Cyber Security Act 2024 Malaysia: What Every Business Must Know


What Is the Cyber Security Act 2024 (CSA 2024) Malaysia?

The Cyber Security Act 2024 Malaysia (CSA 2024) is Malaysia’s first standalone cybersecurity legislation, gazetted in mid-2024. It establishes a mandatory regulatory framework for cybersecurity in Malaysia, with the National Cyber Security Agency (NACSA) as the designated regulator. For businesses operating in Malaysia — whether in critical national information infrastructure (CNII) or otherwise — understanding CSA 2024 is no longer optional.

The Act introduces a formal licensing regime for cybersecurity service providers, mandatory incident reporting obligations, and significant penalties for non-compliance. With fines of up to RM 500,000 and potential imprisonment, Malaysian business owners and IT managers must act now to understand their obligations.

Who Does the Cyber Security Act 2024 Apply To?

The CSA 2024 applies to two broad groups: National Critical Information Infrastructure (NCII) entities and cybersecurity service providers operating in Malaysia.

Malaysia has designated 11 CNII sectors under the Act, including:

  • Government services and national defence
  • Banking and finance (including institutions regulated by Bank Negara Malaysia)
  • Transportation and logistics
  • Energy and utilities
  • Healthcare
  • Water services
  • Information and communications
  • Food and agriculture
  • Emergency services
  • Space (satellites, ground stations)
  • Digital economy services

If your organisation falls within any of these sectors, you are a CNII entity and must comply with the full suite of obligations under the CSA 2024, including mandatory cybersecurity assessments, incident reporting, and compliance with NACSA’s codes of practice.

Non-CNII businesses that provide cybersecurity services (such as managed security service providers, penetration testing firms, and security operations centres) must obtain a licence from NACSA under the Designated Prescribed Technology (DPT) licensing regime.

Key Obligations Under CSA 2024 Malaysia

1. Mandatory Cybersecurity Incident Reporting

CNII entities must report cybersecurity incidents to NACSA within a prescribed timeframe. The Act defines a cybersecurity incident broadly — covering unauthorised access, data breaches, service disruptions, and more. Failure to report is an offence attracting fines up to RM 500,000.

This reporting obligation aligns with Malaysia’s Personal Data Protection Act (PDPA) breach notification requirements, which also carry independent penalties. Organisations must ensure their incident response plan addresses both obligations simultaneously.

2. Cybersecurity Assessment and Audit Requirements

CNII entities must conduct periodic cybersecurity assessments and submit reports to NACSA. These assessments must be performed by licensed cybersecurity service providers (post-licensing regime implementation). The NACSA Cybersecurity Assessment framework covers governance, risk management, technical controls, and resilience capabilities.

3. Licensing for Cybersecurity Service Providers

Any company providing prescribed cybersecurity services in Malaysia must obtain a licence from NACSA. The 11 designated prescribed services include penetration testing, security operations centre (SOC) services, vulnerability assessments, digital forensics, and cybersecurity consulting. Operating without a licence is a criminal offence.

Simply Data Sdn. Bhd. operates in full compliance with Malaysian cybersecurity regulations and is pursuing the relevant NACSA licences under the CSA 2024 framework.

4. Codes of Practice and Standards Compliance

NACSA is empowered to issue Codes of Practice that CNII entities must comply with. These codes will cover areas such as access control, vulnerability management, security monitoring, and incident response — closely aligned with international standards like ISO/IEC 27001, NIST Cybersecurity Framework, and CIS Controls.

CSA 2024 Penalties — What Malaysian Businesses Risk

The penalties under CSA 2024 are significant and serve as a strong deterrent:

  • Failure to report an incident: Fine up to RM 500,000 and/or imprisonment up to 10 years
  • Operating without a NACSA licence (service providers): Fine up to RM 500,000 per offence
  • Non-compliance with an issued order: Fine up to RM 1,000,000 for organisations
  • Providing false information to NACSA: Criminal liability for individuals and organisations

These penalties apply in addition to those under the PDPA 2010 (as amended), BNM RMiT, and other sector-specific regulations.

CSA 2024 Compliance Checklist for Malaysian Businesses

Here is a practical step-by-step compliance checklist for Malaysian organisations:

  1. Determine your CNII status: Assess whether your organisation falls within the 11 designated CNII sectors. If yes, full compliance obligations apply.
  2. Review your cybersecurity service providers: Ensure vendors providing security services to your organisation are licensed under the CSA 2024 DPT regime (once implemented).
  3. Establish an incident response plan (IRP): Your IRP must include clear reporting workflows to NACSA within the required timeframe.
  4. Conduct a cybersecurity baseline assessment: Map your current security controls against NACSA’s expected framework requirements and identify gaps.
  5. Update governance policies: Revise your cybersecurity policy, acceptable use policy, and vendor management framework to reference CSA 2024 obligations.
  6. Train key personnel: IT, compliance, legal, and C-suite staff must understand CSA 2024 reporting obligations and penalties.
  7. Engage a licensed cybersecurity partner: Work with a licensed Managed Security Service Provider (MSSP) to ensure continuous compliance and monitoring.

Simply Data’s cybersecurity team can assist with all of the above — from gap assessments to managed SOC services aligned with CSA 2024 requirements. Contact us for a free consultation.

How CSA 2024 Relates to Other Malaysian Regulations

The CSA 2024 does not operate in isolation. It forms part of an evolving regulatory ecosystem for cybersecurity and data protection in Malaysia:

  • PDPA 2010 (amended 2024): Data protection obligations including mandatory breach notification — applies to all data processors handling personal data of Malaysian data subjects.
  • BNM RMiT: Technology risk management framework for financial institutions — highly aligned with CSA 2024 requirements for the banking and finance CNII sector.
  • Communications and Multimedia Act (CMA) 1998: Applies to licensees in the ICT sector, which is also a CNII sector under CSA 2024.
  • Securities Commission (SC) Cybersecurity Guidelines: Mandatory for capital market intermediaries, requiring alignment with CIS18 controls.

Organisations operating across multiple sectors face overlapping compliance obligations. A structured cybersecurity programme built on internationally recognised frameworks (ISO 27001, NIST CSF, CIS Controls) will address multiple regulatory requirements simultaneously.

Conclusion

The Cyber Security Act 2024 marks a significant shift in Malaysia’s cybersecurity regulatory landscape. CNII entities and cybersecurity service providers must act now to understand their obligations, assess compliance gaps, and implement the necessary controls. With penalties of up to RM 500,000 per offence, the cost of non-compliance far exceeds the investment in a robust cybersecurity programme.

Simply Data provides comprehensive cybersecurity services aligned with CSA 2024, PDPA, BNM RMiT, and ISO 27001 for Malaysian businesses. For the latest cybersecurity advisories and incident reporting in Malaysia, refer to MyCERT (Malaysia Computer Emergency Response Team). Learn more about our Managed SOC service or our VAPT and cybersecurity assessment services.

About the Author: This article is written and reviewed by the Simply Data cybersecurity team — certified security professionals with expertise in Malaysian cybersecurity regulations, NACSA compliance, BNM RMiT, and enterprise security operations. Simply Data Sdn. Bhd. is a NACSA-licensed cybersecurity service provider based in Kuala Lumpur, Malaysia.

Who must comply with the Cyber Security Act 2024 Malaysia?

The Cyber Security Act 2024 Malaysia applies to two main groups: (1) National Critical Information Infrastructure (NCII) entities across 11 designated sectors including banking, healthcare, energy, and government services; and (2) cybersecurity service providers offering prescribed services such as penetration testing, SOC operations, and digital forensics. NCII entities face mandatory incident reporting, cybersecurity assessments, and compliance with NACSA Codes of Practice. Cybersecurity service providers must obtain a NACSA licence to operate legally in Malaysia.

What are the penalties for non-compliance with Cyber Security Act 2024 Malaysia?

Penalties under the Cyber Security Act 2024 Malaysia are substantial. Failure to report a cybersecurity incident carries a fine of up to RM 500,000 and/or up to 10 years imprisonment. Operating as a cybersecurity service provider without a NACSA licence attracts a fine of up to RM 500,000 per offence. Non-compliance with a NACSA order can result in fines of up to RM 1,000,000 for organisations. These penalties are in addition to those under the PDPA and BNM RMiT.

Do SMEs need to comply with the Cyber Security Act 2024 Malaysia?

SMEs operating within the 11 CNII sectors (e.g., financial services, healthcare, or ICT) must comply with the Cyber Security Act 2024 Malaysia in full. SMEs outside CNII sectors are not directly mandated but should implement baseline cybersecurity controls, particularly if they process personal data under the PDPA or supply services to CNII entities. Working with a licensed MSSP helps SMEs build a compliance-ready security posture.