Malaysia’s Cybersecurity Act 2024 (Act 854): Building trust and seizing global opportunities | Digital News Asia

  • Act 854 establishes a secure and resilient digital ecosystem in Malaysia
  • Sets standards for NCII sectors & regulates cybersecurity services to combat threats

In today’s interconnected world, communications security and data integrity are critical priorities for governments and organisations. In fast-growing digital economies like Malaysia, this requires adequate regulatory guardrails to reduce exposure to risk and foster growth. The introduction of Malaysia’s Cybersecurity Act 2024 (Act 854) was designed to do just that, protecting citizens, safeguarding critical infrastructure, and overall enhancing the nation’s resilience to rising threats.

The legislation is designed to help fortify digital defences among the nation’s most critical organisations and positions Malaysian businesses for success both locally and globally. Dr Megat Zuhairy, CEO of the National Cyber Security Agency (NACSA), previously said, “The Act strengthens Malaysia’s cyber-resilience, protects key infrastructure, and drives economic growth by enhancing business confidence and enabling smoother international trade and cooperation.”

It also paves the way for future amendments and new regulations, such as a new Malaysia Cybercrime Bill being drafted to tackle modern threats in an evolving risk landscape.  This has the potential to address the rising threats to network and communications security, as well as enhancements to protect against online harm.

Dr Megat said this new Cybercrime Bill, to be tabled in October, was crucial for Malaysia to join the Budapest Convention on Cybercrime and the United Nations Convention Against Cybercrime in June 2025, as part of the country's commitment to tackling cybercrime both domestically and internationally.

Laying the foundation for a secure digital future

Act 854 lays a strong foundation for a secure and resilient digital ecosystem in Malaysia. It focuses on safeguarding National Critical Information Infrastructure (NCII), encompassing 11 vital sectors, including government, banking, defence, and healthcare, where disruptions could endanger national security, the economy, or public stability. The Act also establishes a comprehensive regulatory framework, mandating measures, standards, and protocols for NCII sectors while regulating the cybersecurity service industry, ensuring robust protection against evolving threats and vulnerabilities.

Key features include the formation of the National Cyber Security Committee, the roles and powers of the National Cyber Security Agency (NACSA) Chief Executive, and clearly defined responsibilities for NCII sector leads and entities.

The legislation mandates that businesses and service providers adopt rigorous cybersecurity practices, conduct regular risk assessments, report incidents promptly, and comply with licensing and incident management protocols. Organisations operating critical systems within NCII sectors must adhere to these stringent requirements.

Beyond its protective functions, Act 854 is a strategic enabler. The growing interconnectivity of global trade makes robust cybersecurity systems essential for businesses not only to comply with regulations but also to ensure secure cross-border operations and growth.

By aligning with global standards like ISO/IEC 27001 and NIST, Act 854 strengthens Malaysia’s cybersecurity framework and positions businesses as credible global players. This, in turn, attracts investors who prioritise data protection and supply chain security.

Mitigating supply chain risks – The first step to compliance with Act 854

In an era of increasing digital interconnectivity, no nation can achieve cyber-resilience and trusted, secure communications in isolation. Recognising this, Malaysia has taken proactive steps, including its collaboration with global secure communications company, BlackBerry, to enhance the nation’s digital defences and support cyber workforce development through capacity building and innovation.

One key initiative is the establishment of the Cybersecurity Center of Excellence (CCoE) in Kuala Lumpur. Operational since March 26, 2024, this world-class facility, supported by a C$3.9 million (RM12.2 million) investment from the Government of Canada, focuses on building cyber capacity through upskilling and training to bolster overall resilience in Malaysia and ASEAN. To date, nearly 2000 men and women have completed courses at the CCoE, at a range of skill levels.

Compliance with Act 854 starts with organisations addressing supply chain risks, particularly in high-risk areas such as operating systems and IoT components. A survey commissioned by BlackBerry, unveiled by Christine Gadsby, vice president and chief information security officer of BlackBerry, in 2024, revealed alarming findings.

Gadsby pointed out, “79% of Malaysian software supply chains were targeted by cyberattacks in 2023, surpassing the global average of 76%.” And if that wasn’t bad enough, there was more grim news. “Moreover, 81% of respondents discovered hidden members (unauthorised or unaccounted-for third-party entities) within their supply chains,” she added.

Gadsby stressed, “IT leaders must tackle the lack of visibility as a priority,” warning that hidden supply chain vulnerabilities expose businesses to significant risks. She further emphasised the financial and operational toll of these attacks, stating, “The repercussions are considerable: 71% of businesses reported financial losses, 66% suffered reputational damage, and 59% experienced data breaches.”

The findings underscore the urgent need for robust security measures like endpoint protection and ‘out of band’ secure communications solutions to safeguard supply chains, ensure operational continuity when outages or attacks happen, and meet stringent global standards.

Growing trust in Malaysia’s digital economy

The BlackBerry solutions deployed in Malaysia equip government departments with a comprehensive suite of scalable software solutions, designed to ensure data integrity, sovereignty and communication resilience at every level.

This includes SecuSUITE® for secure communications up to classified level, UEM (Unified Endpoint Management) for secure management of workforce devices anywhere, and BlackBerry AtHoc® for mission-critical communications and incident response. Trusted by NATO and governments worldwide, including all of the G7 and the majority of the G20, these solutions offer complete digital sovereignty, giving organisations full control over communications data, infrastructure, and operations.

AtHoc, a critical event management (CEM) platform, is already used by more than 70% of US Federal government departments. In Malaysia, it can also support NCII by improving compliance, streamlining incident response, and providing real-time situational awareness. It helps customers to adhere to Act 854 by enabling timely notifications to relevant authorities, automating regulatory reporting, and supporting crisis management drills. The platform’s secure communication channels protect sensitive data, while its ability to issue public alerts during emergencies boosts coordination, readiness, and effectiveness in critical situations.

Fostering a security-first culture

Building a strong security-first culture is essential for long-term resilience, as human error remains a primary cause of security breaches. This is an increasing concern as threat actors become more sophisticated in the way they engineer attacks using communication tools like WhatsApp or by successfully intercepting telco networks, as reported last year by the FBI and CISA in the United States.

Such tactics may include using AI to create voice-spoofing in a very targeted way for financial or political gain.  Alternatively, AI technology can also be used to analyse stolen communications metadata on the web or via consumer-messaging apps, such as location, contacts and more, to gather valuable intelligence on high-value targets. 

As well as ensuring the use of adequate tools for work communications in this new era, it is key to bridge knowledge gaps with continuous training and positive reinforcement. Equipping employees with the tools to recognise deepfakes and respond to threats effectively, or to adopt more responsible mobile and cyber-hygiene practices, will minimise your risk exposure.

BlackBerry emphasises the importance of weaving a strong sense of cybersecurity best practices into the fabric of organisational culture, advocating for a sustained and collaborative commitment.  A well-established cybersecurity culture unites employees, leaders, and stakeholders, turning compliance into a proactive, organisation-wide initiative. By cultivating this approach, businesses can reduce insider risks, safeguard critical assets, and fortify their overall security posture.

Conclusion

Malaysia’s Cybersecurity Act 2024 (Act 854) and the forthcoming Cybercrime Bill, being introduced later this year, help to pave the way for a more secure digital future. In tandem with robust regulation and the adoption of advanced solutions, government and businesses are working together locally and across borders to foster a security-first culture that drives compliance and global competitiveness. Supported by people-focused initiatives like the Cybersecurity Center of Excellence, organisations and their people are empowered to protect digital assets and thrive in an interconnected, fast-evolving economy.
