Cybersecurity regulation in Malaysia (2026)
Malaysia has a comprehensive, dedicated cybersecurity law: the Cyber Security Act 2024 (Act 854), which came into force on 26 August 2024 together with four subsidiary regulations. It establishes a National Cyber Security Committee, empowers the Chief Executive of NACSA, and imposes mandatory risk assessments, audits, incident reporting and service-provider licensing focused on National Critical Information Infrastructure (NCII). Separately, the amended PDPA introduced a mandatory personal-data breach-notification regime effective 1 June 2025.
Key points
The Cyber Security Act 2024 (Act 854) was gazetted on 26 June 2024 and came into operation on 26 August 2024, creating a National Cyber Security Committee (JKSN) and defining the powers of NACSA's Chief Executive and the roles of NCII sector leads and entities.
The Act centres on protecting National Critical Information Infrastructure across 11 vital sectors (including government, banking/finance, defence, healthcare, energy and transport), imposing duties such as mandatory cyber security risk assessments and audits within prescribed periods.
Under the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, NCII entities must give immediate electronic notification, an initial submission within 6 hours, and a supplemental report within 14 days; failure can lead to fines up to RM500,000 and/or imprisonment up to 10 years.
The Act is operationalised by four regulations: Notification of Cyber Security Incident; Period for Cyber Security Risk Assessment and Audit; Compounding of Offences; and Licensing of Cyber Security Service Provider Regulations 2024.
Providers of two prescribed services — managed security operation centre (SOC) monitoring and penetration testing — must hold a NACSA-issued licence; the regime applies to providers offering these services in Malaysia.
Separate from Act 854, the Personal Data Protection (Amendment) Act 2024 introduced mandatory breach notification effective 1 June 2025: notify the Commissioner within 72 hours and affected individuals within 7 days where there is a risk of significant harm; maximum fines were raised to RM1,000,000.
Timeline - major decisions & events
The PDPA amendment rolled out in three phases (1 Jan, 1 Apr, 1 Jun 2025), introducing mandatory 72-hour breach notification to the Personal Data Protection Commissioner, compulsory appointment of Data Protection Officers, direct Security Principle obligations on processors, and penalties up to RM 1 million per offence. This is the most significant expansion of cybersecurity compliance duties on private-sector data handlers since the PDPA's 2013 commencement.
Source: Personal Data Protection Department Malaysia
Malaysia's first standalone cybersecurity statute came into force alongside the Cyber Security (Notification of Cyber Security Incident) Regulations, the Risk Assessment and Audit Regulations, the Licensing of Cyber Security Service Provider Regulations, and the Compounding of Offences Regulations. NCII entities across 11 sectors must now conduct annual risk assessments, biennial audits, and report incidents to NACSA; cybersecurity service providers must hold a NACSA licence. Non-compliance attracts fines up to RM 500,000 and/or imprisonment.
Source: National Cyber Security Agency (NACSA)
The RansomHub ransomware group exfiltrated 316 GB of operational and corporate data from Prasarana, operator of Klang Valley's LRT, MRT and Rapid Bus network. The Personal Data Protection Commissioner launched a formal investigation, a high-profile test of PDPA enforcement against a government-linked company, and the incident occurred just one day before the Cyber Security Act entered force.
Source: Personal Data Protection Commissioner / Ministry of Digital Malaysia
Hacktivist group R00tK1T announced and executed a targeted campaign against Malaysian government agencies, national databases (including EPF and the Election Commission), and private firms, causing web defacements, data breaches, and unauthorised access before halting approximately one month later. The episode exposed gaps in pre-CSA 2024 incident-coordination frameworks and accelerated parliamentary passage of the Cyber Security Bill.
Source: MyCERT / CyberSecurity Malaysia
The MCSS 2020–2024, built around five strategic pillars (governance, legislative reform, cyber resilience, capacity building, and international cooperation) and 113 programmes, was launched by the government with a RM 1.8 billion budget. Its Pillar 2 explicitly called for sector-specific cybersecurity legislation, providing the direct policy mandate that produced the Cyber Security Act 2024.
Source: Majlis Keselamatan Negara (National Security Council)
NACSA was established in February 2017 as Malaysia's single national lead agency for cybersecurity policy, NCII protection, threat response, and international engagement, consolidating responsibilities that had been fragmented across MOSTI, CyberSecurity Malaysia, and the National Security Council. NACSA became the Chief Executive authority under the Cyber Security Act 2024.
Source: National Cyber Security Agency (NACSA)
Three years after enactment, the PDPA 2010 commenced in November 2013, making the Security Principle (requiring data controllers to take practical steps to protect personal data from loss, misuse, modification, and unauthorised access) legally enforceable. This was the first time statutory cybersecurity obligations applied broadly to private commercial entities in Malaysia.
Source: Personal Data Protection Department Malaysia
The National ICT Security and Emergency Response Centre (NISER), founded in 1997, was restructured and rebranded as CyberSecurity Malaysia under the Ministry of Science, Technology and Innovation, becoming the national technical agency for cybersecurity operations, the MyCERT incident-response centre, digital forensics, and cryptography accreditation, functions it retains today.
Source: CyberSecurity Malaysia
Malaysia became one of the first Southeast Asian nations to adopt a comprehensive National Cyber Security Policy, defining ten Critical National Information Infrastructure (CNII) sectors and establishing a whole-of-government protection framework. The NCSP anchored subsequent institutional developments including NACSA, and its CNII sector model was directly codified in the Cyber Security Act 2024.
Source: MyGOV, Government of Malaysia Official Portal
Act 588 entered force on 1 April 1999, creating a technology-neutral regulatory framework for converging ICT and broadcast industries. It imposed network-security obligations on licensees and established the MCMC as a regulator with enforcement powers over communications infrastructure, providing the first mandatory cybersecurity standards for network operators.
Source: Malaysian Communications and Multimedia Commission (MCMC)
Enacted as part of the Multimedia Super Corridor (MSC) cyber-law package alongside the Digital Signature Act 1997, the CCA 1997 criminalised unauthorised access to computer systems, data interception, data alteration, and misuse of computer programs. It established the foundational criminal liability framework for cybersecurity offences that remains in force today.
Source: MSC Malaysia (Attorney General's Chambers Cyber Laws Portal)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.