Malaysia Cybersecurity NACSA Licensed Service Provider: Who Needs It & How to Apply

dptc license malaysia cybersecurity 1 1024x683

Becoming a Malaysia cybersecurity NACSA licensed service provider is now a legal requirement for any company providing prescribed cybersecurity services under the Cyber Security Act 2024. Whether you operate a managed SOC, offer penetration testing, or provide incident response — if you’re a cybersecurity service provider in Malaysia, NACSA licensing directly affects your business.

What Is the Cybersecurity Service Provider (CSSP) License?

The Cybersecurity Service Provider (CSSP) License is a mandatory licence introduced under Malaysia’s Cyber Security Act 2024 (Act 854), which came into force on 26 August 2024. Regulated by the National Cyber Security Agency (NACSA), the licence applies to any individual or company providing prescribed cybersecurity services in Malaysia.

This is one of the most significant new compliance obligations for cybersecurity firms, managed security service providers (MSSPs), penetration testing companies, SOC operators, and incident response teams operating in Malaysia. Non-compliance carries penalties of up to RM 500,000 or imprisonment.

Why Was the CSSP Licence Introduced?

Before the Cyber Security Act 2024, Malaysia had no formal licensing regime for cybersecurity service providers. Any individual or company could offer cybersecurity services without meeting minimum competency, ethical, or security standards. The CSSP licence addresses this by:

  • Setting minimum technical competency requirements for cybersecurity practitioners
  • Creating accountability for service providers handling sensitive client data
  • Establishing NACSA as the national regulator for the cybersecurity services industry
  • Aligning Malaysia with international best practices (Singapore MAS, EU NIS2)
  • Protecting critical national information infrastructure (CNII) clients from substandard providers

Who Needs a CSSP Licence?

Under the Cyber Security Act 2024, any entity providing prescribed cybersecurity services in Malaysia must hold a valid CSSP licence. The prescribed services currently regulated include:

  • Penetration Testing / VAPT — vulnerability assessments and ethical hacking services
  • Security Operations Centre (SOC) Services — 24/7 monitoring, threat detection, incident response
  • Managed Security Services (MSS/MSSP) — outsourced security management
  • Digital Forensics — cyber crime investigation and evidence collection
  • Incident Response Services — emergency response to cyber incidents
  • Security Risk Assessment — formal risk and compliance assessments

If your company provides any of these services — even as a secondary offering — you are required to apply for the relevant CSSP licence category.

Types of CSSP Licences

NACSA issues CSSP licences in two main tiers:

  • Individual Licence — for independent cybersecurity practitioners and consultants
  • Company Licence — for organisations providing cybersecurity services as a business

Each licence is tied to specific service categories. A company providing both VAPT and SOC services must be licensed for both categories separately.

How to Apply for a CSSP Licence

NACSA opened the licence application portal on 1 October 2024. All applications are submitted electronically via licence.nacsa.gov.my.

The application process involves:

  1. Register on the NACSA licensing portal at licence.nacsa.gov.my
  2. Select your service category — choose the prescribed cybersecurity service type(s) you provide
  3. Submit supporting documents — company registration (SSM), staff certifications (CISM, OSCP, CEH, etc.), proof of technical competency, insurance documents
  4. Pay the licence fee — fee schedule published by NACSA (varies by category and licence type)
  5. Await NACSA evaluation — NACSA reviews applications and may conduct interviews or site visits
  6. Receive licence — valid licence is issued with a defined validity period (typically 1–2 years)

Key Compliance Obligations for Licence Holders

Once licensed, CSSP companies must comply with ongoing obligations under the Act:

  • Maintain technical standards — licensed staff must hold relevant certifications and undergo CPD
  • Report incidents — cybersecurity incidents affecting clients must be reported to NACSA within defined timeframes
  • Data handling standards — client data must be handled per PDPA 2010 and NACSA guidelines
  • Renew licence — licences must be renewed before expiry; late renewals attract penalties
  • Non-disclosure obligations — service providers must protect client confidential information
  • Cooperate with NACSA audits — NACSA has powers to inspect and audit licensed entities

Penalties for Non-Compliance

Providing prescribed cybersecurity services without a valid CSSP licence is a criminal offence under the Cyber Security Act 2024. Penalties include:

  • Individuals: fine up to RM 500,000 or imprisonment up to 10 years, or both
  • Companies: fine up to RM 500,000 per offence
  • Continuing offences: additional daily fines for each day the offence continues

What Does This Mean for Malaysian Cybersecurity Buyers?

If you are a Malaysian company buying cybersecurity services, the CSSP licence matters to you too. You should:

  • Always verify your cybersecurity vendor holds a valid CSSP licence before engaging them
  • Request proof of licence number and validity from any VAPT, SOC, or MSSP vendor
  • Include CSSP licence verification in your vendor due diligence checklist
  • Update your third-party risk management policy to reflect this regulatory requirement

Procuring services from an unlicensed provider could expose your organisation to regulatory scrutiny, especially if you are a National Critical Information Infrastructure (NCII) entity.

Simply Data CSSP Licence Status

Simply Data Sdn. Bhd. is fully compliant with Malaysia’s Cyber Security Act 2024 licensing requirements. Our SOC, MSSP, and VAPT services are provided under valid CSSP licences issued by NACSA. We are committed to maintaining the highest standards of professional conduct, technical competency, and data protection for all our clients.

Need to verify a cybersecurity vendor’s licence status or want to learn more about your compliance obligations? Contact our team for a free consultation.

Frequently Asked Questions

Malaysia Cybersecurity NACSA Licensed Service Provider: MyCERT and Incident Reporting

MyCERT (Malaysia Computer Emergency Response Team) plays a complementary role to NACSA in Malaysia’s cybersecurity governance ecosystem. Once you are a NACSA licensed service provider, your team is expected to coordinate with MyCERT during significant cyber incidents — particularly if your clients include CNII operators or regulated financial institutions. MyCERT provides technical incident response support and acts as the national point of contact for cybersecurity incidents affecting Malaysia.

Licensed cybersecurity service providers should maintain a formal working relationship with MyCERT: subscribe to their threat advisories, participate in national cyber exercises where invited, and ensure your incident response playbooks reference MyCERT escalation pathways as required under Malaysia’s national cybersecurity policy framework.

For financial sector organisations, Bank Negara Malaysia (BNM) RMiT guidelines strongly encourage engagement with NACSA-licensed cybersecurity service providers to ensure that critical security functions meet regulatory standards. This alignment between the NACSA licensing framework and BNM RMiT requirements creates a robust compliance foundation for Malaysian businesses operating in regulated industries.

About the Author: This article is written and reviewed by the Simply Data cybersecurity team — certified security professionals with expertise in Malaysian cybersecurity regulations, NACSA compliance, BNM RMiT, and enterprise security operations. Simply Data Sdn. Bhd. is a NACSA-licensed cybersecurity service provider based in Kuala Lumpur, Malaysia.

Do I need a CSSP licence to sell cybersecurity software or hardware?

No. The CSSP licence applies to companies providing prescribed cybersecurity services (VAPT, SOC, forensics, incident response, etc.), not those selling cybersecurity products, software, or hardware. However, if your company provides managed services alongside the product, the services component may require a licence.

What certifications does NACSA require for the CSSP licence application?

NACSA evaluates technical competency based on industry-recognised certifications. Accepted certifications typically include CISSP, CISM, CEH, OSCP, GPEN, CREST, and CompTIA Security+. The specific requirements vary by licence category. Check the NACSA licensing portal at licence.nacsa.gov.my for the latest requirements.

How long is a CSSP licence valid and how do I renew it?

CSSP licences are generally valid for 1–2 years. Renewal applications must be submitted before the expiry date via the NACSA licensing portal (licence.nacsa.gov.my). NACSA will notify licence holders in advance of their renewal deadline. Late or lapsed renewals may require a fresh application and attract penalties.