Online safety in Malaysia: What you should know about the Online Safety Act 2025 and its subsidiary legislation

23 January 2026

On 1 January 2026, the Online Safety Act 2025 (“ONSA”) came into force, together with four sets of subsidiary legislation:

collectively, “Regulations”.

The Malaysian Communications and Multimedia Commission (“MCMC”) also published a media statement and a frequently asked questions document (“FAQ”) to explain, among other things, the purpose of the ONSA and its scope of application.

This article summarises the new statutory framework introduced by the ONSA and the Regulations.

Background

The ONSA is introduced to combat harmful online content and enhance online safety in Malaysia, particularly in view of the recent rise in cyberbullying cases and use of artificial intelligence (AI) to disseminate misinformation and deepfakes without individuals’ consent. The ONSA complements the regulatory framework for social media and internet messaging service providers set out by the Communications and Multimedia Act 1998 (“CMA”).

To recap:

Summary of ONSA

Duties of ASPs and CASPs

With the coming into force of the ONSA and the Regulations, licensed applications service providers (“ASPs”) (including those deemed registered under section 46A of the CMA) and licensed content applications service providers (“CASPs”) (collectively, “Providers”) must comply with the following duties under the ONSA to mitigate the risk of exposure to harmful content:

  • Implement measures to mitigate the risk of exposure to harmful content;
  • Issue guidelines to users;
  • Enable users to manage online safety;
  • Make available a mechanism for reporting harmful content;
  • Make available a mechanism for user assistance;
  • Protect online safety of child users;
  • Establish a mechanism for making priority harmful content inaccessible; and
  • Prepare an online safety plan.

collectively, the “Prescribed Duties”. An overview of the Prescribed Duties can be read in our article “Online Safety Bill 2024: Enhancing online safety in Malaysia”.

The FAQ states that the ONSA only applies to Providers but not the individual users of the online platforms operated by Providers.

Non-compliance with any of the Prescribed Duties may expose Providers to a financial penalty of up to RM10,000,000.

Duties of network service providers

Compared with Providers, licensed network service providers (“NSPs”) have duties that arise only when:

  • a user reports harmful content to the MCMC;
  • the harmful content is hosted outside the service of an ASP or CASP; and
  • the MCMC issues a written instruction to the NSP to restrict the relevant materials within its network service.

In such circumstances, the NSP must:

  • comply with the written instruction within the period as prescribed in the written instruction, making the content permanently inaccessible to all users; and
  • notify the MCMC in writing of any action taken, so that the MCMC can notify the user.

Reporting of harmful content and priority harmful content

The ONSA also distinguishes between “harmful content” and “priority harmful content”. The latter is subject to a shorter response time for Providers when handling user reports.

Summary of Regulations

Online Safety (Form of Undertaking) Regulations 2025

These regulations prescribe the form of undertaking that may be provided by Providers to the MCMC pursuant to section 36(1) of the ONSA, before a notice of non-compliance is issued to them, detailing the actions to be taken to ensure compliance with the Prescribed Duties under the ONSA.

Online Safety (Period) Regulations 2025

These regulations prescribe specific timeframes under the ONSA, principally for the reporting and handling of harmful content under Part IV of the ONSA. Some key prescribed timeframes are set out below:

  • Acknowledgement of a user report: Upon receipt of a user report of any harmful content, the Provider must acknowledge receipt within 1 hour, complete an initial assessment of the report and notify the user of the report’s status within 12 hours of acknowledgement of receipt;
  • Priority harmful content: For priority harmful content (i.e. content on child sexual abuse material and financial fraud), the Provider must immediately make the content inaccessible to all users for 24 hours. If the content is confirmed to be priority harmful content after further assessment, the Provider must make the content permanently inaccessible within one hour from the time of determination that it is a priority harmful content; otherwise, it must be restored within one hour from the time of such determination;
  • Harmful content: For harmful content other than priority harmful content, the Provider must, within four hours from the time the report is not dismissed, make the content inaccessible to all users for 24 hours. If it is confirmed to be harmful content after further assessment, the Provider must make the content permanently inaccessible within 12 hours from the time of determination that it is a harmful content; otherwise, it must be restored within four hours from the time of such determination;
  • Aggrieved User’s inquiry: Any aggrieved user may inquire into the Provider’s action or dismissal of a report within 15 days of notification of its action or dismissal; and
  • Response to an inquiry: Upon receipt of an aggrieved user’s inquiry, the Provider may review its decision and must notify the aggrieved user of its decision within five days (for priority harmful content) or seven days (for non-priority harmful content). 

Non-compliance with the prescribed periods above may result in regulatory action and a fine of up to RM1,000,000.

Online Safety (Online Safety Appeal Tribunal) Regulations 2025

These regulations set out, among other things, the procedure and manner for appealing to the Online Safety Appeals Tribunal by any person aggrieved by a written instruction, determination, direction or decision issued by the MCMC, and the conduct of the hearing.

Online Safety (Fees) Regulations 2025

These regulations stipulate the fees payable to the MCMC in respect of the inspection of and the obtaining of extracts from the register of directions recording MCMC’s directions to Providers and NSPs relating to compliance with the ONSA.

Conclusion and upcoming developments

Providers should ensure full compliance with ONSA by implementing the measures and mechanisms required to enhance online safety in Malaysia.

Further, we set out below the anticipated developments in the online safety landscape in Malaysia:

  • Further subsidiary legislation: The MCMC is likely to issue additional subsidiary legislation in the upcoming months to fill gaps that remain “yet to be prescribed” under the ONSA;
  • Age verification mechanism: One of the forthcoming regulations is expected to prescribe a mandatory age verification mechanism to ensure that users are above a certain age limit. The exact technological solution is still being evaluated by the MCMC; and
  • Lowering of user threshold for deemed registration: The user threshold for internet messaging and social media providers to be deemed registered as ASPs under section 46A of the CMA may be reduced from the current “eight million users in Malaysia” threshold to a lower figure. This potential change would likely bring platforms such as X (formerly Twitter) within the social media licensing regime.

Further information

This article has been prepared with the assistance of Senior Associate Ng Hong Syuen and Pupil Chong Phui Mun.

 

More