July 03, 2026

Short Deadlines, Significant Penalties: Malaysia's Online Safety Act in Focus


On 1 January 2026, Malaysia's online-safety framework came into force, comprising the Online Safety Act 2025 ("ONSA") and four subsidiary instruments: the Online Safety (Period), (Fees), (Form of Undertaking) and (Online Safety Appeal Tribunal) Regulations. Further to our previous Legal Update, Malaysia's Proposed Social Media Ban for Children: How It Compares with Australia and Singapore, these rules turn platform safety from a policy discussion into a set of legal duties, short response deadlines and significant penalties.

ONSA stands out in the Asia-Pacific region because it is detailed and operational. It sets response periods as short as one hour and includes penalties that may affect both companies and individual officers. For many platforms, trust-and-safety functions will now need to be treated as a formal compliance function.

Scope and Definitions

ONSA applies to three categories of licensee under the Communications and Multimedia Act 1998 ("CMA"): applications service providers ("ASPs"), which enable user-to-user communications over internet access; content applications service providers ("CASPs"), which provide content over the internet; and network service providers ("NSPs").

Service providers that are not formally licensed may still be brought within scope where they are required or deemed to be registered under the CMA licensing framework, including through the deemed-registration mechanism for qualifying internet messaging and social media service providers pursuant to section 46A of the CMA. Specifically, from 1 January 2025, service providers with at least eight million Malaysian users were required to hold applications service provider class licences from the Malaysian Communications and Multimedia Commission ("MCMC"), rendering them now subject to ONSA.

Three further points regarding scope are particularly important:

  • ONSA does not impose obligations on individual users;
  • ONSA does not apply to private messaging features; and
  • ONSA applies outside Malaysia when a person provides covered services in Malaysia and holds a CMA licence.

ONSA's scope is also determined with reference to content definitions, establishing when reporting, assessment and takedown obligations apply. ONSA's First Schedule lists nine categories of harmful content: child sexual abuse material ("CSAM"); financial fraud; obscene content; indecent content; content that may cause harassment, distress, fear or alarm through threatening, abusive or insulting words, communication or acts; content that may incite violence or terrorism; content that may induce a child to harm himself or herself; content that may promote ill-will, hostility or disturbance of public tranquillity; and content that promotes the use or sale of dangerous drugs. CSAM and financial fraud are classified separately as "priority harmful content" and, as discussed below, are subject to the shortest response times.

Key Duties and Substantive Obligations

ONSA adds substantive duties that sit behind the CMA licensing framework. Part III of ONSA sets out the core statutory duties for ASPs and CASPs. In broad terms, service providers must, without unreasonably or disproportionately limiting user expression:

  • Implement measures specified in the applicable code, or MCMC-approved alternative measures, to reduce users' exposure to harmful content;
  • Issue clear and accessible guidelines for users;
  • Provide tools and settings that help users manage their online safety;
  • Provide mechanisms for reporting harmful content and obtaining user assistance;
  • Protect child users through safe-by-design measures;
  • Establish a mechanism to make priority harmful content inaccessible; and
  • Prepare, publish, maintain and submit an Online Safety Plan to MCMC.

The duty to protect child users is supported by more specific design obligations. For services likely to be accessed by child users, service providers must:

  • Prevent identified child users from accessing suspected harmful content;
  • Limit communication between adults and children;
  • Limit features that increase, sustain or extend use by child users;
  • Prevent adults from viewing children's personal information available on the service; and
  • Ensure personalised recommendation systems are suitable for child users.

On age verification, the methods reported so far include MyKad, passports and MyDigital ID. MCMC's approach remains outcome-based, technology-neutral and risk-based, with no single prescribed technology so long as the measures adopted satisfy accuracy, privacy and security requirements. The key issue will be how to build a workable age-assurance process without creating unnecessary data-protection and privacy risks.

Once these duties apply, timing becomes critical. ONSA's report-handling and content-inaccessibility obligations are supported by the Period Regulations, which prescribe how quickly service providers must act, including the following key deadlines:

  • User reports: Acknowledge within one hour and complete the initial assessment within twelve hours.
  • Priority harmful content: Make the reported content inaccessible immediately for 24 hours after deciding not to dismiss the report; if confirmed, make it permanently inaccessible within one hour of the decision.
  • Other harmful content: Make the reported content inaccessible within four hours after deciding not to dismiss the report; if confirmed, make it permanently inaccessible within twelve hours of the decision.

Penalties, Personal Liability and Review Mechanisms

The significance of the duties and timelines above is reinforced by ONSA's enforcement structure. ONSA uses a mix of civil penalties and criminal offences:

  • Failure to comply with a Part III duty: Financial penalty of up to RM10 million, recoverable as a civil debt.
  • Failure to comply with written instructions, directions and prescribed takedown periods: Fines of up to RM1 million and, in specified continuing cases, daily fines of up to RM100,000.
  • Failure to comply with data preservation, disclosure and information-gathering: Fines of up to RM1 million and daily continuing fines in specified cases; false or misleading responses to the MCMC may attract fines of up to RM500,000.

There are also provisions for personal liability—if a corporate body commits an offence, directors, compliance officers, partners, managers, and secretaries may be charged jointly or severally, and may be deemed guilty unless they can prove either that the offence was committed without their knowledge, or that it was committed without their consent or connivance, and that they took all reasonable precautions and exercised due diligence to prevent it. In practice, this makes online-safety compliance a governance issue as well as an operational one.

Before MCMC issues a notice of non-compliance, a provider may give an undertaking in the prescribed form, committing itself unconditionally and irrevocably to comply with Part III. ONSA also establishes the Online Safety Appeal Tribunal to review certain MCMC instructions, determinations, and directions. Tribunal decisions are final and binding and are not subject to further appeal. Judicial review of Minister or MCMC decisions remains available, but only after the other remedies under ONSA have been exhausted.

A Comparative Lens

ONSA should be viewed against the wider regional movement towards greater platform accountability. The comparisons below seek to place ONSA in regional context and to highlight broad differences in regulatory approach—they are necessarily selective and brief, with a detailed jurisdiction-by-jurisdiction analysis outside the scope of this article.

Australia uses a more principles-based model. Under the Online Safety Act 2021 and the Social Media Minimum Age framework that came into effect in December 2025, platforms must take "reasonable steps" to prevent under-16s from holding accounts. The Australian regime relies more heavily on regulatory guidance and discretion, and less on fixed statutory response times. ONSA is more prescriptive.

Singapore has taken a legally binding, code-based approach through the Infocomm Media Development Authority ("IMDA"). IMDA codes for designated social media services and designated app distribution services require features such as system-level safety measures, age assurance and annual reporting. ONSA is similar in focusing on systems and processes, but differs by setting specific statutory takedown timelines and attaching criminal consequences to certain prescribed failures.

Indonesia introduced under-16 restrictions in March 2026 for designated high-risk digital platforms, including YouTube, TikTok, Facebook and Instagram. Introduced through Ministerial Regulation No. 9 of 2026, issued under Government Regulation No. 17 of 2025 on governance of electronic system operation for child protection, the framework is risk-based and also includes child-protection obligations such as risk self-assessments, privacy settings at the highest level by default for child-facing products, and personal data protection impact assessments for products used by children. ONSA shares the focus on child protection, but sits within a broader platform-accountability regime that combines licensing, harmful-content taxonomy, statutory response periods and enforcement powers.

China's Regulations on the Protection of Minors in Cyberspace (未成年人网络保护条例), effective from 1 January 2024, are broader. They cover cyberbullying, personal information protection, anti-addiction measures, and multi-departmental oversight. ONSA is narrower, but it is similar in using safe design, controls over recommendation systems and child-specific protections.

Practical Steps for Technology Companies

For technology companies, the practical task is to translate ONSA's scope, duties, timelines and enforcement risks into operational controls. The following steps are a useful starting point:

  • Licensing and threshold monitoring: Check whether the service meets the eight-million-user threshold, and monitor any move to lower it. Offshore hosting does not by itself avoid ONSA if the service is licensed and provided in Malaysia.
  • Content-classification systems: Make sure internal taxonomies map the nine harmful-content categories and separately identify priority harmful content, namely CSAM and financial fraud.
  • Operational deadlines: Ensure the Period Regulations are treated as legal deadlines, not internal targets. Trust-and-safety teams may need 24/7 coverage and clear escalation paths to meet the one-hour and four-hour requirements.
  • Online Safety Plans: Prepare, publish and file the Online Safety Plan with MCMC, and keep it under regular review.
  • Age verification and child-account controls: Review onboarding, account-opening and age-assurance processes against the Child Protection Code and Risk Mitigation Code, including verification using MyKad, passports, MyDigital ID or other acceptable mechanisms, while minimising unnecessary collection, disclosure or retention of identity and biometric data.
  • Child-safety design: Review recommendation systems, engagement features, communication settings and data practices against ONSA's child-safety requirements, and prepare for future age-verification rules.
  • Governance: Make sure responsibility for ONSA compliance sits at an appropriate management and board level, given the officer-liability provisions.
  • Data-handling procedures: Review protocols for data preservation, disclosure, and responses to MCMC information requests so that legal and incident-response teams can respond quickly and accurately.
  • Regional compliance planning: Compare Malaysia's requirements with those in Australia, Singapore, Indonesia, and China (and other relevant jurisdictions) so that common controls and local differences are clearly understood.

Conclusion

As the law and practice are still developing, technology companies should remain flexible. Additional subsidiary legislation may follow, and MCMC can issue guidelines and codes. Areas to watch include the implementation and enforcement of age-verification requirements under the Child Protection Code and Risk Mitigation Code, further operational requirements under ONSA, and any reduction of the current eight-million-user threshold for deemed ASP registration.

For technology companies operating across the Asia-Pacific region, the main challenge lies in the cumulative weight of regulatory complexity. Each regime employs different definitions, timelines and enforcement tools. Companies are likely to be better placed if they approach online-safety compliance as a regional programme—one capable of adapting to new rules, rather than as a series of country-specific exercises. 
