving the Act meaningful extraterritorial reach.

Implications for Singapore Businesses

Even if you are not a platform, the Act shapes how you operate online in Singapore.

Marketing and Communications Teams

Marketers must ensure paid campaigns, influencer content, and user-generated campaign assets do not fall into egregious categories. Scam-adjacent tactics — clickbait redirects, misleading celebrity endorsements, or unverified investment claims — are increasingly enforced against under both the Online Safety Act and OCHA.

If you use link management or branded short links in your campaigns, choose infrastructure that offers transparent redirects, malware scanning, and audit logs. A trustworthy shortener like Lunyb can help demonstrate that your links are safe, traceable, and not being used to disguise harmful destinations — a factor that matters when platforms review your ads or when regulators trace scam infrastructure. For a broader look at options, see our 2026 buyer's guide to URL shorteners.

Community Managers and Publishers

Businesses that operate their own forums, comment sections, or Discord/Telegram communities should establish written moderation policies, a clear reporting channel, and evidence retention procedures. If IMDA issues a direction relating to content on your channels, quick documented action is your best defence.

Legal, Risk, and Compliance

Boards should treat online safety as a governance issue, not just a marketing hygiene problem. Recommended actions include:

  1. Mapping which services and touchpoints could be captured by the Act.
  2. Updating vendor contracts to require cooperation with lawful directions.
  3. Aligning incident response plans with IMDA notification timelines.
  4. Integrating online safety metrics into ESG and risk reporting.

Implications for Everyday Users

For Singapore residents, the Act delivers stronger protections but also new responsibilities.

Your Rights

  • Faster removal of harmful content, particularly non-consensual imagery and scams.
  • Clearer reporting tools on major platforms.
  • Additional protections for minors by default.
  • Right to appeal certain moderation actions taken under Singapore directions.

Your Responsibilities

Users remain accountable under existing laws — including the Protection from Harassment Act and OCHA — for content they post. Sharing scams, doxxing content, or AI-generated impersonations of others can trigger takedowns, account restrictions, and in serious cases, criminal investigation.

How the Act Interacts With Other Singapore Laws

Understanding the wider legal landscape helps clarify where the Online Safety Act begins and ends.

LawPrimary FocusRelationship to Online Safety Act
Online Criminal Harms Act (OCHA)Scams, malicious cyber activity, criminal contentComplements OSA; both can apply to the same content
Personal Data Protection Act (PDPA)Personal data handlingGoverns data used in moderation and reporting
Protection from Online Falsehoods and Manipulation Act (POFMA)False statements of factTargets misinformation; OSA targets harmful content categories
Protection from Harassment Act (POHA)Harassment, stalking, doxxingProvides individual remedies alongside OSA takedowns
Broadcasting ActTraditional and online broadcastingStatutory home of the Online Safety Act provisions

Compliance Checklist for 2026

If you operate a platform, publisher site, or marketing channel that reaches Singapore users, work through this practical checklist.

  1. Scoping: Confirm whether your service is a regulated OCS or likely to be designated.
  2. Policies: Publish community guidelines addressing all egregious content categories.
  3. Reporting: Provide a Singapore-accessible reporting tool that acknowledges submissions within defined SLAs.
  4. Moderation: Combine automated detection with human review, especially for child safety, deepfakes, and scams.
  5. Minors: Implement age-appropriate default settings and restrict targeted ads to under-18s.
  6. Transparency: Prepare annual transparency reports covering volumes, response times, and appeals.
  7. Incident Response: Document workflows for IMDA directions with clear ownership and legal review.
  8. Vendors: Audit link infrastructure, ad partners, and hosting providers for compliance readiness.
  9. Training: Train marketing, community, and legal teams annually on Singapore-specific obligations.
  10. Records: Retain evidence of moderation decisions and safety measures for at least three years.

Best Practices for Safer Online Operations

Beyond strict compliance, several practices reduce risk and build user trust.

Use Trustworthy Link Infrastructure

Scam operators frequently rely on disposable shorteners to disguise harmful destinations. Businesses should standardise on link tools that offer scan-on-click checks, branded domains, and analytics. If you are comparing options, our reviews of Rebrandly and Lunyb walk through the practical differences.

Harden Account Security

Hijacked corporate accounts are a top vector for scam content that ends up triggering OSA directions. Enforce multi-factor authentication, review admin access quarterly, and rotate API keys for social publishing tools.

Protect Privacy at the Network Layer

Individuals concerned about safer browsing in Singapore can adopt privacy-respecting browsers, enable encrypted DNS (DNS-over-HTTPS), keep operating systems patched, and be cautious about installing unverified apps. These measures reduce exposure to scam links and tracking without conflicting with Singapore law.

Prepare for Deepfake Incidents

Every mid-size business should have a playbook for the moment a deepfake of an executive, customer, or product appears online. That playbook should cover verification, evidence collection, reporting to IMDA and the platform, and internal and external communications.

Frequently Asked Questions

Does the Singapore Online Safety Act apply to overseas platforms?

Yes. If a service is accessible to end users in Singapore, IMDA can issue directions regardless of where the platform is headquartered. Designated services with significant local reach face the deepest obligations, and non-cooperation can lead to access-blocking within Singapore.

What penalties do platforms face for non-compliance in 2026?

Penalties range from fines of up to SGD 1 million per breach for specific violations, to financial penalties of up to 10% of local annual turnover for designated services that breach the Code of Practice. Persistent non-compliance can also trigger access-blocking orders and app store de-listing.

How does the Act affect individual users in Singapore?

Users benefit from stronger default protections, faster removal of harmful content, and clearer reporting tools. However, users remain responsible under other laws — including OCHA and POHA — for content they post. Sharing scams, doxxing content, or non-consensual imagery can trigger takedowns and, in serious cases, criminal investigation.

How is the Online Safety Act different from OCHA?

The Online Safety Act focuses on categories of harmful content on online communication services, with duties centred on IMDA and platform obligations. OCHA targets criminal harms — particularly scams and malicious cyber activity — and gives law enforcement direct disruption powers. Both laws can apply to the same content, and they are increasingly enforced in a coordinated manner.

What should small businesses in Singapore do first?

Start by mapping your digital footprint: which platforms you post on, whose communities you moderate, and which vendors handle your links, hosting, and ads. Then update your content policies, secure your accounts, and choose reputable link and analytics infrastructure. Small businesses are unlikely to be designated services, but they can still be affected by takedown directions and reputational harm if their channels are misused.

Final Thoughts

The Singapore Online Safety Act 2026 represents a mature, risk-based approach to digital harm — one that balances user protection with practical obligations for platforms and businesses. For most organisations, compliance is less about legal gymnastics and more about doing the fundamentals well: clear policies, responsive moderation, secure accounts, and trustworthy infrastructure. Get those right, and the Act becomes a framework you can operate confidently within, rather than a compliance burden to fear.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles