Singapore to mandate higher cybersecurity standards for residential routers by 2027
Senior Minister of State Tan Kiat How announced that all residential routers sold in Singapore must meet Cyber Labelling Scheme Level 2 standards by 2027 to combat rising cyberthreats and protect consumer privacy following thousands of device infections in 2025.
- Residential routers must upgrade from Level 1 to Level 2 of the Cyber Labelling Scheme by 2027 to ensure robust data authentication and secure storage.
- The mandate follows a 2025 security breach that saw over 2,700 digital devices, including baby monitors and routers, infected by malicious cyberactors in Singapore.
- Critical information infrastructure owners and auditors face new deadlines to achieve the highest tier of the Cyber Trust Mark for their non-critical supporting systems.
All residential routers sold in Singapore will be required to meet enhanced cybersecurity standards by 2027 to bolster national digital auctions. Senior Minister of State for Digital Development and Information Tan Kiat How announced the initiative on 02 March 2026.
Speaking at the ministry’s Committee of Supply debate, Tan Kiat How stated that the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) intend to raise minimum requirements to Cyber Labelling Scheme (CLS) Level 2.
The CLS framework currently operates on a scale from Level 1 to Level 4.
Under existing regulations, all home routers are only required to meet Level 1, which represents the most basic security tier for consumer hardware sold in the domestic market.
The transition to Level 2 requires manufacturers to incorporate more sophisticated security measures. These include enhanced protections for communications and sensitive data storage.
Devices must also feature robust authentication mechanisms to safeguard user privacy and personal data from external interference.
This policy shift aims to provide a more resilient defence for consumers against evolving cyberthreats.
It is designed to significantly reduce the risk of personal hardware being compromised or hijacked by malicious cyberactors for use in wider network attacks.
The government noted that this intervention follows a significant security trend observed in the previous year.
In 2025, cyberattackers successfully infected more than 2,700 digital devices across Singapore, with the affected hardware including both residential routers and baby monitors.
Tan Kiat How observed that when such personal devices are hacked, the privacy of citizens is compromised and daily activities are often disrupted. The government views these vulnerabilities as a direct threat to the digital well-being of the general public.
In addition to routers, Internet Protocol (IP) cameras have been identified as frequent targets for exploitation.
Consequently, the CSA is considering making it mandatory for these cameras to meet CLS Level 2 requirements to ensure a uniform standard of home security.
The CSA will maintain an ongoing review process to determine if further categories of digital devices should be brought under these mandatory minimum cybersecurity standards. This forms part of a broader strategy to harden the nation's digital infrastructure.
The cybersecurity upgrades extend beyond consumer hardware to include the management of critical information infrastructure (CII). Tan Kiat How confirmed that organisations managing such infrastructure will now be required to meet specific Cyber Trust Mark (CTM) requirements.
These organisations must obtain CTM Level 5 by the end of 2027.
This represents the highest tier of certification for non-CII systems under their control. These systems typically support essential business operations and services that facilitate daily economic activity.
Auditors of critical information infrastructure are also subject to the new timeline.
They have been given until the end of 2026 to obtain the CTM certification at an organisational level for systems supporting their internal business operations and services.
