When Malaysia's Applications Service Provider Class (ASP-C) licensing regime took effect on January 1, 2025, it marked one of Southeast Asia's most assertive attempts to bring foreign-owned platforms under direct domestic regulatory supervision. Sixteen months later, with Meta, TikTok, and others operating under license and X and Telegram having faced public scrutiny over delayed or partial compliance, the contours of the regime — and its costs — are becoming clearer. The verdict from a pro-innovation perspective is mixed at best.
The Architecture of Control
The ASP-C framework, issued by the Malaysian Communications and Multimedia Commission (MCMC) under the Communications and Multimedia Act 1998, applies to any social media or internet messaging service with at least eight million users in Malaysia. The threshold is calibrated to capture the major foreign-owned platforms while sparing smaller and local services. Companies meeting the threshold must register, accept a designated point of contact for regulators, and respond to MCMC directives — including takedown orders covering categories such as online gambling, scams, child sexual abuse material, content deemed offensive to religious or racial harmony, and material relating to the royal institution.
Layered on top is the Online Safety Act 2024 (Act 868), which received royal assent in December 2024 and creates statutory duties of care, age-appropriate design obligations, and significant penalties for non-compliance. Together, the two instruments establish a licensing-plus-duty-of-care architecture that gives Malaysian authorities unusually direct leverage over how platforms moderate content for Malaysian users.
Compliance Reality, 2025-2026
The compliance picture is uneven. Meta — covering Facebook, Instagram, and WhatsApp — and ByteDance's TikTok registered relatively early, as did Google's services where applicable. Telegram, after months of public pressure and reported negotiations, eventually registered in 2025. X (formerly Twitter) has been the most prominent holdout, with MCMC repeatedly stating publicly that the platform did not meet the user threshold based on data X provided — an awkward technical workaround that nonetheless underscored the limits of unilateral national licensing of a global service.
Throughout 2025, MCMC issued thousands of takedown requests to licensed platforms, with reported compliance rates generally high — particularly for online scams, gambling content, and online safety categories where there is broad public consensus. That is precisely the kind of focused, harm-based intervention that proportionate regulation can support. The trouble is the wider envelope of categories the regime sweeps in.
The Proportionality Problem
Three features of the Malaysian regime sit uneasily with proportionate, evidence-based regulation:
- Vague content categories. Concepts like material that is “offensive” or threatens “public order” — alongside Malaysia's existing sedition and Communications and Multimedia Act Section 233 framework — give regulators wide discretion. Platforms facing potential license revocation have strong incentives to over-comply, which translates directly into chilled lawful speech, especially political commentary and criticism of public officials.
- Limited judicial check. The takedown architecture relies primarily on administrative direction rather than independent judicial review. Civil society groups including Article 19 and the Centre for Independent Journalism Malaysia have repeatedly raised concerns that the speed-of-takedown design squeezes out due process for users whose content is removed.
- Sovereignty by leverage. Licensing creates a recurring chokepoint: a platform that displeases regulators on any issue — content, data, market conduct — risks the license. That bundles unrelated questions and concentrates regulatory power in ways that the open-internet design has historically resisted.
Costs Beyond Compliance
The ASP-C regime also has economic and structural consequences worth taking seriously. Foreign platforms now operate in Malaysia under conditions that combine licensing, local representation obligations, and exposure to expansive content rules. For incumbents like Meta and TikTok, the marginal compliance cost is manageable. For mid-sized or emerging services contemplating Malaysian expansion, the calculus is harder. The eight-million-user threshold protects the smallest entrants, but it also creates a cliff: cross it, and a platform suddenly enters a heavyweight regulatory regime built for the largest incumbents. That is a structural disincentive to scale in Malaysia — a counterproductive signal for a country that has explicitly positioned itself as a regional digital hub.
A Better Path
None of this means Malaysia should do nothing. Online scams have caused substantial losses to Malaysian consumers; child safety concerns are real; coordinated influence operations are a legitimate worry. But the experience of the EU's Digital Services Act, the UK's Online Safety Act, and Australia's eSafety regime suggests that the most defensible models share several features: narrowly drawn, harm-specific obligations; transparent appeal mechanisms for affected users; independent oversight bodies separate from the licensing authority; and clear sunset or review clauses.
Malaysia's regime could move closer to that template without abandoning its core public-safety goals. Three concrete reforms would help: (1) narrow the content categories subject to takedown to demonstrably harmful, well-defined harms; (2) introduce a statutory right of appeal for users whose content is removed under MCMC direction; and (3) decouple licensing from content compliance, so that a platform's market access is not held hostage to discretionary editorial decisions.
The Wider Signal
Malaysia's licensing model is being watched closely across ASEAN. Indonesia's PSTE regime, Vietnam's draft amendments, and the Philippines' ongoing platform-accountability debates all bend in similar directions. If the Malaysian template hardens into the regional default, the cumulative effect will be a fragmented, license-by-license internet in Southeast Asia — with higher costs, lower competition, and weaker free-expression guarantees than the open-internet model that helped these economies digitize in the first place. A more proportionate Malaysian design would not just protect Malaysian users; it would set a better regional benchmark.