Malaysia Moves to Tighten Cybersecurity with New Draft Bill
Malaysia Introduces New Draft Bill to Strengthen Cybersecurity
Malaysia is moving to tighten its cybersecurity framework with a new draft bill that builds on the Cyber Security Act 2024. The proposed legislation signals the government's intent to close regulatory gaps and impose stricter requirements on businesses operating in the digital economy.
This development follows a year of record cybercrime losses — RM 2.97 billion in 2025 — and growing pressure on businesses to demonstrate cyber resilience. For Malaysian SMEs, understanding what this bill requires is essential to avoid compliance surprises.
What the New Bill Addresses
The draft bill is expected to expand the scope of cybersecurity obligations beyond the critical national information infrastructure (CNII) sectors covered by the Cyber Security Act 2024. This means more businesses — including mid-sized enterprises in finance, healthcare, education, and retail — may fall under mandatory cybersecurity requirements.
Key areas expected to be covered include mandatory cyber risk assessments, incident reporting timelines, minimum security standards for businesses handling personal data, and penalties for non-compliance.
The bill also aims to strengthen the authority of NACSA (National Cyber Security Agency) to coordinate national cyber incident response and to mandate information sharing between the private sector and government during major cyber events.
What This Means for Malaysian Businesses
Businesses that have not yet invested in cybersecurity compliance should begin preparing now. The combination of the existing Cyber Security Act 2024, PDPA amendments (72-hour breach notification, RM 1 million fines), and this new draft bill creates a regulatory environment where cyber negligence carries real financial and legal consequences.
Practical steps include conducting a baseline security assessment, documenting your incident response plan, ensuring staff receive regular cybersecurity awareness training, and engaging with a qualified security provider if you do not have in-house expertise.
Timeline and What to Watch
The bill is in the draft consultation phase. Businesses should monitor announcements from the Ministry of Communications and Digital (KKD) and NACSA for public comment periods and implementation timelines.
Key Takeaway
Malaysian businesses should not wait for the bill to pass. Start with PDPA compliance and a basic security assessment now — these requirements will only increase under the new legislation.
Frequently Asked Questions
Does this new bill replace the Cyber Security Act 2024?
No. It builds on the existing act by expanding the scope of regulated entities and introducing additional requirements. The Cyber Security Act 2024 remains in force.
Will SMEs be affected by the new cybersecurity bill?
It depends on the final scope, but the trend is clear — cybersecurity requirements are expanding beyond critical infrastructure to include more business categories. SMEs handling customer data are likely to be affected.
What should businesses do to prepare?
Start with a cyber health check, ensure PDPA compliance, document an incident response plan, and provide staff with phishing awareness training. These steps align with both current and anticipated requirements.
Need help with cybersecurity compliance?
Cyberkiz helps Sarawak SMEs meet PDPA and NIST CSF requirements.