The Cyber Security Bill 2024 ("Bill"), aimed at enhancing the country's cybersecurity and strengthening the protection of the National Critical Information Infrastructure ("NCII") from cyber threats and incidents, was passed by the Malaysian Parliament in April 2024.
The Bill has since received royal assent and was gazetted as the Cyber Security Act 2024 (Act 854) ("CSA") on 26 June 2024, although it has yet to come into force, and will only take effect on a future date to be gazetted by the Malaysian Government. This is expected to occur by the third quarter of 2024.
Now that the CSA has been gazetted, businesses can expect the following to happen next:
- Publication of the Names of NCII Sector Leads
The Minister will designate one or more NCII Sector Leads for each of the identified 11 NCII Sectors, by publishing the names of the appointed NCII Sector Leads on the National Cyber Security Agency ("NACSA") website.
- Issuance of Subsidiary Regulations
The Malaysian Government and NACSA are currently developing subsidiary regulations to supplement the CSA, including:
  - the Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024, which will clarify the licensing requirements for cybersecurity service providers;
  - the Cyber Security (Compounding of Offences) Regulations 2024, which will identify the relevant offences under the CSA which are compoundable, and other ancillary procedural requirements;
  - the Cyber Security (Risk Assessment and Audit) Regulations 2024, which will clarify the requirements of cybersecurity risk assessment and audit that NCII Entities will be required to carry out under section 22 of the CSA; and
  - the Cyber Security (Cyber Security Incident Notification) Regulations 2024, which will set out further details regarding the cybersecurity incident notification obligation to the Chief Executive of NACSA and NCII Sector Leads imposed on NCII Entities.
- Preparation of Codes of Practice
Once the NCII Sector Leads for the identified 11 NCII Sectors are appointed, they will develop sector-specific codes of practice for their respective sectors that set out the minimum cybersecurity measures, standards and processes that NCII Entities must implement and comply with to protect their NCII.
All relevant businesses and stakeholders should stay abreast of developments relating to the implementation of the CSA, and initiate steps and allocate resources in preparation for compliance with the CSA.