On 1 January 2025, Malaysia became one of the few countries in the world to require major social media and messaging platforms to obtain a formal operating licence. Under the Class Licence framework administered by the Malaysian Communications and Multimedia Commission (MCMC), any internet messaging or social media service with at least eight million Malaysian users — roughly a quarter of the country's population — must register under the Communications and Multimedia Act 1998 (CMA). Eighteen months in, the regime is shaping up as the single biggest test of whether Malaysia's much-touted MyDigital agenda can deliver an open, investable digital economy, or whether it will harden into a thicket of overlapping mandates that pushes capital and talent elsewhere in ASEAN.
The official rationale is familiar: tackling online scams, child sexual abuse material, cyberbullying, and what the government broadly labels "harmful" content. Few would argue with those goals. But the mechanism — bringing global platforms inside a pre-existing telecoms-style licensing regime designed in 1998 for network operators — is a category error that risks unintended consequences for the very innovation and inward investment that Malaysia's MyDigital Blueprint set out to attract.
What the Class Licence actually does
The framework, gazetted in 2024 and effective from the start of 2025, sweeps platforms into the CMA's "applications service provider" category. Licensees take on duties to remove specified categories of content, cooperate with law-enforcement requests, and submit to MCMC's standards and direction-issuing powers. The threshold of eight million users is calibrated to capture the obvious incumbents — Meta's Facebook, Instagram and WhatsApp, TikTok, Telegram, X, YouTube — while exempting smaller and emerging services.
Reports through 2025 and into 2026 suggest a mixed compliance picture. TikTok and Telegram have publicly engaged with the licensing process; Meta and X have moved more cautiously, citing concerns about the breadth of the obligations and the absence of clear due-process safeguards before content removals or service-level directions. Public messaging from MCMC has oscillated between deadlines, grace periods, and warnings of enforcement — a pattern that itself imposes real costs on platforms attempting to plan compliance work.
Layering on the Online Safety Act
The Class Licence does not exist in isolation. Parliament passed the Online Safety Act 2024 in December that year, creating a separate set of duties on "online service providers" to tackle priority harmful content, with phased implementation through 2025–2026. Layered above both is the broader Personal Data Protection (Amendment) Act 2024, which tightens cross-border transfer rules and introduces mandatory breach notification and data protection officers.
Each of these instruments has a defensible purpose. The problem is the cumulative compliance surface. A single platform operating in Malaysia now faces:
- A CMA-derived licence with content-removal and direction powers vested in MCMC;
- A parallel Online Safety Act duty-of-care regime with separate notices and penalties;
- An updated data protection framework with its own regulator and timelines;
- Sectoral rules on copyright, gambling, and political content that pre-date all of the above.
Each layer was drafted independently, and the interfaces between them — what happens, for instance, when MCMC's licensing direction conflicts with an Online Safety Act notice or a court order — remain underspecified. For startups and mid-sized international entrants below the eight-million-user threshold, the message is still chilling: scale into Malaysia and you scale into a bespoke licensing relationship with a regulator that can suspend service.
The MyDigital contradiction
The Malaysia Digital Economy Blueprint (MyDigital), launched in 2021, set headline targets for the digital economy to contribute over a fifth of GDP, attract significant cloud and data-centre investment, and position the country as a regional digital hub. The blueprint's logic depended on regulatory predictability — the very thing a discretionary licensing regime undermines.
Malaysia has, to its credit, attracted multi-billion-dollar hyperscaler commitments from Microsoft, Google, AWS and ByteDance, anchored in Johor and the Klang Valley. That capital is sticky once deployed, but the next wave — generative-AI infrastructure, fintech, cross-border B2B SaaS — is more mobile. Singapore's lighter-touch IMDA codes, Indonesia's evolving but rules-based approach, and even Vietnam's recent shift toward clearer decrees all compete for the same investment. A regime in which a regulator can require licensing, then quietly extend deadlines, then threaten enforcement, is precisely the kind of unpredictability that risk committees flag.
A proportionate path
None of this is an argument against platform accountability. Scams cost Malaysians an estimated multi-billion-ringgit sum annually, according to police and MCMC statements, and platform-mediated harms to minors are real. But proportionate, evidence-based regulation — the kind that civil-society groups including EFF have argued for globally — depends on three features the current Malaysian stack largely lacks:
- Clear statutory scope. Define "harmful content" in legislation, not in subsidiary direction. The CMA's section 233 remains notoriously broad; bolting licensing duties onto it amplifies that vagueness.
- Independent oversight of removal orders. Pre- or post-action judicial review is the single most effective check against scope creep and political misuse.
- Risk-tiered duties. Distinguish systemic risk (large platforms, recommender systems, ads) from baseline duties — much as the EU's Digital Services Act does — rather than treating every covered service identically.
Malaysia still has the opportunity to consolidate the Class Licence, the Online Safety Act, and the data-protection rules into a single coherent framework with clearer scope and meaningful procedural rights. Doing so would protect users and deliver on the open, investable digital economy MyDigital promised. Doubling down on the current trajectory risks the worst of both worlds: a regulatory maze that frustrates platforms, chills smaller entrants, and ultimately leaves Malaysian users less, not more, safe online.