When Malaysia's Cyber Security Act 2024 (Act 854) came into force on 26 August 2024, it marked the country's first horizontal cybersecurity statute, a long-awaited successor to the patchwork of sectoral guidelines that had governed digital risk since the 1990s. The Act establishes the National Cyber Security Committee, empowers the National Cyber Security Agency (NACSA) as the lead regulator, and obliges entities designated as National Critical Information Infrastructure (NCII) across eleven sectors (government; banking and finance; transportation; defence and national security; information, communication and digital; healthcare services; water, sewerage and waste management; energy; agriculture and plantation; trade, industry and economy; and science, technology and innovation) to comply with a baseline of cybersecurity measures.
Four sets of implementing regulations, gazetted alongside the Act in August 2024, fleshed out the regime: the period for cyber security risk assessments and audits, notification of cyber security incidents, licensing of cyber security service providers, and compounding of offences. (NCII entities themselves are designated under the Act by the appointed sector leads, not by regulation.) Taken together, they put Malaysia broadly in line with the EU's NIS2 Directive and Singapore's Cybersecurity Act, while creating the country's first formal cybersecurity licensing framework.
The IoT Gap
The framework is a meaningful upgrade, but it was drafted around an enterprise-IT mental model. The legislation says almost nothing explicit about the connected devices and operational technology that increasingly populate the eleven NCII sectors: programmable logic controllers in water utilities, smart meters in the grid, CCTV and access-control sensors in transport hubs, networked infusion pumps in hospitals, telemetry in palm-oil estates and precision-agriculture systems, fleet trackers in logistics, and the rapidly growing constellation of industrial IoT (IIoT) gateways stitched into 5G deployments under MyDIGITAL.
Industry surveys regularly report that IoT endpoints in operational environments outnumber traditional IT endpoints many times over, and that a substantial share run unpatched firmware or ship with default credentials. That asymmetry, a foothold on a cheap sensor cascading into a critical-infrastructure incident, is exactly the risk the Act is meant to address. Yet "connected device" appears nowhere in the statute as a defined term; the Act reaches such devices only through its broad definition of "computer".
What Act 854 Does Well
Before prescribing fixes, it is worth crediting what Putrajaya got right. The Act sensibly avoids the temptation to write device-specific technical mandates into primary legislation, leaving the detail to subsidiary instruments that can evolve with the threat landscape. The incident-reporting clock set by the 2024 notification regulations (an initial notification within six hours of becoming aware of an incident, with a fuller report inside 14 days) is stringent but workable, and tracks the direction of travel in Europe and Australia.
The licensing regime for cybersecurity service providers, while novel for Malaysia, is narrowly scoped: the 2024 licensing regulations cover two service classes, managed security operations centre monitoring and penetration testing, rather than general security software or tooling. That matters: a broader licensing net would have risked walling off the open-source tools and global vendor ecosystem that Malaysian firms, especially SMEs, depend on.
Where a Proportionate IoT Layer Is Needed
The next phase of rulemaking should treat connected devices as a first-class category, but resist the urge to import every fashionable mandate. Three principles should guide it:
- Outcomes over prescriptions. Rather than enumerating device requirements (password length, update cadence, cryptographic primitives), NACSA's Codes of Practice should set capability outcomes (patchability, unique per-device credentials, a published support lifetime, security logging) and let NCII entities choose conforming products. The UK's Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and the EU's Cyber Resilience Act (CRA), finalised in 2024, offer ready-made baselines that Malaysia can recognise through mutual recognition of conformity assessments, sparing local firms duplicate certification costs.
- Risk-tiered obligations. A smart streetlight and an ICS controller in a substation do not pose comparable risks. Subsidiary regulation should distinguish between safety-critical OT, sensitive IoT (medical, payment), and ambient connected devices — applying the heaviest obligations only where consequence-of-failure warrants them.
- Procurement leverage, not import bans. The fastest way to raise the IoT security floor in NCII is through procurement standards for government and NCII operators, not blanket bans on "untrusted" vendors. The latter approach risks fragmenting Malaysia's supply chain and undermining ASEAN digital integration just as the country chairs ASEAN in 2025.
The Innovation Stakes
Malaysia has stated ambitions to become an ASEAN data-centre and semiconductor hub, with multi-billion-dollar investments announced by global hyperscalers and chipmakers in Johor, Selangor and Kedah over 2023-2025. Much of the value those investments unlock — automated manufacturing, smart logistics, AI-enabled energy management — depends on dense connected-device deployments. Overly prescriptive IoT rules, particularly if they require local certification or in-country data residency for device telemetry, would tax exactly the workloads Malaysia is courting.
Conversely, a clear, internationally aligned IoT security regime would be a quiet competitive advantage. It would give buyers in regulated NCII sectors confidence to deploy connected devices at scale, signal to insurers that Malaysian operators are credible counterparties, and let Malaysian device makers, a small but growing cluster around Penang and Cyberjaya, sell into the EU under the CRA with far less duplicate testing.
The Next 12 Months
Act 854's second anniversary in August 2026, two years after commencement, will be a natural inflection point. NACSA has signalled that sector-specific Codes of Practice are forthcoming; the IoT question should be tackled in that workstream, with public consultation, industry sandboxes, and an explicit commitment to recognise leading international standards (IEC 62443 for OT, ETSI EN 303 645 for consumer IoT, NIST IR 8259 for device manufacturers).
Malaysia has built a credible cybersecurity scaffolding. The job now is to fill it in with rules that are tough where it counts, light where it doesn't, and aligned with the regimes Malaysia's trading partners are already converging on. The connected-device question is where that balance will be most tested.