facebook-pixel

Singapore Online Safety Act 2026: Complete Guide for Businesses and Users

L
Lunyb Security Team
··10 min read

Singapore has become one of Asia's most active jurisdictions when it comes to digital regulation, and the Singapore Online Safety Act 2026 is the latest milestone. Building on the 2022 amendments to the Broadcasting Act and the Online Criminal Harms Act (OCHA) 2023, the 2026 framework consolidates and strengthens rules on harmful online content, platform accountability, and user redress. This guide breaks down what the Act does, who it applies to, and what businesses and individuals in Singapore need to do about it.

What Is the Singapore Online Safety Act 2026?

The Singapore Online Safety Act 2026 is a consolidated legal framework administered by the Infocomm Media Development Authority (IMDA) that regulates online content, protects users from harmful material, and imposes duties on digital platforms serving Singapore users. It updates and unifies obligations previously spread across the Broadcasting Act, the Online Criminal Harms Act, and various codes of practice.

At its core, the Act aims to make the online environment in Singapore safer, especially for children and vulnerable users, while preserving legitimate speech, commerce, and innovation. It gives regulators clearer powers to order the removal of illegal content, block access to non-compliant services, and require platforms to design their products with safety in mind.

Why a New Act in 2026?

Several trends drove the 2026 update:

  • Rapid growth of generative AI, deepfakes, and synthetic scam content.
  • Rising incidents of online harassment, doxxing, and image-based abuse.
  • Increased sophistication of financial scams targeting Singapore residents.
  • Global regulatory momentum, including the UK Online Safety Act, EU Digital Services Act, and Australia's Online Safety reforms.

Rather than layering more amendments onto older statutes, Singapore chose to consolidate obligations into a single, clearer regime.

Who Does the Act Apply To?

The Act applies broadly to any service accessible to users in Singapore, regardless of where the provider is based. Coverage extends across four main categories.

1. Designated Online Services

These are large user-to-user platforms — social media networks, video-sharing sites, messaging services with public features, and app stores — that IMDA formally designates. Designated services carry the heaviest obligations, including systemic risk assessments and annual transparency reports.

2. Search Services

General search engines and vertical search products face specific duties around illegal content indexing, scam links, and child safety.

3. Electronic Services

This broader category covers apps, marketplaces, and interactive websites. Duties scale with size, risk, and content type.

4. Ancillary Services

Hosting providers, CDNs, domain registrars, and even URL shorteners can be pulled into the framework when their infrastructure is used to distribute harmful content. This is why choosing a compliant, transparent link provider such as Lunyb matters for Singapore-based marketers and publishers.

Categories of Harmful Content Covered

The Act defines several classes of regulated content, each with different response timelines and enforcement thresholds.

Content CategoryExamplesRequired Response
Egregious contentChild sexual abuse material, terrorism contentImmediate removal (within hours of notice)
Criminal harmsScams, unlicensed financial services, drug salesRemoval within 24 hours of directive
Harassment and abuseDoxxing, image-based abuse, stalkingRemoval within 24–48 hours
Youth-harmful contentSuicide/self-harm promotion, extreme violenceAge-gating or removal
Election integrityDeepfakes of candidates, coordinated inauthentic behaviourLabelling, takedown, or correction
Misinformation on public healthFalse vaccine claims, dangerous "cures"Correction directions or removal

Key Obligations for Platforms

Platforms serving Singapore users must build safety into their systems rather than treating it as an afterthought. Below are the main duties introduced or reinforced by the 2026 Act.

1. Systemic Risk Assessments

Designated services must conduct annual risk assessments covering how their algorithms, recommendation systems, and product features contribute to the spread of harmful content. Assessments must be documented and available to IMDA on request.

2. Safety by Design

Providers must integrate safety controls at the design stage — default privacy settings for minors, friction on risky flows (like sending money to new contacts), and clear reporting tools accessible from every piece of user-generated content.

3. User Reporting and Complaints

All in-scope services must offer a locally accessible, easy-to-use reporting mechanism, acknowledge complaints within 48 hours, and provide a substantive response within 10 business days.

4. Age Assurance for Minors

Platforms likely to be accessed by children must deploy proportionate age assurance measures. This does not require mandatory ID for all users, but risk-based measures such as behavioural signals, self-declaration with verification checks, or third-party age estimation services.

5. Scam and Fraud Controls

Given the prevalence of online scams in Singapore, the Act specifically requires:

  1. Real-time scanning of ads and sponsored content for known fraud indicators.
  2. Verification of advertiser identity for financial and investment ads.
  3. Warning banners on suspicious external links.
  4. Cooperation with the Anti-Scam Centre and Singapore Police Force.

6. Transparency Reporting

Designated services must publish annual transparency reports covering content moderation actions, government requests, and effectiveness of safety measures. Reports must be filed with IMDA and made public.

Enforcement Powers and Penalties

The Act gives IMDA and, in criminal matters, the Singapore Police Force a graduated set of enforcement tools.

Directions IMDA Can Issue

  • Removal directions — remove specific content within a set period.
  • Disabling directions — disable access from Singapore.
  • Account restriction directions — suspend or restrict specific accounts.
  • App removal directions — require app stores to delist non-compliant apps.
  • Access blocking directions — ISPs must block non-compliant services in extreme cases.

Financial Penalties

Maximum fines have been raised significantly:

  • Up to SGD 1 million per breach for designated services, or up to 10% of annual local turnover, whichever is higher.
  • Daily penalties of up to SGD 100,000 for continuing non-compliance.
  • Personal liability for officers where non-compliance is due to their neglect or consent.

Criminal Offences

Certain acts remain criminal, including knowingly hosting egregious content, failing to comply with a lawful direction, and providing false information to IMDA. Penalties include imprisonment and additional fines.

How the Act Affects Businesses in Singapore

Even businesses that do not think of themselves as "online platforms" can be affected. If your website hosts user comments, reviews, forums, or user-generated media, you may fall within scope.

Marketing and Advertising Teams

Marketers running paid campaigns in Singapore must ensure ad creatives, landing pages, and tracking links comply with the scam-prevention rules. That includes using reputable link infrastructure. Tools like reputable URL shorteners with transparent domains, click analytics, and abuse controls reduce the risk of your links being flagged or blocked.

E-commerce and Marketplaces

Marketplaces must verify sellers, monitor listings for prohibited items, and provide effective complaint channels. Repeat-offender policies are now mandatory for designated services.

Publishers and Content Creators

Creators are not directly regulated as "platforms", but they can receive correction or takedown notices for their own content. Keeping records of sources and editorial decisions is now a practical necessity.

SMEs and Startups

Smaller businesses benefit from a proportionality principle: obligations scale with size and risk. However, all in-scope services must at minimum provide a reporting channel, respond to lawful directions, and avoid hosting egregious content.

User Rights Under the Act

The Act is not just about platform duties — it also strengthens rights for individuals in Singapore.

1. Right to Report Harmful Content

Any user can report content directly to the platform and, if unresolved, escalate to IMDA's online safety portal.

2. Right to Restoration

Users whose content is wrongly removed can request restoration and receive a reasoned decision within a defined period.

3. Right to Information

Users have the right to know when their content has been actioned, why, and how to appeal.

4. Protections Against Image-Based Abuse

Victims of non-consensual intimate images or deepfakes can request expedited takedown, with platforms required to act within 24 hours.

5. Protections for Children

Parents and guardians can request removal of content targeting or exposing minors, and platforms must offer parental controls where relevant.

Compliance Checklist for Businesses

Use the following steps as a starting framework. Larger organisations should complement this with formal legal advice.

  1. Scope your services. Identify which of your products fall within the Act's categories.
  2. Map your content flows. Document how user-generated content is created, moderated, and distributed.
  3. Update your terms and community guidelines. Align them with the Act's content categories.
  4. Implement a reporting mechanism. Ensure it is accessible, tracked, and auditable.
  5. Deploy age assurance where required. Choose proportionate measures aligned with your risk profile.
  6. Review advertising and link infrastructure. Ensure landing pages and shortened URLs are transparent and scam-safe.
  7. Train staff. Especially trust and safety, marketing, and customer support teams.
  8. Prepare transparency documentation. Start collecting the data you will need for annual reports.
  9. Establish a Singapore contact point. Designated services must appoint a local representative.
  10. Test incident response. Run a tabletop exercise for handling an IMDA direction.

How Singapore's Act Compares Internationally

Singapore's approach shares DNA with other major frameworks but has its own tilt toward scam prevention and rapid enforcement.

FeatureSingapore OSA 2026UK Online Safety ActEU Digital Services Act
Primary regulatorIMDAOfcomEuropean Commission + national DSCs
Max finesSGD 1M or 10% turnover£18M or 10% turnoverUp to 6% global turnover
Scam-specific dutiesExtensiveModerateLimited
Age assuranceRisk-basedHighly proscriptiveRisk-based
Access blockingYesYesRare, last resort
Transparency reportsAnnual for designated servicesAnnualBi-annual for VLOPs

Practical Tips for Individuals

While the Act primarily targets platforms, everyday users can benefit by adopting a few habits:

  • Use privacy-respecting browsers and encrypted DNS resolvers to reduce exposure to malicious domains.
  • Verify shortened links before clicking — most reputable shorteners, including Lunyb, provide preview features or transparent branded domains.
  • Enable multi-factor authentication on financial and social accounts.
  • Report harmful content through the platform's official channels and, if needed, IMDA.
  • Talk to children about online safety and use built-in parental controls.

What to Expect Next

IMDA is expected to publish detailed Codes of Practice through 2026 and 2027, covering topics such as generative AI content labelling, algorithmic transparency, and cross-border cooperation. Businesses should monitor consultations and participate where relevant. Enforcement will likely start with high-profile cases against services that fail to appoint local representatives or ignore takedown directives.

FAQ

Does the Singapore Online Safety Act 2026 apply to foreign companies?

Yes. The Act applies to any service accessible to users in Singapore, regardless of where the provider is headquartered. Designated foreign services must also appoint a local representative to receive directions and communications from IMDA.

Do small businesses and personal blogs need to comply?

Obligations are proportionate to size and risk. Personal blogs and small SMEs generally will not face the full designated-service regime, but they must still remove clearly illegal content when notified and provide a basic way for users to report problems.

How does the Act handle deepfakes and AI-generated content?

Deepfakes that impersonate real people for fraud, harassment, or election interference are treated as harmful content and subject to rapid takedown. Designated platforms are expected to deploy detection tools and label synthetic media where feasible, with more detailed rules coming through IMDA Codes of Practice.

What should I do if my content is wrongly removed?

You have the right to appeal to the platform, which must provide a reasoned response. If unresolved, you can escalate to IMDA's online safety portal. Keep records of the original content, timestamps, and any communications from the platform to support your appeal.

How can businesses reduce the risk of their marketing links being flagged?

Use reputable link infrastructure with transparent domains, click analytics, and abuse-prevention controls. Avoid free or anonymous shorteners commonly associated with spam. Solutions like Lunyb and other established URL shorteners provide the trust signals that scam-detection systems look for, reducing the likelihood of being blocked under the Act's scam-prevention provisions.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles