Eighteen months after Prime Minister Shehbaz Sharif's October 2024 visit to Kuala Lumpur produced a clutch of bilateral IT and digital-economy memoranda, the strategic logic of that trip is becoming clearer. The Special Investment Facilitation Council (SIFC), Islamabad's civilian-military fast-track for foreign investment, has spent 2025-2026 leaning hard on Southeast Asian capital — and Malaysia, with its MyDigital Blueprint and the steadily expanding MyDigital ID scheme launched in beta in 2024, is being marketed inside Pakistan as the regional template to follow.
There is a genuine opportunity here. There is also a genuine risk. Pakistan has the demographic and engineering depth to build a first-rate digital public infrastructure (DPI) stack on top of NADRA's existing CNIC and Pak ID biometric base. But importing Malaysia's architecture without first fixing Pakistan's privacy, oversight, and interoperability gaps would lock in a system that maximises state visibility over citizens while doing relatively little to expand their access to services, credit, or trade.
What MyDigital ID actually is — and isn't
MyDigital ID, administered under Malaysia's Digital Ministry, is best understood not as a new identity card but as a federated authentication layer that lets citizens log in to government and selected private services using a verified, biometric-backed digital credential on a smartphone. Crucially, Putrajaya has — at least on paper — emphasised that MyDigital ID is opt-in, that participation is consent-based, and that the system is designed to sit alongside, rather than replace, the long-running MyKad national ID card. The MyDigital Blueprint frames the ID as one component of a broader push that also includes 5G rollout via the Digital Nasional Berhad single wholesale network, cloud-first government procurement, and digital-economy investment targets stretching to 2030.
That framing matters. It is a deliberate contrast with India's Aadhaar, where mandatory linkage to welfare, banking, and tax filings produced both extraordinary inclusion gains and a long-running constitutional litigation track culminating in the Supreme Court's 2018 Puttaswamy II judgment, which struck down several mandatory uses and reaffirmed privacy as a fundamental right. Malaysia is, in effect, trying to capture Aadhaar's economic upside while avoiding its coercion downside.
Why Islamabad finds this attractive
For SIFC and the Ministry of IT and Telecommunication, the appeal is straightforward. Pakistan's IT services exports have hit successive monthly highs through 2024 and 2025 — the State Bank of Pakistan's data shows the sector is one of the few reliable sources of foreign currency. NADRA already operates one of the largest civil registries in the developing world, with biometric coverage of the adult population well above many regional peers. Adding a smartphone-based authentication layer on top would, in principle, unlock e-KYC for fintech, simpler tax onboarding, and friction-free access to provincial e-services.
Malaysian vendors and government-linked companies — TM, Axiata, the MyDigital ecosystem partners — are well placed to help build that layer, and the October 2024 MOUs signalled exactly that direction of travel. Reported follow-ups in 2025 included cooperation on cloud, cybersecurity, and digital-economy workforce training.
The three things Pakistan must do first
A pro-innovation digital identity rollout is not an argument against digital identity; it is an argument for building the trust scaffolding before the scheme scales. Three priorities should come ahead of any large MyDigital-style deployment in Pakistan:
- Pass a credible data protection law. Pakistan's Personal Data Protection Bill has been sitting in parliamentary limbo since its 2023 cabinet approval. Without an independent regulator, statutory purpose limitation, and meaningful breach notification, a federated digital ID becomes a single point of surveillance failure rather than a single sign-on convenience.
- Make participation genuinely voluntary — and keep it that way. The single most important lesson from both Aadhaar and the European eIDAS 2.0 wallet debates is that the political economy of digital ID drifts inexorably toward mandatory linkage unless statute, courts, and regulators push back. Pakistan's enabling legislation should hard-code opt-in defaults and prohibit private services from refusing offline alternatives.
- Build for interoperability, not vendor lock-in. The MOSIP open-source identity stack now deployed in the Philippines, Ethiopia, Morocco, and elsewhere shows that countries can adopt international standards (W3C Verifiable Credentials, OpenID for Verifiable Credentials) without surrendering sovereignty to a single foreign supplier. Pakistan should insist any Malaysian-supported deployment uses open APIs and exportable data formats.
Avoiding the surveillance trap
Pakistan's recent track record on speech and platform regulation — the prolonged restrictions on X, the expanded Prevention of Electronic Crimes Act (PECA) amendments, and reported plans to route more online services through state-controlled gateways — should make every civil libertarian cautious about layering a powerful new identity rail on top of an opaque enforcement architecture. A MyDigital-style system in the hands of a state that has not first committed to proportionate content rules and an independent privacy regulator risks becoming a compliance chokepoint rather than an enabler.
Digital identity is infrastructure. Like any infrastructure, it amplifies whatever institutional culture surrounds it. Build it on top of weak rights protections and it will amplify those weaknesses.
The proportionate path forward
None of this is an argument for Pakistan to forgo the Malaysian partnership. The bilateral cooperation that came out of the Sharif visit could legitimately accelerate cloud adoption, cybersecurity capacity, and skills migration in both directions. But the sequencing matters. Pakistan should treat MyDigital ID as a useful reference architecture, not a turnkey import; pass the PDPB with genuine independence baked in; pilot Pak ID-based authentication in narrow, voluntary use cases (tax filing, optional fintech KYC) before any expansion; and make clear, in statute, that the digital credential is a convenience, not a permission slip to participate in Pakistani public life. Get that sequencing right and the Kuala Lumpur pivot becomes a genuine modernisation story. Get it wrong and Pakistan will have imported the hardware of a digital state without the software of a liberal one.