IMDA TS RG-SEC Issue 2: Singapore Router Security Update

Singapore Raises Router Security: IMDA TS RG-SEC Issue 2 Moves Residential Gateways to CLS Level 2

Singapore's Infocomm Media Development Authority (IMDA) has published Issue 2 of IMDA TS RG-SEC, the Technical Specification for Security Requirements for Residential Gateways, dated June 2026. The revised specification is the technical instrument that operationalises Singapore's decision to lift the mandatory cybersecurity baseline for home routers from Cybersecurity Labelling Scheme (CLS) Level 1 to CLS Level 2.

The headline change is straightforward but consequential: Issue 2 replaces the 2020 edition and now references the Cybersecurity Labelling Scheme for IoT Publication No. 4A, aligning residential gateway requirements with the CLS (IoT) Home Gateway Level 2 mandatory provisions. In practical terms, every home Wi-Fi router, fibre modem and broadband hub intended for sale and use in Singapore will eventually need to meet a materially higher security bar.

One point deserves emphasis up front, because it affects how teams should plan. The technical specification is published, but CLS Level 2 is not yet the mandatory requirement. CLS Level 1 remains the in-force baseline today. The transition to mandatory Level 2 is a stated policy target for end 2027, and the precise requirements and timing are still being finalised by IMDA and the Cyber Security Agency of Singapore (CSA) in consultation with industry.

Why Singapore Is Tightening Residential Gateway Rules

Residential gateways sit at the edge of every home network. If compromised, they give attackers a foothold to reach connected devices or to conscript the router itself into a botnet. That risk is no longer hypothetical for Singapore: in a 2025 global operation, more than 2,700 devices in Singapore, routers among them were found to have been infected and pulled into a worldwide botnet capable of launching distributed denial-of-service (DDoS) attacks.

Against that backdrop, the Government announced at the Ministry of Digital Development and Information (MDDI) Committee of Supply Debates in early 2026 that CSA and IMDA would raise the mandatory requirement for residential routers from CLS Level 1 to CLS Level 2, with the new requirements expected to come into force by end 2027. IMDA TS RG-SEC Issue 2 is the engineering specification that puts that policy into effect.

What the IMDA TS RG-SEC Issue 2 Update Actually Changes

Issue 2 supersedes Issue 1 (October 2020). The most significant structural change is the move from CLS Level 1 to CLS Level 2 as the referenced baseline, achieved by pointing to CLS for IoT Publication No. 4A. Clauses already covered by Publication No. 4A were removed from the body of the specification to avoid duplication, while requirements not fully addressed by Publication No. 4A were retained in TS RG-SEC and continue to apply in addition to not instead of the CLS baseline.

The security controls that the specification sets out for residential gateways include, in summary:

• Minimum password strength for administrative access: passwords of at least 10 characters meeting at least two of four complexity rules (uppercase, lowercase, digit, special character), with no consecutive identical characters and no reuse of the login ID as the password.

• Device pre-loaded settings: telemetry that sends network statistics back to the manufacturer must be disabled by default, and IPv6 tunnelling mechanisms (such as Teredo, 6to4 or ISATAP) must be disabled by default to close hidden communication channels.

• Authentication handling: unauthenticated access to the management interface is prohibited, accounts must lock after a set number of failed attempts, and a secure fallback authentication path must be available.

• Credentials handling: password fields must prevent copying, passwords must be masked on screen, and network management credentials (for example, TR-069 remote login data) must not be displayed on the management page.

• Firmware updates: patches must not contain hardcoded credentials and must be delivered over a secured connection.

• Data protection: encryption algorithms must be replaceable so stronger algorithms can be adopted without major device changes.

• CLS Level 2 compliance: the gateway must meet the CLS Level 2 baseline set out in CLS for IoT Publication No. 4A.

  
  

Conformity continues to be demonstrated through a Supplier's Declaration of Conformity, supported by the conformance/verification checklist in the specification's annex.

What This Means for Manufacturers

For manufacturers, importers and brand owners placing residential gateways on the Singapore market, the direction of travel is clear even while the enforcement date is still being confirmed.

• The bar is rising from Level 1 to Level 2. Products that comply with today's CLS Level 1 baseline will not automatically satisfy the new requirements. Level 2 adds stronger expectations around secure communications, secure storage of sensitive data and robust authentication.

• Design and procurement lead times are the real constraint. Hardware refresh cycles, firmware roadmaps and component decisions for models intended to remain on sale into 2028 should already account for Level 2 controls replaceable encryption, secure update delivery and credential handling are not last-minute firmware tweaks.

• Existing registrations are not a free pass. Models registered under the current baseline are likely to require re-assessment and re-declaration against the updated specification once Level 2 becomes mandatory.

• Re-export remains an option for non-compliant stock. Under the established framework, models that do not meet the specification can typically only be imported for re-export rather than local sale a pattern manufacturers should expect to continue.

• Monitor the consultation. Because IMDA has signalled that requirements and timing may still be adjusted through industry engagement, the safe planning posture is to design to Level 2 now and track IMDA/CSA notices for the confirmed effective date and any transition provisions.

  
  

Certification Impact Summary

Timeline and Required Actions

Regulatory timeline

• Oct 2020: IMDA TS RG-SEC Issue 1 published.

• May 2022: CLS Level 1 compliance and IMDA registration become mandatory for residential gateways sold for local use (after industry-requested extensions).

• Early 2026: Government announces, at MDDI Committee of Supply Debates, the move from CLS Level 1 to Level 2 by 2027.

• Jun 2026: IMDA TS RG-SEC Issue 2 published, referencing CLS for IoT Publication No. 4A (CLS Level 2).

• 2026–2027: Industry consultation; requirements and timing finalised by IMDA/CSA.

• End 2027 (target): Mandatory CLS Level 2 enforcement for residential routers. (See verification note on the precise date.)

  
  

Required actions for manufacturers and importers

1. Gap-assess current models against CLS Level 2 / Publication No. 4A and the retained TS RG-SEC Issue 2 controls.

2. Update firmware and security architecture to address authentication, masked/non-copyable credentials, disabled-by-default telemetry and IPv6 tunnelling, secure patch delivery, and replaceable encryption.

3. Plan re-registration of affected models with IMDA against the updated specification once Level 2 is mandatory.

4. Align product roadmaps so any model expected to remain on the Singapore market into 2028 is engineered to Level 2 from the next hardware/firmware revision.

5. Track IMDA and CSA notices for the confirmed effective date, transition window and any grandfathering of existing registrations.

6. Engage a CLS(IoT) testing laboratory early to scope the declaration-of-conformity evidence required for Home Gateway Level 2.