Malaysia's Cyber Security Bill 2024 — What Businesses Need to Know

6 min read · Cyberkiz

Malaysia's Cyber Security Act 2024 (Act 854) represents the most significant piece of cybersecurity legislation the country has ever enacted. Passed in Parliament and gazetted in June 2024, this law establishes a comprehensive framework for protecting the nation's critical infrastructure from cyber threats.

If your business operates in or supplies services to critical sectors, this law applies to you. Here is what you need to understand.

What Is the Cyber Security Act 2024?

The Act establishes the National Cyber Security Committee (NCSC), chaired by the Prime Minister, and empowers the Chief Executive of the National Cyber Security Agency (NACSA) to enforce cybersecurity standards across designated critical sectors.

Its primary focus is protecting National Critical Information Infrastructure (NCII) — the digital systems that underpin essential services Malaysians rely on daily.

Who Does It Apply To?

The First Schedule of the Act lists 11 NCII sectors:

  1. Government
  2. Banking and finance
  3. Transportation
  4. Defence and national security
  5. Information, communication and digital
  6. Healthcare services
  7. Water, sewerage and waste management
  8. Energy
  9. Agriculture and plantation
  10. Trade, industry and economy
  11. Science, technology and innovation

Each sector has a designated Sector Lead — a government agency responsible for identifying NCII entities within their sector and enforcing compliance.

The key point for SMEs: you do not need to be a large corporation to be affected by this law. The Act itself only designates the organisation that owns or operates an NCII system, but if you provide IT services, cloud hosting, managed security, software development or other digital services to an NCII entity, your systems and staff fall within the scope of that entity's risk assessments and audits, and you should expect the entity to pass its obligations down to you by contract.

Key Obligations

For NCII Entities

Organisations designated as NCII entities must:

  • Appoint a responsible person to oversee cybersecurity compliance
  • Conduct a cybersecurity risk assessment at least once a year, in accordance with the code of practice and any directives issued for their sector
  • Implement cybersecurity measures that meet the prescribed codes of practice
  • Notify the Chief Executive and their Sector Lead of cybersecurity incidents: under the 2024 incident notification regulations this means an initial electronic notification within 6 hours of becoming aware of the incident, followed by a full report within 14 days
  • Undergo a cybersecurity audit at least once every two years (or more often if directed), conducted by an auditor approved by the Chief Executive
  • Comply with directions issued by the Chief Executive, including during cyber crises

For Service Providers and Suppliers

If you provide a cybersecurity service that the Act's licensing regulations prescribe as licensable, you must hold a licence issued by NACSA. The two service types currently prescribed are managed security operations centre (SOC) monitoring and penetration testing. The licence requirement attaches to the service, not the customer: it applies whether or not your clients are NCII entities. In-house teams providing these services only to their own organisation or related companies are exempt. Providing a licensable service without a licence is an offence.

Penalties for Non-Compliance

The Act introduces serious penalties, and in each case the fine and the prison term can be imposed together. Failing to carry out the required risk assessments and audits, or to comply with the applicable code of practice or a directive, carries a fine of up to RM200,000, imprisonment of up to 3 years, or both. Failing to notify a cybersecurity incident is treated more severely: up to RM500,000, imprisonment of up to 10 years, or both. Providing a licensable cybersecurity service without a licence carries the same RM500,000 and 10-year maximum. Obstructing an authorised officer carries up to RM100,000, imprisonment of up to 2 years, or both.

For company directors and officers: where an offence is committed by a body corporate, each director, manager or similar officer is deemed to have committed it too, unless they can show that it was committed without their knowledge or consent and that they exercised due diligence to prevent it. Personal liability is the default, not the exception.

How It Relates to the PDPA 2010

The Cyber Security Act 2024 complements but does not replace the Personal Data Protection Act 2010 (PDPA). Key differences:

  • PDPA focuses on protecting personal data — how you collect, store, process, and share individuals' information
  • Cyber Security Act focuses on protecting critical infrastructure systems — the availability, integrity, and security of systems themselves

A business can be subject to both laws simultaneously. A ransomware incident at a hospital, for example, could trigger obligations under both the PDPA (for the patient data compromised) and the Cyber Security Act (for the NCII system that was breached), each with its own regulator, notification route and clock.

Implementation Timeline

The Act received Royal Assent in June 2024 and came into force on 26 August 2024. However, implementation is phased:

  • Sector Leads are progressively identifying and notifying NCII entities within their sectors
  • Codes of practice are being developed sector by sector
  • Licensing requirements for cybersecurity service providers are being rolled out
  • Full enforcement with audits and penalties is expected to be operational across all 11 sectors by end of 2026

What SMEs Should Do Now

1. Determine If You Are Affected

Ask yourself: do you supply digital services or products to any organisation in the 11 NCII sectors, and do those services touch systems the organisation depends on to deliver its essential service? If yes, you are part of the supply chain that the Sector Lead and the NCII entity are mapping, and your systems are likely to appear in that entity's risk assessment and audit scope.

2. Review Your Contracts

Check your existing contracts with government agencies, banks, hospitals, utilities, and telcos. New cybersecurity clauses are increasingly being inserted into procurement requirements.

3. Establish Basic Cybersecurity Hygiene

Even if you are not directly designated as an NCII entity, demonstrating cybersecurity maturity will become a competitive advantage when bidding for contracts in regulated sectors. Start with:

  • A documented cybersecurity policy
  • Regular vulnerability assessments
  • Incident response procedures
  • Staff awareness training
  • Access control and logging

4. Understand Your Incident Reporting Obligations

If you discover a cybersecurity incident affecting a client who is an NCII entity, that client's 6-hour notification clock starts when it becomes aware of the incident, which in practice often means when you tell it. Ensure your incident response plan names who notifies each regulated client, through which contact, and within what time, and that your contracts with those clients state the notification window you have committed to.

5. Consider Certification

Certifications such as CyberSecurity Malaysia's Cyber Security Trustmark or ISO/IEC 27001 signal to potential clients and regulators that your organisation takes security seriously, and they give an NCII entity's auditor independent evidence to rely on. Such certification is increasingly becoming a requirement for government tenders.


Need help with cybersecurity compliance?

Cyberkiz helps Sarawak SMEs meet PDPA and NIST CSF requirements. From Cyber Health Checks to Virtual CISO services.
