On 3 April 2024, the Malaysian Parliament passed the Cyber Security Bill ("Bill"), which establishes a legal framework for the oversight and maintenance of national cyber security in Malaysia, while also strengthening the protection of National Critical Information Infrastructures ("NCIIs") against cyber security threats and incidents. The Bill achieves these objectives by:
- defining the regulatory and enforcement authority of the Chief Executive of the National Cyber Security Agency ("NACSA") over cyber security matters;
- establishing a framework for the designation of "NCII Entities" and clarifying the obligations of such Entities to proactively protect NCII owned or operated by them from cyber security threats and incidents; and
- regulating the provision of certain types of cyber security services through a new licensing regime.
In the Bill, NCIIs refer to computers or computer systems whose disruption or destruction would have a detrimental impact on Malaysia's economy, public safety, public order, or the effective functioning of the Government.
The framework established by the Bill enables entities that own or operate NCIIs in the 11 sectors identified in the Bill ("NCII Sectors") to be designated as "NCII Entities". The Bill identifies NCII Sectors to include (i) the Government, (ii) banking and finance, (iii) transportation, (iv) defence and national security, (v) information, communication and digital, (vi) healthcare services, (vii) water, sewerage and waste management, (viii) energy, (ix) agriculture and plantation, (x) trade, industry and economy, and (xi) science, technology and innovation sectors.
NCII Entities designated under the Bill are subject to various obligations, including:
- compliance with minimum security measures, standards and processes specified in sector-specific Codes of Practice to be drawn up pursuant to the Bill;
- fulfilment of cyber security incident notification obligations;
- conduct of cyber security audits and risk assessments for the NCIIs owned and operated by them;
- participation in cyber security exercises conducted by the Chief Executive of NACSA; and
- compliance with various directives issued under the Bill.