Singapore is preparing to tighten its mandatory cybersecurity requirements for residential routers, with the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) set to raise standards under the Cybersecurity Labelling Scheme (CLS). The move, announced during the Ministry of Digital Development and Information (MDDI) Committee of Supply Debates 2026, will require all locally sold residential routers to meet CLS Level 2 standards by the end of 2027. 

The decision reflects growing concern over the security of home network devices, which are targeted by cybercriminals. As gateways to household internet connections, residential routers can be exploited to infiltrate other connected systems within a home network or hijacked to participate in broader cyberattacks. Both the CSA and IMDA said the strengthened mandatory cybersecurity requirements are intended to address such cyber threats.  

Why CSA and IMDA Are Raising Mandatory Cybersecurity Requirements 

The policy shift follows Singapore’s participation in a global cybersecurity operation in 2025. During that exercise, authorities discovered that more than 2,700 devices in Singapore, including residential routers, had been compromised. These infected devices were part of a global botnet, a network comprising hundreds of thousands of everyday internet-connected devices that had been infiltrated with malicious software. 

Botnets are frequently deployed to conduct Distributed Denial of Service (DDoS) attacks, overwhelming targeted systems with traffic and disrupting services. The incident underscored how vulnerable home routers can become entry points for malicious cyber actors. According to CSA and IMDA, the findings highlighted the need to strengthen mandatory cybersecurity requirements beyond existing baseline protections. 

The Role of the Cybersecurity Labelling Scheme (CLS) 

Launched in 2020, the Cybersecurity Labelling Scheme rates the cybersecurity provisions of Internet-of-Things (IoT) devices using a tiered framework. The scheme was designed to give consumers greater visibility into the security standards of connected products while encouraging manufacturers to adopt stronger protection. 

As of mid-February 2026, 870 products had attained the CLS label. Currently, all residential routers sold in Singapore must comply with CLS Level 1 standards. These Level 1 mandatory cybersecurity requirements include unique default passwords, established vulnerability management processes, and regular software updates. 

While CLS Level 1 addresses fundamental vulnerabilities, CSA and IMDA have determined that these protections are no longer sufficient. Authorities noted that Level 1 standards, though effective against basic security gaps, do not adequately defend against more advanced attacks that exploit weaknesses in encryption protocols, authentication systems, and secure data storage. 

What CLS Level 2 Means for Manufacturers and Consumers 

Under the revised framework, CSA and IMDA will require residential routers to meet CLS Level 2 standards by end-2027. The upgraded mandatory cybersecurity requirements will introduce stronger protection designed to better protect user data and privacy. 

Manufacturers will need to implement secure communications protocols, ensuring that data transmitted through routers is properly encrypted. They must also provide secure storage for sensitive information and incorporate robust authentication mechanisms to prevent unauthorized access. These additional measures aim to reduce the likelihood of routers being compromised and recruited into botnets or used as entry points for broader network intrusions. 

By strengthening mandatory cybersecurity requirements to CLS Level 2, CSA and IMDA intend to close gaps that attackers exploit. The agencies emphasized that encryption, authentication, and secure storage are critical components in mitigating emerging threats. 

Implementation Timeline and Regulatory Coordination 

CSA is working closely with IMDA to update the regulatory framework governing residential routers. The new mandatory cybersecurity requirements are expected to take effect by the end of 2027, providing manufacturers with a transition period to align their products with CLS Level 2 standards. 

The agencies’ collaboration reflects a coordinated approach to digital infrastructure security. As connected devices continue to proliferate in homes, regulators are seeking to ensure that cybersecurity measures keep pace with technological adoption and the evolving tactics of malicious actors. 

The announcement at the MDDI Committee of Supply Debates 2026 signals the government’s broader commitment to strengthening national cyber resilience. By raising mandatory cybersecurity requirements under the CLS and working jointly through CSA and IMDA, Singapore aims to better protect households against complex cyber threats while maintaining clear, enforceable standards for device manufacturers.