MCMC issues Risk Mitigation Code and Child Protection Code under the Online Safety Act 2025
3 June 2026
On 22 May 2026, the Malaysian Communications and Multimedia Commission (“MCMC”) published the following new codes under the Online Safety Act 2025 (“ONSA”) which came into effect on 1 June 2026:
- Risk Mitigation Code; and
- Child Protection Code.
(collectively, “Codes”).
This article summarises the Codes and their implications for the relevant service providers.
Background
Pursuant to section 80 of the ONSA, the MCMC is empowered to issue codes prescribing compliance duties for licensed applications service providers and licensed content applications service providers.
The Codes specify outcome-based measures, providing the relevant service providers with the flexibility to implement solutions that are effective, secure, and appropriate for their services. Under the Codes, licensed applications service providers and licensed content applications service providers who utilise internet access service to enable communication between users or to provide content (collectively, “Licensed Service Providers”) must take measures to:
- mitigate the risk of users being exposed to harmful content; and
- ensure the safe use of services by child users.
Summary of Codes
Risk Mitigation Code
Licensed Service Providers must implement the following measures, or alternative measures that are more effective, to mitigate the risk of users being exposed to harmful content:
- Risk assessment: Licensed Service Providers must conduct sufficient risk assessment of their services regarding harmful content exposure, considering factors such as user demographics in Malaysia, service design and features that may increase exposure risks, trends, and platform utilisation during high-risk periods (e.g. national crises). When carrying out a risk assessment, Licensed Service Providers must:
  - establish a skilled and qualified risk assessment team, including expertise in child online safety if the service is likely to be accessed by children;
  - review and update the risk assessment annually;
  - maintain written records of all risk assessments; and
  - process any personal data in accordance with the Personal Data Protection Act 2010 (“PDPA”).
- Risk mitigation: Based on the risk assessment, Licensed Service Providers must implement proportionate and effective mitigation measures, including the following:
  - Content management and moderation: Establish systems for reporting, identifying, assessing, and removing harmful content, and enforce policies against repeat offenders;
  - User empowerment and controls: Provide user-friendly safety tools and settings that are regularly reviewed, implement educational measures, and ensure anonymity for users reporting harmful content;
  - Child safety: Implement specific measures to ensure the safe use of services by child users;
  - Safe design: Implement strict verification mechanisms for users and advertisers (e.g. against Government-issued records), test algorithmic systems, and prominently label generated or manipulated media; and
  - Safety policies: Periodically develop, adapt, and communicate accessible user-safety policies and terms of service, and maintain clear internal procedures for reporting to the relevant enforcement agencies.
Child Protection Code
Licensed Service Providers must implement the following measures (or alternative measures that are more effective) to limit child users’ exposure to harmful content:
- Age verification: Licensed Service Providers that operate social media platforms with at least eight million users in Malaysia must implement effective age verification measures using Government-issued records (e.g. MyKad or passports) or equivalent overseas records to ensure only users aged 16 and above are allowed to register for an account and access age-appropriate features. All personal data collected during verification must be processed in compliance with the PDPA.
- Content moderation: Licensed Service Providers must establish robust systems for detecting and removing harmful content, provide accessible reporting mechanisms for child users and parents, take proportionate steps to prevent repeated exposure to harmful content, and respond promptly to any removal requests from the MCMC or any other enforcement agencies.
- Parental control: Licensed Service Providers must enable clear, user-friendly parental control features, allowing parents to monitor and manage their children’s online activities.
- Privacy and safety settings: Licensed Service Providers must provide privacy and safety settings that allow child users to control public visibility of their personal information, limit direct communication features between unrelated adult users and child users, and limit exposure to manipulative design features.
- Search and recommendation systems: Licensed Service Providers must ensure search and recommendation systems are suitable for child users, by taking proportionate steps to ensure default activation of safe search functions, safe use and management of personalised recommendation systems, and safe design and operation of algorithms.
Consequences of non-compliance
Failure to comply with the Codes may expose a Licensed Service Provider to a financial penalty of up to RM10,000,000 and/or other regulatory actions under the ONSA.
Implementation and upcoming developments
Licensed Service Providers must implement the measures stipulated in the Codes by 1 June 2026. However, for social media services with at least eight million users in Malaysia, a separate grace period will apply specifically for the implementation and completion of the age verification process.
In addition, Licensed Service Providers will soon be required to prepare an online safety plan. The form, manner, and timeline for this requirement will be prescribed in upcoming regulations.
Further information
This article has been prepared with the assistance of Senior Associate Ng Hong Syuen and Associate Muhammad Izzad Danial Bin Yusri Izzudin.