On 1 June 2026, two subsidiary codes under Malaysia's Online Safety Act 2025 (Act 866) came into force: the Child Protection Code and the Risk Mitigation Code. Issued by the Malaysian Communications and Multimedia Commission (MCMC) on 22 May, they translate the Act's broad duties into concrete obligations for licensed application and content-application service providers — risk assessments, content-governance systems, advertiser verification, labelling of manipulated media, and child-safety-by-design. For a country positioning itself as a regional digital hub under the MyDigital agenda, the codes are a serious attempt to regulate platform conduct without simply copying the EU's prescriptive rulebook.
The case for the codes
It is worth steelmanning the regulator before critiquing it. Malaysia has a genuine harms problem: online scams, child sexual abuse material, and AI-generated impersonation have all risen sharply, and the Act 866 framework — which received royal assent on 6 May 2025 and took general effect on 1 January 2026 — was designed to give MCMC enforcement tools it previously lacked. Two of the new duties are straightforwardly defensible. Requiring platforms to verify advertisers against government-issued records targets the paid-promotion pipeline that funds investment scams and fake-celebrity fraud, a category that has cost Malaysian consumers heavily. And requiring providers to prominently label generated or manipulated media is a transparency measure, not a speech ban — it tells users what they are looking at rather than deciding what they may say.
The codes' structural choice is also the right one. MCMC has described the framework as outcome-based, setting required results and leaving providers flexibility on implementation, after a public consultation that ran from February to March 2026. That is a meaningful contrast with line-by-line mandates that freeze in a single technical approach and quickly age out. An annual harmful-content risk assessment, an internal assurance function, and written records are the kind of process obligations that scale across very different services — a video platform and a messaging app can comply in ways that fit their architecture.
Where proportionality strains
The weak point is age verification. The Child Protection Code restricts account registration to users aged 16 and above, and requires social-media platforms with at least eight million users in Malaysia to verify age using government-issued identification — MyKad, passports, or equivalent overseas documents — to keep under-16s off the service, as analysed by Rahmat Lim & Partners. This is where a child-protection rationale collides with three hard problems.
First, privacy and security. Mandating that the largest platforms collect government ID to confirm age forces millions of adults to hand identity documents to private companies, creating exactly the kind of centralised honeypot that breach after breach has shown to be indefensible. Malaysia's own Personal Data Protection Act 2010 governs that data, but a data-protection statute mitigates risk; it does not eliminate the attack surface a verification mandate creates.
Age-assurance systems are only as trustworthy as the identity databases behind them — and an ID-gated internet excludes the very people least likely to hold formal documents.
Second, exclusion and accuracy. ID-based verification disadvantages users without ready documentation and pushes others toward VPNs or borrowed credentials, which dilutes the protective intent. Privacy-preserving age-estimation techniques exist, but a hard government-ID requirement for the largest platforms tilts the default toward the most data-hungry option.
Third, proportionality of the threshold itself. The eight-million-user trigger sensibly concentrates the heaviest obligations on the largest actors rather than crushing startups — a genuinely good instinct. But a blanket under-16 registration bar is a blunt instrument compared with the graduated, feature-level restrictions the Code also contemplates for high-risk features. The more surgical approach — limiting recommendation-driven feeds, contact-from-strangers, and engagement loops for minors — protects children without conditioning all access on identity disclosure.
Why the grace period matters
MCMC has, to its credit, provided a transition grace period specifically for verification processes, acknowledging that age-assurance technology is not mature and that a hard switch-on would be unworkable. That pragmatism should extend further: the grace window is the moment to pilot privacy-preserving age estimation, publish accuracy and false-rejection data, and define what effective verification means before penalties bite. Non-compliance can draw a financial penalty of up to RM10 million, so the definitional details are not academic.
The larger lesson for the region is about sequencing. Malaysia has built a flexible, outcome-based core that other ASEAN regulators will study, and the advertiser-verification and synthetic-media-labelling duties are proportionate responses to real fraud. The risk is that a single prescriptive feature — mandatory ID for age — becomes the template others copy without the surrounding restraint. The codes are a credible regulatory product. Keeping them credible means resisting the urge to make identity disclosure the price of admission to the open internet.