Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore has become one of Asia's most active jurisdictions when it comes to digital regulation, and the Singapore Online Safety Act 2026 is the latest milestone. Building on the 2022 amendments to the Broadcasting Act and the Online Criminal Harms Act (OCHA) 2023, the 2026 framework consolidates and strengthens rules on harmful online content, platform accountability, and user redress. This guide breaks down what the Act does, who it applies to, and what businesses and individuals in Singapore need to do about it.
What Is the Singapore Online Safety Act 2026?
The Singapore Online Safety Act 2026 is a consolidated legal framework administered by the Infocomm Media Development Authority (IMDA) that regulates online content, protects users from harmful material, and imposes duties on digital platforms serving Singapore users. It updates and unifies obligations previously spread across the Broadcasting Act, the Online Criminal Harms Act, and various codes of practice.
At its core, the Act aims to make the online environment in Singapore safer, especially for children and vulnerable users, while preserving legitimate speech, commerce, and innovation. It gives regulators clearer powers to order the removal of illegal content, block access to non-compliant services, and require platforms to design their products with safety in mind.
Why a New Act in 2026?
Several trends drove the 2026 update:
- Rapid growth of generative AI, deepfakes, and synthetic scam content.
- Rising incidents of online harassment, doxxing, and image-based abuse.
- Increased sophistication of financial scams targeting Singapore residents.
- Global regulatory momentum, including the UK Online Safety Act, EU Digital Services Act, and Australia's Online Safety reforms.
Rather than layering more amendments onto older statutes, Singapore chose to consolidate obligations into a single, clearer regime.
Who Does the Act Apply To?
The Act applies broadly to any service accessible to users in Singapore, regardless of where the provider is based. Coverage extends across four main categories.
1. Designated Online Services
These are large user-to-user platforms — social media networks, video-sharing sites, messaging services with public features, and app stores — that IMDA formally designates. Designated services carry the heaviest obligations, including systemic risk assessments and annual transparency reports.
2. Search Services
General search engines and vertical search products face specific duties around illegal content indexing, scam links, and child safety.
3. Electronic Services
This broader category covers apps, marketplaces, and interactive websites. Duties scale with size, risk, and content type.
4. Ancillary Services
Hosting providers, CDNs, domain registrars, and even URL shorteners can be pulled into the framework when their infrastructure is used to distribute harmful content. This is why choosing a compliant, transparent link provider such as Lunyb matters for Singapore-based marketers and publishers.
Categories of Harmful Content Covered
The Act defines several classes of regulated content, each with different response timelines and enforcement thresholds.
| Content Category | Examples | Required Response |
|---|---|---|
| Egregious content | Child sexual abuse material, terrorism content | Immediate removal (within hours of notice) |
| Criminal harms | Scams, unlicensed financial services, drug sales | Removal within 24 hours of directive |
| Harassment and abuse | Doxxing, image-based abuse, stalking | Removal within 24–48 hours |
| Youth-harmful content | Suicide/self-harm promotion, extreme violence | Age-gating or removal |
| Election integrity | Deepfakes of candidates, coordinated inauthentic behaviour | Labelling, takedown, or correction |
| Misinformation on public health | False vaccine claims, dangerous "cures" | Correction directions or removal |
Key Obligations for Platforms
Platforms serving Singapore users must build safety into their systems rather than treating it as an afterthought. Below are the main duties introduced or reinforced by the 2026 Act.
1. Systemic Risk Assessments
Designated services must conduct annual risk assessments covering how their algorithms, recommendation systems, and product features contribute to the spread of harmful content. Assessments must be documented and available to IMDA on request.
2. Safety by Design
Providers must integrate safety controls at the design stage — default privacy settings for minors, friction on risky flows (like sending money to new contacts), and clear reporting tools accessible from every piece of user-generated content.
3. User Reporting and Complaints
All in-scope services must offer a locally accessible, easy-to-use reporting mechanism, acknowledge complaints within 48 hours, and provide a substantive response within 10 business days.
4. Age Assurance for Minors
Platforms likely to be accessed by children must deploy proportionate age assurance measures. This does not require mandatory ID for all users, but risk-based measures such as behavioural signals, self-declaration with verification checks, or third-party age estimation services.
5. Scam and Fraud Controls
Given the prevalence of online scams in Singapore, the Act specifically requires:
- Real-time scanning of ads and sponsored content for known fraud indicators.
- Verification of advertiser identity for financial and investment ads.
- Warning banners on suspicious external links.
- Cooperation with the Anti-Scam Centre and Singapore Police Force.
6. Transparency Reporting
Designated services must publish annual transparency reports covering content moderation actions, government requests, and effectiveness of safety measures. Reports must be filed with IMDA and made public.
Enforcement Powers and Penalties
The Act gives IMDA and, in criminal matters, the Singapore Police Force a graduated set of enforcement tools.
Directions IMDA Can Issue
- Removal directions — remove specific content within a set period.
- Disabling directions — disable access from Singapore.
- Account restriction directions — suspend or restrict specific accounts.
- App removal directions — require app stores to delist non-compliant apps.
- Access blocking directions — ISPs must block non-compliant services in extreme cases.
Financial Penalties
Maximum fines have been raised significantly:
- Up to SGD 1 million per breach for designated services, or up to 10% of annual local turnover, whichever is higher.
- Daily penalties of up to SGD 100,000 for continuing non-compliance.
- Personal liability for officers where non-compliance is due to their neglect or consent.
Criminal Offences
Certain acts remain criminal, including knowingly hosting egregious content, failing to comply with a lawful direction, and providing false information to IMDA. Penalties include imprisonment and additional fines.
How the Act Affects Businesses in Singapore
Even businesses that do not think of themselves as "online platforms" can be affected. If your website hosts user comments, reviews, forums, or user-generated media, you may fall within scope.
Marketing and Advertising Teams
Marketers running paid campaigns in Singapore must ensure ad creatives, landing pages, and tracking links comply with the scam-prevention rules. That includes using reputable link infrastructure. Tools like reputable URL shorteners with transparent domains, click analytics, and abuse controls reduce the risk of your links being flagged or blocked.
E-commerce and Marketplaces
Marketplaces must verify sellers, monitor listings for prohibited items, and provide effective complaint channels. Repeat-offender policies are now mandatory for designated services.
Publishers and Content Creators
Creators are not directly regulated as "platforms", but they can receive correction or takedown notices for their own content. Keeping records of sources and editorial decisions is now a practical necessity.
SMEs and Startups
Smaller businesses benefit from a proportionality principle: obligations scale with size and risk. However, all in-scope services must at minimum provide a reporting channel, respond to lawful directions, and avoid hosting egregious content.
User Rights Under the Act
The Act is not just about platform duties — it also strengthens rights for individuals in Singapore.
1. Right to Report Harmful Content
Any user can report content directly to the platform and, if unresolved, escalate to IMDA's online safety portal.
2. Right to Restoration
Users whose content is wrongly removed can request restoration and receive a reasoned decision within a defined period.
3. Right to Information
Users have the right to know when their content has been actioned, why, and how to appeal.
4. Protections Against Image-Based Abuse
Victims of non-consensual intimate images or deepfakes can request expedited takedown, with platforms required to act within 24 hours.
5. Protections for Children
Parents and guardians can request removal of content targeting or exposing minors, and platforms must offer parental controls where relevant.
Compliance Checklist for Businesses
Use the following steps as a starting framework. Larger organisations should complement this with formal legal advice.
- Scope your services. Identify which of your products fall within the Act's categories.
- Map your content flows. Document how user-generated content is created, moderated, and distributed.
- Update your terms and community guidelines. Align them with the Act's content categories.
- Implement a reporting mechanism. Ensure it is accessible, tracked, and auditable.
- Deploy age assurance where required. Choose proportionate measures aligned with your risk profile.
- Review advertising and link infrastructure. Ensure landing pages and shortened URLs are transparent and scam-safe.
- Train staff. Especially trust and safety, marketing, and customer support teams.
- Prepare transparency documentation. Start collecting the data you will need for annual reports.
- Establish a Singapore contact point. Designated services must appoint a local representative.
- Test incident response. Run a tabletop exercise for handling an IMDA direction.
How Singapore's Act Compares Internationally
Singapore's approach shares DNA with other major frameworks but has its own tilt toward scam prevention and rapid enforcement.
| Feature | Singapore OSA 2026 | UK Online Safety Act | EU Digital Services Act |
|---|---|---|---|
| Primary regulator | IMDA | Ofcom | European Commission + national DSCs |
| Max fines | SGD 1M or 10% turnover | £18M or 10% turnover | Up to 6% global turnover |
| Scam-specific duties | Extensive | Moderate | Limited |
| Age assurance | Risk-based | Highly proscriptive | Risk-based |
| Access blocking | Yes | Yes | Rare, last resort |
| Transparency reports | Annual for designated services | Annual | Bi-annual for VLOPs |
Practical Tips for Individuals
While the Act primarily targets platforms, everyday users can benefit by adopting a few habits:
- Use privacy-respecting browsers and encrypted DNS resolvers to reduce exposure to malicious domains.
- Verify shortened links before clicking — most reputable shorteners, including Lunyb, provide preview features or transparent branded domains.
- Enable multi-factor authentication on financial and social accounts.
- Report harmful content through the platform's official channels and, if needed, IMDA.
- Talk to children about online safety and use built-in parental controls.
What to Expect Next
IMDA is expected to publish detailed Codes of Practice through 2026 and 2027, covering topics such as generative AI content labelling, algorithmic transparency, and cross-border cooperation. Businesses should monitor consultations and participate where relevant. Enforcement will likely start with high-profile cases against services that fail to appoint local representatives or ignore takedown directives.
FAQ
Does the Singapore Online Safety Act 2026 apply to foreign companies?
Yes. The Act applies to any service accessible to users in Singapore, regardless of where the provider is headquartered. Designated foreign services must also appoint a local representative to receive directions and communications from IMDA.
Do small businesses and personal blogs need to comply?
Obligations are proportionate to size and risk. Personal blogs and small SMEs generally will not face the full designated-service regime, but they must still remove clearly illegal content when notified and provide a basic way for users to report problems.
How does the Act handle deepfakes and AI-generated content?
Deepfakes that impersonate real people for fraud, harassment, or election interference are treated as harmful content and subject to rapid takedown. Designated platforms are expected to deploy detection tools and label synthetic media where feasible, with more detailed rules coming through IMDA Codes of Practice.
What should I do if my content is wrongly removed?
You have the right to appeal to the platform, which must provide a reasoned response. If unresolved, you can escalate to IMDA's online safety portal. Keep records of the original content, timestamps, and any communications from the platform to support your appeal.
How can businesses reduce the risk of their marketing links being flagged?
Use reputable link infrastructure with transparent domains, click analytics, and abuse-prevention controls. Avoid free or anonymous shorteners commonly associated with spam. Solutions like Lunyb and other established URL shorteners provide the trust signals that scam-detection systems look for, reducing the likelihood of being blocked under the Act's scam-prevention provisions.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Data Protection Act 2018 Ireland: Complete Guide
A complete guide to Ireland's Data Protection Act 2018: how it interacts with the GDPR, the rights it protects, DPC enforcement powers, penalties, and the practical compliance steps every Irish organisation needs to take.
GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
Ireland hosts Europe's biggest tech companies, making the Data Protection Commission one of the world's most influential privacy regulators. This guide explains your eight core GDPR rights, how to make Subject Access Requests, and how to file complaints when your privacy is violated.
ICO Fines 2026: Biggest Data Protection Penalties in the UK
The ICO has continued to issue significant penalties in 2026, targeting cyber security failings, nuisance marketing, and unlawful biometric processing. This guide breaks down the biggest UK data protection fines of the year and how your organisation can stay compliant.
UK Data Protection Act vs GDPR Explained: Key Differences in 2026
The UK Data Protection Act 2018 and the GDPR are often confused, but they work together to protect personal data in Britain. This guide explains the key differences, overlaps, and what UK organisations need to do to stay compliant in 2026.