Technology, Media and Telecoms Archives

On 19 August 2025, the Ministry of Science and Technology (“MOST”) unveiled the second draft of the Law on Digital Transition (“Draft Law”) for public consultation. This marks a bold step in Vietnam’s ambition to position itself as a regional digital powerhouse, laying the groundwork for widespread adoption of AI, big data, IoT, cloud computing, and blockchain.

If adopted, the Draft Law will not only reshape how organizations operate in Vietnam but also redefine the country’s digital economy and governance model.

Key Takeaways

Three digital pillars: Data, infrastructure, and platforms form the foundation for nationwide digital transformation.
Strict prohibitions: Misuse of data, AI, or platforms that threaten security, spread misinformation, or undermine competition will be outlawed.
Public sector leadership: State agencies must deliver secure, transparent, and citizen-focused digital services.
Expansive digital economy: Covering platforms, sector-specific applications, and the data economy – with sandboxing and incentives to drive growth.
Platform obligations: New rules for administrators, business users, and consumers, including transparency around algorithms and oversight of dominant players.

1. A National Digital Framework

The Draft Law defines Vietnam’s digital transformation through three core pillars: digital data, digital infrastructure, and digital platforms. Together, they form the backbone of the nation’s digital journey. Telecoms networks, data centers, cloud facilities, and IoT connectivity are prioritized for fast-track investment, with preferential policies on tax, land, and industry support to attract private capital and fuel innovation.

2. Drawing the Red Lines

Article 5 sets out a hard list of prohibitions, signalling Vietnam’s determination to guard its digital sovereignty. Banned activities include:

Exploiting digital transformation to threaten national security or disrupt order;
Unauthorized data use and sabotage of digital infrastructure;
Misuse of AI for deception or deepfakes, or embedding state secrets into AI systems; and
Unfair competition on digital platforms.

These prohibitions underline a central theme: innovation yes, abuse no.

3. Government as the Digital Trailblazer

State agencies are tasked with leading by example. They must:

Build citizen- and business-centric digital services;
Keep data systems secure, resilient, and transparent; and
Deploy AI responsibly, ensuring compliance with personal data, cybersecurity, and state secrecy rules.

This push aims to reinforce trust in digital governance while unlocking efficiency gains across the public sector.

4. Defining the Digital Economy

The Draft Law casts a wide net:

Platform economy: Digital platforms connecting buyers, sellers, and users;
Sectoral economy: Industry-specific platforms boosting productivity and reshaping business models;
Data economy: Treating data itself as a tradable commodity – from collection and processing to monetization.

To catalyse growth, the Government promises tax and credit incentives, advisory programs, and controlled “sandbox” pilots to safely test new digital business models.

5. Clear Duties for Digital Actors

The Draft Law assigns obligations across the ecosystem:

Platform administrators: Must disclose terms, safeguard users, moderate content, and establish transparency around the “black box” of algorithms, explain how they work and ensure they do not stifle competition.
Business users: Ensure goods and services are legal, protect consumers, and respect IP and competition rules.
Consumers: Provide accurate information and comply with platform terms.
Dominant platforms: Face stricter oversight, including interoperability requirements and regular reporting.

Vietnam’s Draft Law on Digital Transition signals a new era for the country’s digital economy. With strong guardrails, incentives for growth, and a focus on trust and transparency, the law aims to create an ecosystem where innovation thrives within clear boundaries.

The consultation period offers stakeholders a valuable opportunity to shape the rules that will define Vietnam’s digital future. For further insights on the Draft Law on Digital Transition or other regulatory developments in Vietnam, please contact DFDL.

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

On 14 June 2025, the National Assembly of Vietnam passed the Law on Digital Technology Industry (the “Law”), marking a significant milestone in the country’s digital transformation journey. Effective from 1 January 2026, the Law introduces Vietnam’s first comprehensive legal framework for digital assets and sets forth core principles for artificial intelligence (AI) governance.

This legislative development demonstrates Vietnam’s commitment to fostering innovation while ensuring regulatory oversight in line with international standards. Below is a summary of the Law’s key provisions on AI and digital assets and their implications for businesses and stakeholders.

1. Overview of the Law

The Law governs the development, deployment, and regulation of digital technologies in Vietnam. It covers a broad range of areas including digital infrastructure, data governance, cybersecurity, and emerging technologies. Key objectives include:

Promoting research and development (R&D) in AI, blockchain, semiconductors, and other digital technologies;
Establishing a legal regime for digital and coded assets;
Supporting startups and technology enterprises through incentives; and
Enhancing Vietnam’s global competitiveness in the digital economy.

Chapters IV and V of the Law – focused on Artificial Intelligence and Digital Assets, respectively – are especially notable for businesses operating in these sectors.

2. Key Provisions on Artificial Intelligence (AI)

2.1 Definition and Scope

The Law defines AI as a machine-based system capable of learning from data to generate decisions, predictions, or content that affects physical or digital environments. AI systems are considered digital technology products comprising software, hardware, and data.

2.2 Principles of AI Governance

The Law establishes foundational principles for the safe and ethical use of AI:

Transparency: AI systems must be transparent about their functionality and decision-making rationale.
Accountability: Developers and operators bear responsibility for legal and ethical compliance.
Safety and Security: AI must be designed to prevent harm and misuse.
Non-Discrimination: AI must not exhibit biases or discriminatory behavior.

2.3 Regulatory Requirements

Licensing of High-Risk AI: Government approval is required for AI applications in sensitive sectors such as critical infrastructure and law enforcement.
Data Compliance: AI developers must adhere to Vietnam’s data protection laws.
R&D Incentives: Tax relief and public funding are available for AI-related research and collaboration.

2.4 Implications for Business

The prospect of generous government incentives may create strong opportunities for R&D and commercialization of AI systems in Vietnam. On the other hand, businesses developing and operating AI systems will need to develop compliance protocols, particularly for high-risk use cases.

3. Key Provisions on Digital Assets

3.1 Definition and Classification

The Law defines a digital asset as a property right under the Civil Code, expressed in digital form and authenticated via digital technologies. It recognizes two primary categories:

Virtual Assets: Digitally transferable representations of value (excluding coded assets); and
Coded Assets: Cryptographically secured blockchain-based assets, including cryptocurrencies.

Interestingly, the Law expressly excludes securities, digital forms of fiat currency, and other financial assets as prescribed by civil and financial laws from the definition of both virtual and coded assets. But a third category of “other assets” leaves room for future treatment of such financial assets as digital assets.

3.2 Regulatory Framework

Civil Law Protections: Digital assets are granted full legal recognition as property under Vietnam’s Civil Code.
AML/CFT Compliance: Businesses dealing with digital assets must comply with anti-money laundering (AML) and counter-financing of terrorism (CFT) obligations aligned with FATF standards.
Licensing Requirements: Entities providing digital asset services must meet business conditions set by the Government.
Tax Incentives: The Law introduces preferential tax treatment for digital asset startups; details will be provided in forthcoming regulations.

3.3 Implications for Business

The recognition of digital assets under civil law provides more legal certainty for market participants. While regulatory compliance will require investment, especially in AML/CFT measures, and there are still many open questions to be addressed through regulation, Vietnam is positioning itself as a digital asset-friendly jurisdiction with favorable policies for innovation.

4. Outlook and Next Steps

The Law will take effect on 1 January 2026. It represents a foundational shift for Vietnam’s digital regulatory landscape. Its key impacts include:

For AI developers: A framework that encourages growth, balanced by safeguards for public trust;
For digital asset stakeholders: Legal recognition and the prospect of more structured compliance requirements could bolster market confidence; and
For the national economy: An enabling environment, including state funding and concentrated digital technology zones, to attract foreign investment and nurture high-tech job creation.

The Government will issue detailed implementing regulations, clarifying, among others, issues in relation to AI and digital assets. Businesses should closely monitor these developments and seek legal counsel to ensure readiness.

Conclusion

Vietnam’s new Law on Digital Technology Industry signals a decisive step toward a secure, innovation-driven digital economy. By establishing basic principles for AI and digital assets, the Law not only fills longstanding legal gaps but also takes a step towards aligning Vietnam’s regulatory architecture with global trends. While further guidance is expected, the Law lays a more robust foundation for the country’s digital future.

On 3 June 2025, the Government of Vietnam issued Decree No. 115/2025/ND-CP (“Decree 115“) to provide detailed implementation guidance for various provisions of the Law on Telecommunications 2023. Decree 115 introduces a clearer and more structured legal framework for the management and allocation of telecom numbers and Internet resources, as well as rules on leasing and compensation mechanisms.

Key Objectives of Decree 115:

Establish a comprehensive framework for managing telecom number inventories and Internet resources;
Set out principles for state compensation when telecom resources are reclaimed; and
Clarify technical and commercial aspects of telecom resource governance.

In particular, the Decree introduces the following changes:

1. Dual-Track Procedures for Telecom Number Allocation

Decree 115 introduces two distinct methods for telecom number allocation:

Direct Assignment: Applicable to general telecom number requests. Enterprises must submit required documents to the Ministry of Information and Communications (MIC). These applications are to be processed within 10 working days; and
Public Auction: Applicable to high-value number blocks (e.g., short codes or premium mobile prefixes). The auction process can take up to 45 working days.

Articles 6 and 7 of Decree 115 outline detailed procedures for both mechanisms, improving transparency and providing applicants with greater predictability.

2. Utilization Thresholds for Subsequent Allocations

To promote efficient usage and prevent number hoarding, Decree 115 sets out minimum utilization thresholds that applicants must meet before seeking additional allocations. Articles 8 to 16 of Decree 115 specify that:

From the second application onward, an enterprise must demonstrate that at least 70% of previously allocated numbers are in active use;
Utilization calculations may include subleased numbers, provided they are actively used; and
These thresholds apply to various telecom services, including fixed-line, mobile (H2H and M2M), satellite, and Internet-based telephony.

3. Legal Framework for Leasing Telecom Numbers

For the first time, Vietnam formally recognizes the practice of leasing telecom numbers between licensed operators. Articles 30 to 34 of Decree 115 introduce:

Authorization for leasing arrangements, provided they are linked to telecom service resale activities;
A requirement for a written contract that includes details such as lease term, pricing, number type, quantity, and a three-year utilization plan; and
Reporting obligations: Lessees must submit monthly usage reports, while lessors report quarterly to the Department of Telecommunications using prescribed forms in the Decree’s Appendix.

4. Compensation Mechanisms for Reclaimed Telecom Resources

Decree 115 establishes a compensation regime for cases where telecom numbers or Internet resources are reclaimed outside of enterprise fault. Key points under Articles 35 and 36 of Decree 115 include:

For directly assigned numbers, compensation is equal to one year’s usage fee;
For auctioned resources, the compensation equals the winning bid amount;
Affected parties must receive at least three months’ prior notice; and
Compensation is not available in force majeure events, in accordance with relevant laws.

5. Auction Procedures for “.vn” Domains and High-Demand Numbers

Articles 37 to 45 of Decree 115 introduce new procedures for the auction of high-value telecom numbers and certain “.vn” domain names. Highlights include:

Eligible domain names include premium one- and two-character names (e.g., a.vn, 88.vn);
Desirable mobile prefixes and short codes may also be subject to auction;
Auctions must be publicly listed for at least 30 days and conducted via licensed auction organizations; and
Bidders must meet eligibility criteria and comply with bidding regulations.

Implications for the Telecom Sector

Decree 115 marks a significant step forward in modernizing Vietnam’s telecommunications regulatory regime. It provides a unified and enforceable legal structure, replacing the previous patchwork of rules and circulars. Key provisions on number allocation, leasing, and compensation increase regulatory clarity and reduce market uncertainty.

Enterprises operating in the telecom and digital services sectors should closely review Decree 115 to align internal compliance protocols and take advantage of new opportunities created by the updated framework.

For further advice on the implications of Decree 115 or support with regulatory procedures, please contact our team.

The Indonesian government has issued a new regulation, PP No. 17/2025, concerning the governance of electronic systems for child protection. This regulation aims to ensure the safety and well-being of children using electronic systems. Key highlights include:

Protection Measures: Electronic system providers must implement safeguards, such as age verification and abuse reporting mechanisms.
Risk Assessment: Providers must assess and mitigate risks associated with their products, services, and features.
Parental Consent: Requires parental consent for children under 18 to use certain electronic services.
Privacy and Data Security: Emphasizes the protection of children’s personal data and privacy.
Administrative Sanctions: Outlines penalties for non-compliance, including fines and service suspension.

This regulation is a significant step towards creating a safer digital environment for children. If you’re an electronic system provider, tech company, or legal/compliance professional, it’s time to take note!

On 12 April 2025, the Emergency Decree on Digital Asset Businesses B.E. 2561, the primary law governing digital assets in Thailand, was amended.

The amendment is called the Emergency Decree on Digital Asset Businesses (No. 2) B.E. 2568 (the “Emergency Decree (No. 2)”) and had effect immediately upon its publication in the Royal Thai Government Gazette.

The primary focus of Emergency Decree (No. 2) is to clarify and codify the extraterritorial application of the original digital asset law. Businesses subject to the law, called “digital asset business operators,”1 now include those “operating outside the Kingdom of Thailand but providing services to persons within the Kingdom of Thailand, except for those providing services as prescribed by the S.E.C. [The Thai Securities and Exchange Commission].”2

Accordingly, unless falling under an exception prescribed by the S.E.C., digital asset business operators based outside of Thailand but providing services to Thai residents or other persons located in Thailand are now subject to this Thai digital asset law. The S.E.C.’s definition of digital asset business operators includes exchanges, brokers, dealers, fund managers, advisors and custodians dealing with cryptocurrencies or digital tokens.3

Emergency Decree (No. 2) sets forth seven bright-line factors to determine whether a digital business operator is deemed to have provided services to people located within Thailand. This is pursuant to a new Section 26/14:

The digital asset business operator displays content, in whole or in part, in Thai language;
The digital asset business operator is registered using a domain name with the extension “.th” or “.ไทย”, or any other name that signifies Thailand, the Kingdom, or the Kingdom of Thailand, or using a domain name in Thai language;
The digital asset business operator requires or allows for the option of payment to be made in the currency of Thai baht, or accepts payments through electronic money accounts or deposit accounts in Thailand;
There are conditions that require Thai law to be the governing law for digital asset trading transactions, or that require dispute cases be resolved in a Thai court;
Remuneration has been paid to the provider of search engines to specifically facilitate access by users within the Kingdom of Thailand to the digital asset business operator’s services;
There is an office or entity established, or having personnel to support or assist users within the Kingdom of Thailand;
There are any other characteristics as prescribed by the S.E.C.

These seven factors closely resemble those introduced in 2022 in the Royal Decree on the Operation of Digital Platform Service Businesses that are Subject to Prior Notification B.E. 2565 (the “Royal Decree”). The interpretation of those factors may be instructive for determining how the S.E.C. will interpret these seven newly codified factors.5

In contrast to the unofficial “reverse solicitation” safe harbor often invoked by foreign service providers,6 the new seven factors of the Emergency Decree (No. 2) establish a bright-line test when a digital asset business operator is considered to be soliciting customers within Thailand:

Focusing on servicing Thai customers by including Thai language7, by accepting Thai baht payments8, or by having a dedicated office or hiring dedicated staff to service Thai customers9;
Representing a connection with Thailand by having a Thai-based domain name10 or by stating that Thai law is to be the governing law of customer agreements or that Thai courts are to be the forum to settle disputes11; or
Targeting a local Thai location for advertising or marketing12.

The S.E.C. may also add to this list under Section 26/1(7). Further, the S.E.C. may issue interpretative guidance to resolve ambiguities and to add details to the other six factors.

1See Emergency Decree on Digital Asset Businesses B.E. 2561, Section 3

2Unofficial translation of Emergency Decree (No. 2), Section 3. While we have taken every effort to convey meaning and effect accurately in our unofficial translation, we disclaim responsibility and liability if our unofficial translation differs materially from any translation published by the S.E.C. in the future. Only the original Thai version carries legal authority.

3See the Notification of the Ministry of Finance regarding licensing of digital asset businesses B.E. 2561 (Consolidated), Section 2.

4Unofficial translation of Emergency Decree (No. 2), Section 4. While we have taken every effort to convey meaning and effect accurately in our unofficial translation, we disclaim responsibility and liability if our unofficial translation differs materially from any translation published by the S.E.C. in the future. Only the original Thai version carries legal authority.

5Section 10 of the Royal Decree lists seven basic factors with very similar wording to determine whether a foreign service provider has provided services to users located within Thailand. The legal interpretation of these factors may be useful as guidance as to how the Emergency Decree (No. 2) factors will be interpreted. However, we advise caution to not rely completely on prior interpretations of the Royal Decree factors. First, several of the Emergency Decree (No. 2) factors have been written with minor changes to the Royal Decree factors. Second, and more importantly, the Royal Decree is implemented by a different government agency, the Electronic Transactions Development Agency, operating under a different ministry than the S.E.C.

6“Reverse solicitation” is a concept relied upon by some foreign companies to argue that Thai law should not apply to them, even though they provide goods or services to customers within Thailand. The argument is that Thai law should not extend to a foreign goods or service provider if it does not actively solicit customers in Thailand. Instead, if it happens to gain customers in Thailand because those customers reach out on their own to buy its goods or service, then it should not be subject to Thai law. There are uncodified factors that seem to have been at least acknowledged by some Thai regulators to determine whether a goods or service provider solicited the customer in Thailand, or whether the customer reached out and “reverse solicited” the goods or service provider.

7See Emergency Decree (No. 2), Section 26/1(1).

8See Emergency Decree (No. 2), Section 26/1(3).

9See Emergency Decree (No. 2), Section 26/1(6).

10See Emergency Decree (No. 2), Section 26/1(2).

11See Emergency Decree (No. 2), Section 26/1(4).

12See Emergency Decree (No. 2), Section 26/1(5).

Key Highlights:

The Ministry of Environment (“MOE”) issued Prakas No. 2196/0325 dated 18 March 2025 on the liabilities of exclusive manufacturers, importers or suppliers of electrical and electronic equipment concerning e-waste management (“Prakas on E-waste Liability”). The Prakas on E-waste Liability aims to improve the e-waste management practices, reduce environmental impact, and ensure proper handling of e-waste after use.

This Prakas on E-waste Liability serves as an implementing instrument of Section 2, Chapter 4 (liabilities of manufacturers, importers, or suppliers of electrical and electronic products and hazardous waste) of the Code of Environment and Natural Resources, dated 29 June 2023 (“Environmental Code”).

Under the Prakas on E-waste Liability, the exclusive manufacturers, importers or suppliers of electrical and electronic products are required to:
- Be liable for the e-waste management;
- Collect, manage, and treat e-waste after use or disposal. E-waste can be treated by a licensed waste management company or re-exported to the country of origin in accordance with applicable laws of Cambodia;
- Develop their owned e-waste collection system permitted by the MOE; or cooperate with an e-waste collection company permitted by the MOE; and
- Report the quantity and types of imported electrical and electronic products and waste collected after use every six months.

For more detailed information on the Prakas above, please click on download button below.

We are proud to share that DFDL Cambodia acted as lead counsel for the sellers in relation to Grab Inc.’s acquisition of Nham24, Cambodia’s leading food delivery and e-commerce platform. The team comprised of Chris Robinson, Clint O’Connell, Benjamine Medeville and Samnangvathana Sor. This transaction brings together Nham24’s local expertise and Grab’s advanced AI-driven technology, paving the way for innovation and growth in Cambodia’s digital economy. The business combination aims to drive sustainable, long-term growth for on-demand services like food delivery, grocery delivery and ride-hailing in Cambodia, creating more opportunities for everyday entrepreneurs.

We are honoured to have participated in this landmark transaction and look forward to seeing the positive impact that it will bring to the Cambodian economy.

The Government of Vietnam has officially issued Decree No. 147/2024/ND-CP on the management, provision, and use of internet services and online information (“Decree 147“). This new regulation, dated 9 November 2024, will take effect on 25 December 2024, replacing the earlier Decree No. 72/2013/ND-CP (“Decree 72“). This Decree 147 will affect domestic and foreign entities involved in managing, providing, or using internet services and online information, including social network service providers, online application providers, app stores, and online game providers.

Key Updates in Decree 147

1. Stricter Regulations for Social Networks

Under Decree 147, offshore social networks are classified as cross-border information provision services. Foreign enterprises providing such services into Vietnam, if they use data storage services in Vietnam, or they attract over 100,000 visits per month from Vietnam (calculated as an average over six consecutive months), they will have additional obligations beyond those stipulated in Decree 72 (e.g. notifying contact information to the Vietnamese Ministry of Information and Communications (“MIC”) and cooperating with the MIC to handle violations), in particular:

User Data Storage: Providers must store Vietnamese users’ information (full name, date of birth, and Vietnam-based mobile phone number or personal identification number). For users under 16 years old, their accounts must be registered by parents or legal guardians, who are also responsible for monitoring their activity.

Account Verification: User accounts must be verified using a Vietnam-based mobile phone number or, if unavailable, a personal identification number.

Commercial Livestreams: Accounts using livestream features for commercial purposes must undergo verification through personal identification numbers. Only verified accounts can post, comment, livestream, or share content.

Child Protection: Providers must classify and label inappropriate content for children and implement online safety measures.

Content Regulation: Providers must cooperate with Vietnamese authorities to offer search tools, scan content, and establish agreements with Vietnamese press agencies for media use. Unauthorized use of Vietnamese media sources is prohibited.

Compliance and Reporting: Providers must disseminate Vietnamese laws on internet use and cybersecurity to users and submit annual reports to the MIC by 25 November.

Notably, foreign providers that do not notify their contact information to the MIC are prohibited from offering livestream features or conducting revenue-generating activities for Vietnamese users.

2. Changes for Online Game Providers

The cross-border provision of online games remains prohibited, as stipulated in Decree 72. Offshore game publishers must establish a local entity in Vietnam to operate legally.

New Age Categories: A 16+ category has been introduced for games suitable only for users aged 16 and above.

License Name Changes: The “Decision on Approval of Content and Script for G1 Online Games” is now the “Decision on Issuance of G1 Online Games.” Meanwhile, the “Certificate of Notification for Providing G2, G3, G4 Online Game Services” is now the “Certificate of Notification for Issuance of G2, G3, G4 Online Games.”

While licensing procedures remain largely unchanged, technical systems must now manage daily playtime for users under 18, limiting it to: 60 minutes per game, and 180 minutes across all games provided by the same enterprise.

Games must prominently display a warning every 30 minutes: “Playing more than 180 minutes a day will negatively affect health.”

3. Increased Oversight of Offshore App Stores

Foreign app stores face stricter cooperation requirements with local authorities. They must:

Remove illegal applications within 24 hours of receiving written requests from the MIC, the Ministry of Public Security or other authorities;
Adhere to Vietnam’s payment regulations; and
Ensure online game providers present valid approval certificates before uploading games to their platforms.

In addition, Online game providers bear full responsibility for the accuracy of submitted information and documents.

Implications for Enterprises

Decree 147 introduces comprehensive regulations aimed at enhancing state oversight of internet services, particularly those provided by cross-border entities. Both domestic and foreign enterprises must carefully review the new requirements to ensure compliance.

It is strongly recommended that foreign service providers offering cross-border services to Vietnamese users seek legal advice to navigate the decree’s obligations effectively before it comes into effect on 25 December 2024.

The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

On 27 March 2024, the Cyber Security Bill 2024 (“Bill”) was passed by the Dewan Rakyat.

Malaysia does not currently have an all-encompassing cyber security legislation to safeguard digital infrastructure and the cyber domain. Cyber security requirements currently exist across multiple legislations, from the Personal Data Protection Act 2010, the Communications and Multimedia Act 1998, Computer Crimes Act 1997, and others. Regulated entities are also subject to cyber security standards prescribed by the regulating authority, e.g. the Securities Commission of Malaysia has issued the Guidelines on Management of Cyber Risk in October 2016 and the Guidelines on Technology Risk Management in August 2023.

A summary of the key provisions of the Bill is set out below:

1. Applicability

The Bill has extra-territorial effect and applies in relation to any person, regardless of nationality or citizenship, within as well as outside Malaysia where, for the offence in question, the national critical information infrastructure (“NCII”) is wholly or partly in Malaysia.

While the Federal Government and State Governments will be bound by the Bill when it comes into force, they are not liable to prosecution for any offence under it.

2. National Cyber Security Committee (“NCSC”)

The Bill establishes the NCSC which is tasked with the responsibility of, among others:

planning, formulating and deciding on policies relating to national cyber security;
deciding on strategies to address national cyber security matters as well as monitoring the implementation of such strategies;
advising and making recommendations to the Federal Government on policies and measures to strengthen national cyber security;
giving directions to the Chief Executive of the National Cyber Security Agency and NCII sector leads on national cyber security matters; and
overseeing the effective implementation of the Bill when it comes into force.

3. Chief Executive of the National Cyber Security Agency (“Chief Executive”)

The National Cyber Security Agency (NACSA) was established in February 2017 as the national lead agency for cyber security matters. Under the Bill, the Chief Executive has, among others, the following duties:

advising and making recommendations to the NCSC on policies and measures relating to national cyber security, implementing such policies and measures and monitoring the implementation of the foregoing;
collecting, coordinating, evaluating and correlating data, information or intelligence relating to national cyber security and disseminating the foregoing to the NCII sector leads or NCII entities if deemed essential in the interest of national cyber security; and
establishing and maintaining the “National Cyber Coordination and Command Centre System”, a national cyber security system for dealing with cyber security threats and cyber security incidents.

4. NCII Sectors

The following have been specified as NCII sectors under the Bill:

the Government;
banking and finance;
transportation;
defence and national security;
information, communication and digital;
healthcare services;
water, sewerage and waste management;
energy;
agriculture and plantation;
trade, industry and economy; and
science, technology and innovation.

5. NCII Sector Lead(s)

Under the Bill, the Minister charged with the responsibility of cyber security (“Minister”), may, upon the recommendation of the Chief Executive, appoint any government entity or person to be the NCII sector lead(s) for each of the NCII sectors.

Functions of the NCII sector lead(s), in respect of the NCII sector for which it is appointed, include among others:

designating any government entity or person as an NCII entity (further details below);
preparing a code of practice (“Practice Codes”) and guidelines on best practices in relation to cyber security management;
implementing the decisions of the NCSC and directives made under the Bill when it comes into force; and
monitoring and ensuring that NCII entities carry out obligatory duties imposed upon them.

6. NCII Entities

Where an NCII sector lead is satisfied that a government entity or person owns or operates an NCII, such government entity or person may be designated as an NCII entity, provided that a government entity can only be designated as an NCII entity by an NCII sector lead which is itself a government entity. An NCII sector lead may also be designated as an NCII entity by the Chief Executive.

Under the Bill, “NCII” is defined as a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.

NCII entities may lose their designations as an NCII entity where the NCII sector lead or, in the case of an NCII sector lead which has been designated as an NCII entity, the Chief Executive is satisfied that the NCII entity no longer owns or operates any NCII.

7. Requirements of NCII Entities

Under the Bill, NCII entities are required to, among others:

implement the measures, standards and processes as specified in the Practice Codes;
conduct a cyber security risk assessment in respect of the NCII owned or operated;
cause to be carried out an audit by an approved auditor to determine compliance with the Bill;
submit the cyber security risk assessment or audit report to the Chief Executive within 30 days from completion of the assessment or audit;
notify the Chief Executive and the relevant NCII sector lead(s) on any cyber security incident which has or might have occurred in respect of the NCII owned or operated; and
provide information relating to NCII owned or operated upon a request by the NCII sector lead(s) or when the NCII entity procures or has come into possession or control of any additional computer or computer system which, in its opinion, is an NCII.

8. Cyber Security Incidents

Where a cyber security incident report has been made by an NCII entity, under the Bill, the Chief Executive is required to instruct an authorised officer to investigate the cyber security incident to determine if it has in fact occurred and, where it has, determine measures necessary to respond or recover from such incident and prevent a recurrence.

9. Licensing Requirement for Cyber Security Service Providers

Under the Bill, any person who provides a cyber security service or advertises, or in any way holds himself out as a cyber security service provider is required to hold a licence unless the service is being provided by a company to its related company.

The Bill does not specify what constitutes a “cyber security service”, the scope of which is left to the determination of the Minister.

Moving Forward

In compliance with the relevant regulatory guidelines, some regulated entities such as those regulated by the Bank Negara Malaysia, Securities Commission Malaysia, and the Labuan Financial Services Authority would already have cyber security policies, incident reporting obligations, business continuity systems, and emergency communications plans in place. The extension of such cyber security measures to the other identified NCII sectors where NCII sector lead(s) are empowered to issue industry-specific Practice Codes that are tailored to the nuances and unique risks of the industry will further strengthen Malaysia’s cyber security posture.

The establishment of the NCSC as a centralised authority to streamline efforts and ensure coordination among the different NCII sector lead(s) and industry stakeholders is crucial. Malaysia will undoubtedly benefit from a centralised committee to oversee cyber security threats and vulnerabilities of the Malaysian digital ecosystem, with a consolidated view and cohesive approach to identifying such threats and vulnerabilities, assessing cyber risks, and developing a national strategy to implement mitigation measures.

Cyber security has been identified as a tech enabler under the Program Mangkin Malaysia Digital (Pemangkin). In 2023, the Malaysia Digital Economy Corporation (MDEC) allocated RM238 million for the 2023-2025 period to support new initiatives under Pemangkin, including RM45 million for tech enablers. In light of these initiatives, cyber security service providers such as those in the business of penetration testing, independent cyber audits, and cloud security services will inevitably play an increasingly important role in the country’s digital scene. Through the Malaysia Digital initiative, cyber security providers may apply for the Malaysia Digital Status which offers tax incentives, foreign knowledge worker quota and passes, and community benefits such as business matching and partnerships.

The passing of the Bill is laudable and a timely step in the digital age where cyber attackers and defenders are drawn into a continuous cat-and-mouse game amidst the dynamic cyber threat landscape. It demonstrates the country’s commitment to building its digital infrastructure ecosystem to further spur the digital evolution in Malaysia. As Malaysia advances towards a tech-driven economy, bolstering the nation’s cyber security posture with a robust cyber security framework is likely to promote greater confidence among international partners and investors and bring the country closer towards becoming ASEAN’s digital capital.

The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

We are pleased to announce that DFDL is extending its PRC network of collaborating firms through a cooperation agreement with Leaf, a distinguished law firm renowned for its expertise in Greater China, and offices in Shanghai, Beijing and Paris. Leaf’s Sino-European team has been recognized for its expertise on cross-border M&A transactions, corporate finance and fundraising. Leaf also has a significant cybersecurity and data protection law practice complemented by a team of technical experts. This collaboration initiative will strengthen DFDL’s European Desk and allow us to join a hub of professionals to coordinate work for Asian projects from Europe, both inbound and outbound, with a primary focus on European clients.

Established in 1994, DFDL is a leading international legal, tax and investment advisory firm with a robust presence across South-East Asia, boasting twelve offices across 10 countries including Bangladesh, Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam. DFDL and Leaf are multi-awarded law firms highly recognized for their knowledge and understanding of the legal and regulatory landscapes within their respective markets.

We are looking forward to this cooperation to expand our business horizons and, most importantly, to ensure that we continuously deliver seamless service to our valued clients.

For additional information, please feel free to contact Guillaume Massin ([email protected]) and Bruno Grangier ([email protected]).