Technology, Media and Telecommunications
Malaysia’s technology, media and telecommunications (“TMT”) sector forms a central pillar of the country’s rapidly expanding digital economy. The sector encompasses digital technology companies, telecommunications infrastructure providers, media and content platforms, and cloud and data centre services that enable the modern digital ecosystem.
Driven by strong government policy support and growing regional demand for digital infrastructure, Malaysia has positioned itself as an emerging digital hub in Southeast Asia. The information and communications technology sector alone contributed approximately 25% of Malaysia’s economy in 2025, highlighting the scale and strategic importance of digital industries in the country.
Regulatory Landscape
The TMT sector in Malaysia is primarily governed by a multi-ministry framework, each overseeing a specific layer of the digital and communications ecosystem:
- Ministry of Communication (KM): Oversees the connectivity and content layers, managing national communication policies and media standards. It is responsible for the Communications and Multimedia Act 1998 (“CMA”) and provides policy direction to the Malaysian Communications and Multimedia Commission (“MCMC”) regarding telecommunications infrastructure and online safety.
- Ministry of Digital (KD): Leads the National Digital Agenda. It is the primary architect for cloud-first policies, sovereign data strategies, and artificial intelligence (“AI”) governance.
- Ministry of Domestic Trade and Cost of Living (KPDN): Regulates the commercial and consumer protection aspects of the digital economy. It oversees the Electronic Commerce Act 2006 (“ECA 2006”), providing legal recognition for electronic contracts and signatures and enforces the Consumer Protection (Electronic Trade Transactions) Regulations 2012, which mandates transparency for online businesses.
- Ministry of Investment, Trade and Industry (MITI): The lead for investment promotion. Through its agency, MIDA, it facilitates TMT-related foreign direct investment (FDI) and manages high-tech tax incentives.
Beyond the ministries, foreign investors must navigate specialised regulators that enforce the day-to-day technical and financial standards:
- Malaysian Communications and Multimedia Commission (“MCMC”): The central regulator for the industry. It manages telecommunications licensing, spectrum allocation, and enforces the Online Safety Act 2025, which requires platforms to mitigate harmful content.
- Securities Commission Malaysia (“SC”): Regulates digital assets, including Digital Currencies and Initial Exchange Offerings (IEOs), ensuring they comply with capital market standards. It also oversees Equity Crowdfunding (ECF) and Peer-to-Peer (P2P) financing platforms.
- National Cyber Security Agency (“NACSA”): Designated as the lead agency under the Cybersecurity Act 2024, responsible for supervising National Critical Information Infrastructure (NCII) entities across eleven (11) sectors, including banking, energy, and digital communications.
- Bank Negara Malaysia (BNM): Manages financial stability risks associated with digital assets and enforces the Risk Management in Technology (RMiT) policy for financial institutions and large merchant acquirers.
Technology and Digital Infrastructure
Cybersecurity Act 2024 (“CSA”) and the National Cyber Security Agency (“NACSA”)
The CSA came into force on 26 August 2024 and acts as Malaysia’s first ever cyber security legislation and aims to create a more comprehensive and encompassing legislative framework to combat cybercrimes.
Under the CSA, entities operating in certain sectors may be designated as national critical information infrastructure entities (“NCII Entities”). An entity is considered to have national critical information infrastructure if it has computers or computer systems which the disruption or destruction of would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or State Governments to carry out their functions effectively.
The CSA identifies 11 NCII Sectors including: (i) the Government, (ii) banking and finance, (iii) transportation, (iv) defence and national security, (v) information, communication and digital, (vi) healthcare services, (vii) water sewerage and waste management, (viii) energy, (ix) agriculture and plantation, (x) trade, industry and economy, and (xi) science, technology and innovation sectors.
The NACSA was set up under the purview of the National Security Council and prior to the coming into force of the CSA had limited regulatory purview and enforcement powers in relation to cyber security matters. Following the coming into force of the CSA, NACSA was designated as the lead cyber security agency in Malaysia. All NCII entities and licensed cyber security service providers must familiarise themselves with these developments to adhere to the CSA and its subsidiary regulations.
National Cloud Computing Policy (“NCCP”)
The Malaysian Ministry of Digital has introduced NCCP as a strategic framework to accelerate cloud adoption across public and private sectors, positioning Malaysia as a leading regional digital hub by 2030. The NCCP aligns with national initiatives such as MyDIGITAL and the Malaysia Digital Economy Blueprint, providing clear guidance for stakeholders to develop tailored cloud strategies and compliance measures.
The NCCP is built on five (5) core pillars including:
- Enhance Public Sector Transformation: Mandating cloud adoption to modernise government services and improve efficiency;
- Nurture Private Sector Growth: Driving innovation, investment, and collaboration while promoting sovereign cloud infrastructure and certification standards;
- Secure Data Protection: Strengthening cybersecurity, privacy controls, and compliance to build trust in cloud environments;
- Digital Inclusivity: Bridging the digital divide through affordable solutions, skills development, and expanded connectivity; and
- Environmental Sustainability: Encouraging green data centres and energy-efficient practices to support Malaysia’s low-carbon future.
To safeguard data, the NCCP introduces a four-tier classification system, prescribing security measures based on sensitivity, from public to confidential data, alongside compliance with sector-specific requirements and laws. The policy operates within Malaysia’s legal framework, referencing key statutes including the Cyber Security Act 2024, Personal Data Protection Act 2010, and Data Sharing Act.
The NCCP also sets out a framework for monitoring progress, incorporating stakeholder feedback, and ensuring compliance in cloud adoption across Malaysia.
The NCCP marks a significant step in establishing a whole-of-nation approach to cloud adoption and governance across Malaysia’s public and private sectors. It introduces a forward-looking framework designed to position Malaysia as a regional cloud and digital hub, while addressing key national imperatives such as data sovereignty, cybersecurity, innovation, digital inclusivity, and sustainability.
For businesses and cloud service providers, the NCCP provides clear guidance on compliance and consumer protection. They are encouraged to assess how the NCCP aligns with their operations and prepare for compliance and strategic opportunities.
AI Governance
The Government of Malaysia, through the Ministry of Digital, has announced the National Artificial Intelligence Action Plan 2026–2030, expected to be tabled in December 2025. The Plan builds on the existing Artificial Intelligence Governance and Ethics (“AIGE”) framework and forms part of a national strategy to support Malaysia’s objective of becoming an AI-driven nation by 2030.
In November 2025, the Digital Minister indicated that a dedicated AI Governance Bill is being drafted. Businesses operating in Malaysia, especially those within data-intensive and AI-enabled industries, should anticipate that both the Action Plan and the incoming Bill will function as a regulatory, governance, and operational framework applicable across government, societal, and industrial sectors.
Digital Economy and E-Commerce Laws
Several foundational statutes underpin lawful digital commerce and electronic transactions in Malaysia:
- Computer Crimes Act 1997 (“CCA”): The CCA is enacted to criminalise certain forms of conduct targeted at computers and the contents therein, including but not limited to, unauthorised access to computer material, unauthorised modification of the contents of a computer and wrongful communication of passwords. It also carries penalties ranging from maximum fines of RM25,000 to RM150,000 and/ or prison sentences of 3 to 10 years.
However, as of February 2026, the Government has announced a new Cybercrime Bill intended to replace the CCA entirely. This new legislation, expected to be tabled in 2026, aims to address modern technological gaps by: - Holistic Classification: Covering both “cyber-dependent” crimes (attacks on systems) and “cyber-enabled” crimes (fraud/scams via technology);
- AI and Deepfakes: Explicitly regulating the misuse of emerging technologies like Artificial Intelligence and deepfake technology in criminal activities; and
- Data Retention: Introducing new regulations on computer data retention to provide law enforcement with stronger investigative tools.
For foreign investors, this shift indicates a move toward a more robust and sophisticated enforcement regime that aligns with global standards for digital safety and IP protection.
- Digital Signature Act 1997 (“DSA”): The DSA allows for the development of, among others, electronic transactions, by providing an avenue for secure online transactions through the use of digital signatures. The legal recognition of digital signatures allows electronic communications to be transmitted securely, especially on the Internet. It provides an identity verification procedure using encryption techniques to prevent forgery and interception of communication. The DSA further specifies certain certification agencies which issue certificates containing the subscriber’s public key. A list of these certification agencies is provided on a register which can be inspected on the MCMC’s website.
The Ministry of Digital is currently revisiting the DSA to integrate it with the MyDigital ID framework. This will allow for more seamless, mobile-based digital signatures that maintain the highest level of legal non-repudiation while removing the need for physical tokens or complex desktop software.
- Electronic Commerce Act 2006 (“ECA”): The ECA provides legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfil legal requirements and to enable and facilitate commercial transactions via electronic means. It confers legal recognition to the formation of a contract via electronic means; recognises electronic messages and electronic signatures; and deems certain electronic documents to be considered original. It further states that the retention of documents in an electronic format fulfils the requirements of the law, provided certain qualifying criteria set out in the ECA are met.
In early 2026, a new Electronic Commerce Bill was tabled in Parliament to replace the 2006 Act. This new law is designed to align Malaysia with the UNCITRAL Model Law on Electronic Transferable Records (MLETR), which will finally allow for the legal digitalization of “transferable documents” like bills of lading and promissory notes, a massive win for logistics and fintech investors.
- Electronic Government Activities Act 2007 (“EGAA”): The EGAA mirrors the Electronic Commerce Act 2006 and was enacted to recognise the legal validity of electronic transactions and records to and from the Government.
- Consumer Protection Act 1999 (“CPA”): The CPA lays down consumer protection principles which applies to all business offerings or supplying services to one or more consumers in trade, including where transactions are conducted through electronic means such as the Internet. Crucially for digital investors, the recently upgraded Consumer Protection (Electronic Trade Transactions) Regulations 2024 impose stringent transparency mandates on e-commerce and cloud operators. Online platforms are now legally required to clearly disclose precise operator identities, detailed service characteristics, and transparent pricing structures to prevent information asymmetry and misleading conduct.
Digital Tax
Malaysia implemented the Service Tax on Digital Services (SToDS) effective 1 January 2020, imposing a service tax on foreign digital service providers supplying digital services to consumers in Malaysia. The service tax rate on digital services was initially set at 6% and was increased to 8% effective 1 March 2024, as announced in the 2024 Budget.
Foreign service providers whose annual revenue from digital services to Malaysian consumers exceeds RM500,000 within any rolling 12-month period are required to register as Foreign Registered Persons (FRP) with the Royal Malaysian Customs Department (RMCD). Digital services subject to SToDS include software and applications, digital content (music, e-books, films), online advertising and platforms, search engines and social networks, database and hosting services, internet-based telecommunications, online training, and subscription services.
Unlike many other jurisdictions, Malaysia’s SToDS applies to both business-to-consumer (B2C) and business-to-business (B2B) digital services.
Registered foreign digital service providers must also file quarterly returns (DST-02 Form) via the MySToDS system and remit service tax by the last day of the month following the end of each taxable period. Non-compliance may result in penalties of up to RM50,000 or imprisonment for up to three years, or both.
Bank Negara Malaysia (BNM) Regulations
BNM regulatory landscape is a sophisticated stack of interlocking policies that transform technical requirements into strict contractual obligations for data centre and cloud providers.
The revised Risk Management in Technology (RMiT) Policy Document, effective 28 November 2025, shifts the focus from simple compliance to “proactive resilience” by broadening its scope to include major non-bank acquirers and mandating a September 2027 deadline for “stand-in processing” capabilities. These updates are deeply integrated with the Policy Document on Business Continuity Management (BCM), which treats data centres as critical infrastructure and necessitates joint disaster recovery drills and documented exit strategies to prevent vendor lock-in and systemic disruptions.
For investors, these regulations “trickle down” directly into IT service agreements through the Policy Document on Outsourcing and the Management of Customer Information and Permitted Disclosures (MCIPD). This legal framework requires that contracts grant both financial institutions and BNM full physical audit and access rights to a provider’s premises and logs, regardless of whether the provider is a global hyperscaler. Furthermore, the MCIPD ensures that the financial institution remains legally accountable for data security, forcing providers to adopt robust “encryption-at-rest” models where the client retains control of cryptographic keys. Navigating this environment early allows foreign investors to align their operational models with Malaysia’s high standards for transparency and digital sovereignty.
Digital Currencies
Digital currencies are “digital money” used on the Internet, or a payment method which exists only in electronic form, including cryptocurrencies such as bitcoin.
Notwithstanding the fact that digital currencies have yet to be recognised as legal tender in Malaysia, digital assets are now regulated as securities under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, as amended by the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) (Amendment) Order 2025. This Order classifies digital currencies and digital tokens that meet certain criteria as securities, bringing them under the regulatory purview of the Securities Commission Malaysia (SC). Digital asset exchanges (DAXs) are required to be registered with the SC as Recognised Market Operators (RMO-DAX) and must comply with the SC’s Guidelines on Recognized Markets, most recently revised on 6 January 2025.
The SC maintains an Investor Alert List of unauthorised platforms and has taken enforcement action against unlicensed exchanges. All digital asset exchanges must implement robust anti-money laundering (AML) and counter-financing of terrorism (CFT) measures, including customer due diligence, transaction monitoring, and suspicious transaction reporting to BNM.
The policy document issued by BNM in February 2018 titled Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6) sets out, amongst others, the minimum requirements and standards that reporting institutions (i.e. any person offering services to exchange digital currencies) must observe when carrying out any one or a combination of the following types of activities:
- exchanging digital currency for money;
- exchanging money for digital currency; or
- exchanging one digital currency for another digital currency, whether in the course of carrying on a digital currency exchange business or otherwise.
BNM has stated that digital currencies are not legal tender in Malaysia but continues to monitor digital asset activities for financial stability risks. BNM announced in March 2025 its intention to explore asset tokenisation and digital asset technologies, with a discussion paper expected to be issued.
Initial Coin Offering (“ICO”) Schemes
ICO refers to fundraising activities / investment schemes through the issuance and sale of digital tokens, in exchange for investors paying for these tokens through cryptocurrencies.
ICOs in Malaysia are regulated through the Initial Exchange Offering (IEO) framework under the SC’s Guidelines on Digital Assets. Token issuers seeking to raise funds must do so through SC-approved IEO platforms. The SC reviews token offerings for compliance with disclosure norms, investment caps, and investor eligibility criteria before approval is granted.
IEO operators must also be registered with the SC and are required to conduct due diligence on issuers, including vetting business viability, financial standing, and team credentials. SC and BNM continue to issue joint cautionary statements reminding the public that digital assets are not legal tender and advising careful evaluation of risks associated with digital asset dealings. Members of the public are still advised to carefully evaluate the risks associated with dealings in digital assets.
In June 2025, SC issued Public Consultation Paper No. 3/2025 proposing amendments to the Guidelines on Recognized Markets relating to digital asset exchanges, including proposals to liberalise the digital asset listing process, increase capital requirements to RM15 million, and enhance client asset safeguarding requirements. The consultation period closed on 11 August 2025.
Equity Crowdfunding (ECF) and Peer-To-Peer Financing (P2P)
Crowdfunding refers to the practice of funding projects or ventures by raising money from members of the public via the Internet. The current methods of crowdfunding are through equity crowdfunding (ECF) and peer-to-peer lending (P2P).
ECF allows members of the public to invest in a company (usually SMEs) in exchange for equity or shares in the company; whereas P2P allows members of the public to lend money to individuals or businesses, which is repaid back at fixed intervals with interest included. Both ECF and P2P are offered and facilitated through online platforms.
In Malaysia, ECF and P2P platforms are regulated by the SC under the Guidelines on Recognized Markets, which has been revised multiple times since its initial issuance on 11 December 2015, with the most recent revision being the 13th Revision dated 6 January 2025. Malaysia was the first country in the ASEAN region to implement a regulatory framework for ECF and P2P financing, through the SC Guidelines on Recognized Markets.
Any person who operates ECF and/or P2P platforms without prior authorisation from the SC may be held liable under section 7 of the Capital Markets and Services Act 2007, which carries a maximum fine of ten million ringgit and/or imprisonment term not exceeding ten years.
As of 2025, the key requirements for ECF and P2P platforms include:
- ECF Platforms:
- ECF operators must be locally incorporated companies with a minimum paid-up share capital of RM5.0 million.
- Issuers may raise a maximum of RM20 million through ECF platforms in their lifetime.
- Investment limits: Sophisticated investors (no limit); Angel investors (RM500,000 within a 12-month period); Retail investors (RM10,000 per issuer, with an aggregate limit of RM50,000 within a 12-month period).
- P2P Platforms:
- P2P operators must be locally incorporated companies with a minimum paid-up capital of RM5 million.
- Retail investors are encouraged to limit their investments to a maximum of RM50,000 at any one time.
The SC has introduced a secondary trading framework for ECF and P2P to provide exit mechanisms for investors, and tax incentives are available for qualifying individual investors in ECF, including an exemption of up to 50% of the total investment made (not exceeding RM50,000 for each year of assessment) for investments made between 1 January 2021 and 31 December 2026.
In 2025, the NIMP2030 Co-Investment Fund (CoSIF) was launched, allocating RM131.5 million to support fundraising campaigns by SMEs and Mid-Tier Companies through ECF and P2P platforms in sectors identified under the New Industrial Master Plan 2030.
Media
Content Regulations
The MCMC has issued the Malaysian Communications and Multimedia Content Code (“Content Code“) which encourages self-regulation by members of the industry in its implementation. The general principle behind the Content Code is to ensure that content shall not be indecent, obscene, false, menacing or offensive. Although compliance with the Content Code is not mandatory, compliance with the Content Code shall be a defence against any prosecution, action or proceeding of any nature, whether in court or otherwise, taken against any person who is subject to the Content Code regarding a matter dealt with in the said Code. Further, the MCMC may direct a person or class of persons to comply with the Content Code.
On 30th May 2022, the Third Edition of the Content Code was released and registered with the MCMC, replacing the Content Code 2020. Key changes include:
- Expansion of the Content Code’s application to include online service providers;
- Introduction of new provisions addressing online abuse, gender-based violence, and protection of persons with disabilities;
- Improved scope, standards and guidelines for the regulation of advertisements and consumer protection; and
- Refinement of provisions on indecent content, use of women, children, religion, cosmetic, financial products and intoxicating liquor in advertisements, and the complaints procedure for content disseminated over electronic networks.
The Communications and Multimedia Content Forum (CMCF) has since initiated a review of the Content Code. Public consultation concluded on 31 May 2025, and a revised draft Content Code is being prepared, with the potential for a second round of public consultation. Once finalised, the revised Content Code will be approved by and registered with the MCMC.
Under the CMA Amendment Act, MCMC’s enforcement powers in relation to content were significantly expanded: Section 211 was amended to apply exclusively to Content Applications Service Providers (“CASPs”) and the prohibited content standard was raised from “offensive” to “indecent, obscene, false, menacing, or grossly offensive”. The new Section 211A additionally empowers MCMC to direct a CASP to suspend its services for a specified period for contraventions of content requirements or licensing conditions relating to content.
Online Safety Act 2025 (“ONSA”)
The ONSA came into force on 1st January 2026. ONSA shifts and imposes the responsibility of protecting users from harmful content (i.e., content that promotes the use or sale of dangerous drugs) and priority harmful content (i.e. child sexual abuse material) onto licensed network service providers, applications service providers and content applications service providers (“Service Providers”) who provide applications services and content applications services which utilise the internet.
Under ONSA, Service Providers will be required among other things to implement measures to mitigate the risk of exposure to harmful content, protect the online safety of child users and establishing mechanisms to report harmful content, obtain user assistance and make prioritised harmful content inaccessible.
MCMC may impose a financial penalty of up to RM10 million for non-compliance with duties under the ONSA. Failure to comply with the prescribed timeframes under the Online Safety (Period) Regulations 2025 is a separate offence carrying a fine of up to RM1 million. An Online Safety Appeal Tribunal has been established to hear appeals against MCMC decisions under the ONSA.
Cyber Courts
The Malaysian Cyber Courts were launched in September 2016 to regulate cyber activities and in particular, to address the increasing number of civil and criminal cyber offences. Although the court is currently restricted to hearing only cases relating to cybercrimes, its jurisdiction is expected to be expanded to include hearing civil cases as well.
Telecommunications and Network Infrastructure
Regulatory Framework
The communications and multimedia industry in Malaysia operates under a convergence regulation model, meaning the boundaries between telecommunications, broadcasting, and computing are managed under a single, streamlined regulatory framework. This model is governed by two primary statutes: the Malaysian Communications and Multimedia Commission Act 1998 (“MCMC Act”) and the CMA.
The main legislation governing this sector is the CMA, which sets out the regulatory licensing regime within the TMT sector. The CMA has been in force since 1 April 1999 and serves to repeal the Telecommunications Act 1950 and Broadcasting Act 1988.
The licensing regime propounded within the CMA mainly functions to control the entry of market players within the industry. However, the rather broadly worded CMA is expanded upon and more clearly spelt out within the numerous guidelines, regulations and plans issued by MCMC, which are to be read together with the Acts, including but not limited to the CMA and MCMC Act.
One of such examples is MCMC’s publication of the Number and Electronic Addressing Plan (“NEAP“) which governs matters pertaining to numbering and electronic addressing. To elaborate, the NEAP serves to ensure the proper and efficacious allocation, distribution and use of land line numbers, mobile numbers, IP telephony numbers, domain names, amongst others, which are considered as national resources that are scarce and finite in amount. Requirements for the approval of the four categories of licences issued by MCMC, which shall be elaborated in further detail below, are also addressed within the NEAP.
The CMA provides the general terms of the licensing regime required. The specific provisions relating to licensing are contained in the Communications and Multimedia (Licensing) Regulations 2000 (“Licensing Regulations“) which needs to be read together with the Communications and Multimedia (Licensing) (Exemption) Order 2000 (“Exemption Order“). The Licensing Regulations sets out in detail, the requirements and procedures to be complied with in order to obtain specific licences. The Exemption Order exempts certain specified activities and services from the requirement to obtain a licence under the CMA.
Licensable Activities
The four (4) categories of licensable activities are described below.
- Network Facilities Provider (“NFP”)
These are the owners of facilities such as earth stations, broadband fibre optic cables, telecommunications lines and exchanges, radio-communications transmission equipment, mobile communications base stations and broadcasting transmission towers and equipment. They are the fundamental building block of the convergence model upon which network applications and content services are provided. - Network Services Providers (“NSP”)
Parties who provide the basic connectivity and bandwidth to support a variety of applications are required to obtain an NSP licence. Network service enables connectivity or transport between different networks. A network service provider is typically also the owner of the network facilities. However, these services may also be provided by a person using network facilities owned by another. - Applications Service Providers (“ASP”)
ASPs are parties who provide particular functions such as voice services, data services, content-based services, electronic commerce and other transmission services. Application services are essentially the functions or capabilities, which are delivered to end-users.
Since 2025, ASPs include social media services, such as YouTube, WhatsApp and Facebook. While social media services were previously exempt from the licensing requirements, the recent amendments under the Communications and Multimedia (Licensing) (Exemption) Order 2000 [P.U. (A) 125/2000] and the use of the deeming provision under Section 46A of the CMA meant that all social media services with over 8 million users in Malaysia are automatically deemed to be licensed under the ASP (Class) Licence. - Content Applications Services Providers (“CASP”)
The CASP licence is for a special subset of application service providers, including traditional broadcast services and online publishing and information services. “Content applications services” are defined as applications which provide sound, text, still picture, moving picture or other audio-visual representation, tactile representation or any combination of the preceding which is capable of being created, manipulated, stored, retrieved or communicated electronically. Across these four categories, the CMA provides for the issuance of two different types of licences, i.e. individual licences and class licences. Generally, an individual licence is granted to providers of services or owners of facilities who are subject to a high degree of regulatory control. For example, the services rendered or the facilities owned by the applicant has national and/or social significance; or there is a need to control market entry, to establish the conditions of operation, or to limit the scope of the licensed activities (i.e. whether there are existing exclusivities, guarantees or other arrangements which must be preserved). A class licence, on the other hand, is relevant to services and facilities which are comparatively minor in nature. It is therefore subject to light-handed regulation and requires only the endorsement of the MCMC on registration notices submitted by the applicants.
The licence application procedure is quite simple. Applications for individual licences are made by completing and submitting a prescribed application form together with any documents that may be requested for by the MCMC and the prescribed licence fee. Individual licences are issued for ten years. In contrast, class licences are valid for only one year and need to be applied for through submitting a prescribed registration notice together with the licence registration fee.
In relation to individual licences, it should be noted that all ASP individual licences have ceased to be valid and new ASP individual licences are no longer issued. Licensees previously holding a valid ASP individual licence and providing licensable applications services must register for an ASP class licence.
Spectrum
Under the Communications and Multimedia Act 1998 (CMA), the Minister responsible for communications and multimedia is empowered to make regulations in relation to technical regulation, including the procedures and charging mechanisms for the assignment of spectrum rights. In the same vein, the Malaysian Communications and Multimedia Commission (MCMC) may develop a spectrum plan for all or part of the spectrum. The Spectrum Plan specifies, among other things, the division of frequency bands for specified uses and the procedures for the assignment of spectrum (for example, by auction, tender or fixed price application), together with any applicable conversion arrangements. MCMC periodically issues revised Spectrum Plans to accommodate evolving technological and market requirements; the current Spectrum Plan 2022 supersedes and revokes the May 2017 Spectrum Plan, which had previously revoked the December 2014 plan.
For spectrum assignments, the Minister may determine that certain frequency bands are to be allocated or reallocated, taking into account recommendations from MCMC, while MCMC is responsible for issuing spectrum assignments that confer rights on persons to use the specified bands. Earlier reallocations of the 900 MHz and 1800 MHz spectrum, for example, were implemented via 2016 ministerial determinations and corresponding specified spectrum assignments; subsequent decisions have since been made in relation to other bands and renewed assignments as Malaysia’s 4G and 5G landscape has evolved.
As prescribed under the CMA, assignments shall be valid for a period of up to twenty (20) years or less as may be specified in the spectrum assignment.
Access Obligations
In promoting an “any-to-any” connectivity network and in order to create a level playing field for the benefit of consumers, regulatory intervention is required to allow competitors access to each other’s network, facilities or services. To this end, the MCMC has put in place three categories of determinations to regulate access obligations among CMA licensees: the Determination on the Access List; the Mandatory Standards on Access; and the Mandatory Standards on Access Pricing.
The Access List lists out the type of services and/or facilities that are regulated by the MCMC which places an obligation on certain licensees (“Access Provider“) to provide access or interconnection to other licensees (“Access Seeker“) and these licensees would be subject to the Mandatory Standards on Access. The Mandatory Standards on Access sets out the minimum standards that are expected in an Access Agreement which governs the relationship between an Access Provider and an Access Seeker to a facility or service. It also sets out certain obligations in relation to non-discriminatory practices, negotiation processes, operational standards and also a dispute resolution process. Further, Access Providers would also be subject to Access Pricing which specifies the wholesale prices that can be offered to an Access Seeker.
Communications and Multimedia (Amendment) Act 2025 (“CMA Amendment Act”)
The CMA Amendment Act introduced significant amendments reflecting the Malaysian government’s commitment to combating cybercrime, ensuring online safety, and addressing network security risks.
Key amendments include:
- Introduction of Section 46A, which allows the Minister of Communications to dispense with the formality of registration under a class licence by declaration, enabling the automatic licensing of social media platforms and messaging services with at least 8 million registered users in Malaysia under the ASP(C) licence from 1 January 2025.
- Replacement of the registration system for access agreements with a lodgement system under the amended Section 150, requiring access agreements to be submitted to MCMC within 30 days of execution.
- Amendment of Section 211 to apply only to Content Applications Service Providers (“CASPs”) and to restrict prohibited content to “indecent, obscene, false, menacing, or grossly offensive” content (replacing the previous “offensive” standard).
- Introduction of Section 211A, empowering MCMC to direct a CASP to suspend its services for a specified period in cases of contravention of content requirements, breach of licensing conditions relating to content, or non-compliance with ministerial or MCMC instruments relating to content.
- Significant amendments to Section 233, expanding prohibited content to include “grossly offensive” content and communications made with intent to commit fraud or dishonesty. The amendments introduce detailed explanations of prohibited content categories including obscene, indecent, false, menacing, and grossly offensive content.
- Introduction of Section 233A, specifically prohibiting the sending of unsolicited commercial electronic messages. MCMC has published a public consultation paper on unsolicited commercial electronic messages to develop a practical mechanism for implementing Section 233A, with feedback sought until 27 August 2025.
Incentives in the TMT sector
The Malaysian government recognises the importance of the TMT sector and has introduced several incentives for industry players.
Malaysia has transitioned from the 26-year-old MSC regime to the Malaysia Digital (MD) initiative, a revamped framework designed to be more agile and location-independent. Unlike the old system, MD Status companies are no longer restricted to specific “Cybercities” and can now operate from any location in Malaysia while retaining a refreshed set of Bills of Guarantee (BoGs). These guarantees include the freedom to source global talent, 100% foreign ownership, and protection against local data-residency requirements, creating a secure and flexible legal environment for international data centre operators and hyperscalers.
For investors, the most significant draw is the Malaysia Digital Tax Incentive, which was further enhanced in late 2025 to support the “AI-Ready” push. This incentive offers a tiered system where eligible companies can choose between a Reduced Tax Rate (RTR) as low as 0% for intellectual property income, or an Investment Tax Allowance (ITA) of up to 100% on qualifying capital expenditure. By coupling MD Status with the Digital Ecosystem Acceleration (DESAC) scheme, investors can effectively offset their massive infrastructure costs while benefiting from MDEC’s streamlined “Green Lane” for fast-tracked immigration and utility approvals.
Conclusion
Malaysia’s TMT sector continues to expand against a backdrop of strong policy support, rising digital investment and increasingly sophisticated regulation. The sector is benefiting from sustained government focus on digital infrastructure, cloud adoption, online safety, cybersecurity resilience and innovation-led growth, all of which reinforce Malaysia’s position as an increasingly important digital market in Southeast Asia.
At the same time, the regulatory landscape is becoming broader and more layered. Market participants must navigate not only core telecommunications and media laws, but also evolving requirements relating to cybersecurity, online platforms, consumer protection, digital taxation, financial regulation and data governance. For foreign investors, the opportunity is significant, but so too is the need to understand how these overlapping rules apply in practice, particularly where a business model cuts across multiple regulated areas.
Against this backdrop, early assessment of licensing requirements, regulatory approvals, tax incentives and compliance obligations will often be critical to a smooth market entry and efficient project execution. Investors who are able to align their commercial strategy with Malaysia’s regulatory and policy direction will be better placed to take advantage of the country’s growing role as a regional digital and infrastructure hub.
Contribution Note
This chapter of the Guide to Doing Business in Malaysia was authored by the Partners listed, with the assistance of Illi Syazwani (Senior Associate, Christopher & Lee Ong) and Sarah San (Associate, Christopher & Lee Ong).
For more information, click here to read more Doing Business Guide.
Notice
The contents of this Guide are owned by CLO and subject to copyright protection under the laws of Malaysia and, through international treaties, in other countries. No part of this Guide may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose) without the prior written permission of CLO.
Please note also that whilst the information in this Guide is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice for any particular course of action as such information may not suit your specific business or operational requirements. It is to your advantage to seek legal advice for your specific situation.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
