CSA, IMDA mandate Level 2 cyber labels for routers to thwart botnets

The move follows a 2025 breach where over 2,700 devices were compromised.

The Cyber Security Agency of Singapore and the Infocomm Media Development Authority (IMDA) will raise mandatory cybersecurity requirements for residential routers from the Cybersecurity Labelling Scheme (CLS) to Level 2 by 2027.

Under CLS Level 2 requirements, manufacturers need to ensure that residential routers incorporate stronger security measures.

Key measures include secure communications, secure storage of sensitive data, and stronger authentication mechanisms to better protect users' data and privacy.

The scheme, launched in 2020, rates the cybersecurity levels of Internet-of-Things devices through a tiered labelling system. As of mid-February 2026, 870 products have attained the CLS label.

Currently, all residential routers sold must meet Level 1 requirements, such as having unique default passwords, vulnerability management processes, and keeping software updated.

Residential routers are common targets for cyber attackers, as they can provide access to home networks or be used as bots to launch attacks on other systems, according to the IMDA in a press release.

In 2025, a global operation found that attackers had infected over 2,700 Singapore devices, including routers.

The new measure was announced at the Ministry of Digital Development and Information Committee of Supply Debates 2026.