Cybersecurity · Malaysia
Malaysia has a comprehensive, dedicated cybersecurity law: the Cyber Security Act 2024 (Act 854), which came into force on 26 August 2024 together with four subsidiary regulations. It establishes a National Cyber Security Committee, empowers the Chief Executive of NACSA, and imposes mandatory risk assessments, audits, incident reporting and service-provider licensing focused on National Critical Information Infrastructure (NCII). Separately, the amended PDPA introduced a mandatory personal-data breach-notification regime effective 1 June 2025.
The Cyber Security Act 2024 (Act 854) was gazetted on 26 June 2024 and came into operation on 26 August 2024, creating a National Cyber Security Committee (JKSN) and defining the powers of NACSA's Chief Executive and the roles of NCII sector leads and entities.
The Act centres on protecting National Critical Information Infrastructure across 11 vital sectors (including government, banking/finance, defence, healthcare, energy and transport), imposing duties such as mandatory cyber security risk assessments and audits within prescribed periods.
Under the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, NCII entities must give immediate electronic notification, an initial submission within 6 hours, and a supplemental report within 14 days; failure can lead to fines up to RM500,000 and/or imprisonment up to 10 years.
The Act is operationalised by four regulations: Notification of Cyber Security Incident; Period for Cyber Security Risk Assessment and Audit; Compounding of Offences; and Licensing of Cyber Security Service Provider Regulations 2024.
Providers of two prescribed services — managed security operation centre (SOC) monitoring and penetration testing — must hold a NACSA-issued licence; the regime applies to providers offering these services in Malaysia.
Separate from Act 854, the Personal Data Protection (Amendment) Act 2024 introduced mandatory breach notification effective 1 June 2025: notify the Commissioner within 72 hours and affected individuals within 7 days where there is a risk of significant harm; maximum fines were raised to RM1,000,000.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.