At a glance
- Malaysia is centralising tech-governance by establishing bodies like the National AI Office (NAIO) and empowered agencies under the Cybersecurity Act 2024 to lead in AI, cyber and critical infrastructure.
- The country is shifting regulation from broad “move-fast” rules to more principle-based, flexible frameworks that balance innovation with trust and protection of society.
- Regional alignment is growing: Malaysia is moving to join global cybercrime conventions, and via its ASEAN chairmanship is pushing for shared tools on online safety and AI governance across Southeast Asia.
Share this insight
Introduction: Malaysia’s tech-governance context
Malaysia’s tech governance landscape in the first half of 2025 is built on existing progress from announcements and efforts made in 2024. The Communications and Multimedia Act (CMA), for example, is primed for enforcement with charges and investigations already made in 2025 on uploads for false statements.
On the other hand, the Online Safety Act is waiting for the Minister of Communications’ signature for the enforcement order. The practical details of implementation for the above laws are also discussed in public engagements, such as the consultation on the Regulatory Framework for the Retention, Preservation and Disclosure of Communications data.
Key Governance Trends
Meanwhile, the Cybersecurity Act is advancing through directives issued by the National Cybersecurity Agency (NACSA). This includes guidelines for cybersecurity service provider licenses, code of practice for critical information infrastructure (CII) leads, and CII cybersecurity audits.
In 2025, it is clear that the direction is heading towards doubling down on the developments made in AI and cybersecurity. On top of these key trends, there is also growing interest in Malaysia to strengthen the safeguards around ensuring that society benefits equitably from new innovative products and services.
These updates focus on both governance and policy trends. Two aspects that are closely related and shape Malaysia’s digital future in distinct ways. Policy refers to the specific laws and regulations guiding digital development, while governance encompasses the structures and processes through which these policies are designed and implemented. Considering both offers a comprehensive perspective on Malaysia’s digital transformation.
“In the face of fast-evolving technologies and limited institutional capacity, platforms are increasingly seen not just as regulated entities, but as potential partners in regime development.”
Major Policy Shifts
Centralising Cybersecurity Leadership
- The National Cybersecurity Committee outlined 2025 goals, which included updating Malaysia’s Cyber Security Strategy to 2025-2030, pursuing cryptography, and presenting a new cybercrime bill to replace the outdated Computer Crimes Act 1997. The National Cyber Security Strategy builds on the Cybersecurity Act passed in 2024, especially to refine a National Cyber Crisis Management Plan (NCCMP) for National Critical Information Infrastructure (NCII) response in the event of a cyberattack. Key stakeholders affected by current cybersecurity policies are mainly critical infrastructure operators. However, a Cyber Security (Exemption) Order 2025 was introduced in January for a number of cloud operators, prompting discussions about the uneven enforcement. Nonetheless, it is important to note that these technology companies remain accountable under Malaysian law and are expected to cooperate on issues concerning national security and public safety.
Institutionalising AI Governance
- The end of 2024 saw the launch of the National AI Office (NAIO), where the office has 7 deliverables by 2025. These are the AI Technology Action Plan 2026-2030, AI adoption Regulatory Framework, Acceleration of AI Technology Adaptation, AI Code of Ethics, AI Impact Study for Government, National AI Trend Report, and datasets related to AI technology. These deliverables and guidelines are expected to influence how AI developers and service providers operate. This is especially the case if datasets are made available, a code of ethics is mainstreamed, and regulatory frameworks mandate compliance. Additionally, the AI Impact Study for Government would look at strengthening government adoption of AI, while a technology action plan and technology adaptation plans would impact how AI is integrated across industries.
Meanwhile, discussions are underway on the AI Adaptation Regulatory Framework, which aims to address the use of AI in criminal activities. The initiative is expected to focus more on cooperation between the ministry and enforcement bodies, which may also lead to forming sectoral enforcement bodies or could require a separate overseeing institution.
Adopting International Commitments to Combat Cybercrime
- Malaysia seeks to accede to two international conventions by year’s end. These are the Council of Europe Convention on Cybercrime, also known as the Budapest Convention, and the United Nations Convention against Cybercrime.
To fully commit and participate in these international conventions, they have to be backed by local legislation. Thus, Malaysia has updated to a newer Cybercrime Bill, which includes provisions on the expansion of investigative powers and harmonising offences to international conventions. It is worth noting that some aspects of the international convention were also addressed in the amended CMA, especially on data retention in the case of investigations.
To fully commit and participate in these international conventions, they have to be backed by local legislation. Thus, Malaysia has updated to a newer Cybercrime Bill, which includes provisions on the expansion of investigative powers and harmonising offences to international conventions. It is worth noting that some aspects of the international convention were also addressed in the amended CMA, especially on data retention in the case of investigations
Key Policy Trends
Enhancing Cybersecurity and Quantum-Safe Infrastructure
- Malaysia’s updated National Cyber Security Strategy aims to cover areas such as (i) protecting critical infrastructure, (ii) strengthening governance and legal frameworks, (iii) building national and regional capacity, (iv) advancing research and innovation, and (v) fostering a cyber-aware society. The framework would be relevant to researchers, cybersecurity practitioners and innovators, and international diplomatic communities.
Malaysia is also concerned with quantum migration, especially where large-scale quantum computers could potentially decipher secure communications or banking transactions. Malaysia established the Malaysian Cryptology Technology and Management Centre through a collaboration between Universiti Putra Malaysia and the National Cyber Security Agency to fortify Malaysia’s mathematical capacity to produce stronger encryption. Quantum and cryptography would impact critical sectors, such as banks, telecommunications companies, and data operators.
AI Safety
- Discussions on AI and safety have also progressed. In the first quarter of 2025, the Minister of Digital shared an update on the AI adaptation framework. This update included the introduction of the AI Adaptation Guidelines for the Public Sector that articulated the principles of ethical AI, the steps to use AI in the public sector, and the risks of its adoption. The guideline also offers a self-assessment and checklist for the adoption of AI that asks the user to assess impact and install feedback loops.
Emerging Platform Regulations
- Another emerging regulation is the Gig Worker’s Bill, which aims to address four key areas, (i) definition of gig workers, (ii) mechanisms of earnings, (iii) mechanisms for disputes, and (iv) social protection. Initial conversations on the gig workers bill featured broad definitions of gig workers, where performing artists are captured alongside food and delivery riders in Malaysia. Additionally, there are also conversations for minimum wage, provisions for the Employees Provident Fund contributions, and to consider a retirement security plan for gig workers. The Bill is expected to impact gig workers and platform operators. It will be tabled as early as September 2025.
Regulation in line with the ASEAN Chairmanship
It would be remiss to mention Malaysia’s evolution of tech governance in 2025 without mentioning Malaysia’s ASEAN Chairmanship, themed “Inclusivity and Sustainability”. The Chairmanship has a number of deliverables for cyber and digital goals and governance.
The Kuala Lumpur Declaration on the Safe and Responsible Use of Social Media Platforms would be adopted during the 47th ASEAN Summit in October 2025 and could also include the mention of an ASEAN Toolkit for Online Safety. Such regional efforts could complement Malaysia’s tools to improve governance of digital spaces, such as the Social Media License, which has been in effect since January 1, 2025.
Secondly, the development of the ASEAN AI Safety Network strengthens governance and insights into the emerging technology. While the modality of the networks is still in discussions, it is expected to facilitate AI safety research, promote responsible development of AI, and scale safe and inclusive practices through partnership with private and public stakeholders.
Finally, the ASEAN Cybersecurity Cooperation Strategy 2026-2030 is also being developed, which could strengthen cross-border management of cybersecurity. This would set ASEAN’s regional goals for incident response, information sharing, and responsible state behaviour capacity.
Looking Ahead: on the Direction of Evolution
Malaysia’s recent digital ambitions are stated in the Malaysia Digital Economy Blueprint (MDEB), the National Fourth Industrial Revolution (4IR) Policy, and the 13th Malaysia Plan. These strategies aim to build Malaysia’s competitiveness in the digital sector, from semiconductors to software. Achieving this requires two components: trust and growth. Trust is built on good governance, digital transformation of the public sector, cybersecurity, and a digital safety ecosystem. Growth is possible with infrastructure, talent, and policies which enable digitalisation and participation in the digital economy.
By 2025, Malaysia should have completed the second phase of MDEB, which looks at digital adoption foundations and inclusive digital transformation. Meanwhile, the National 4IR Policy’s goal is to build digital awareness and adoption, on top of building the necessary foundations for creating an innovative ecosystem capable of harnessing the potential of the fourth industrial revolution. Building these foundations requires necessary governance mechanisms such as the Cybersecurity Act, holistic efforts to combat cybercrime, and effective methods to govern safety on platforms.
Moving forward, the policies would have to consider the 13th Malaysia Plan (RMK-13) goals, which further strengthen the country’s competitiveness in advanced technologies, specifically in AI. Thus, leadership in ASEAN on AI, AI safety goals, and strengthening AI governance institutions would be necessary to realise the vision of Malaysia as an AI nation.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
