The New Cybercrimes Bill – Necessary Protection Or Overregulating The Digital Space
Introduction
The Cybercrimes Bill 2026 (“the Bill”) would repeal the Computer Crimes Act 1997 and establish a broader Malaysian framework for preventing, investigating and prosecuting cybercrimes.
In its efforts to become a global technological hub by 2030, the Malaysian government designed this Bill to complement the other existing laws on online harm including the Online Safety Act 2025 and the Cyber Security Act 2024, in order to enhance Malaysia’s national cybersecurity.
The Bill has extra-territorial effect where the relevant computer system, programme or computer data is in Malaysia, connected to Malaysia, sent to or used with a Malaysian system, or where the affected person is a Malaysian citizen. This means offshore platform operations may still be caught where Malaysian users, systems or data flows are involved.
Service Providers
A key issue for platforms is the Bill’s broad definition of “service provider”. It covers persons, whether licensed under the Communications and Multimedia Act 1998 or not, who enable users to communicate via computer systems, process or store computer data for communications services or users, or provide information and communication services.
Social media, messaging, hosting and similar services are therefore likely to fall within the Bill’s service-provider duties, data-retention requirements and law-enforcement assistance obligations.
Key Offences
The Bill enhances the CCA’s offences for unauthorised access, interception, interference with computer data or systems, misuse of devices or credentials, computer-related forgery and computer-related fraud.
These provisions primarily target bad actors. However, they have been enhanced and are relevant to platform security, incident response, evidence preservation and cooperation with investigations.
The content-related offences are particularly noteworthy.
- Section 22 recognises the offence of identity theft by criminalising the possession or control of any identity information of another person with the intention to commit or facilitate the commission of an offence.
- Section 23 criminalises making available computer-generated or manipulated audio or visual content that resembles a real person, object, place, entity or event, falsely appears authentic, and is intended to commit or facilitate an offence.
- Section 24 criminalises making intimate images available by means of a computer system, with higher penalties where the conduct is intended to humiliate, harm, coerce or intimidate the person depicted. The explanatory statement expressly covers AI-generated, manipulated or synthesised intimate images, including content generated using generative AI platforms.
The Bill imposes a general duty on service providers to take “necessary measures” to prevent their services from being used for cybercrimes. The scope of “necessary measures” is not clearly defined and creates compliance uncertainty.
An authorised officer, in consultation with the Malaysian Communications and Multimedia Commission, may issue written notices requiring service providers to prevent cybercrimes or assist enforcement, with non-compliance punishable by a fine of up to RM1 million, imprisonment of up to 10 years, or both.
Investigation Powers
The Bill gives the relevant law enforcement authorities sweeping investigation powers, including preservation and disclosure of computer data, real-time collection of traffic data, and interception or retention of content data within a service provider’s technical capability.
The Bill also places an obligation on platforms to supply the authorities with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of recorded information in the computer system or computer data during investigations.
Section 41 of the Bill grants the Public Prosecutor discretionary powers to authorise an enforcement officer to enter any premises and install any device for the interception, retention, collection or recording of content data.
These powers are accompanied by confidentiality obligations and significant penalties for non-compliance.
The Minister may also require service providers to retain specified non-content computer data where necessary for national security or public safety and proportionate to law-enforcement purposes.
Comments
Overall, platforms should expect increased exposure to law enforcement requests, data-handling obligations, confidentiality restrictions and operational requirements to prevent misuse of their services.
Collectively, the social media and internet messaging licensing regime under the Communications and Multimedia Act 1998, the Cyber Security Act 2024, the Online Safety Act 2025 and this Bill create a dense web of regulatory obligations for digital platforms.
While the policy intent of combating cybercrimes and harmful content is well-intentioned, there is a risk of regulatory overreach. The cumulative effect of expansive content-takedown powers, broadly-defined “necessary measures” obligations, mandatory data retention requirements, and wide-ranging enforcement discretions may have an impact on freedom of speech and burden platforms with disproportionate compliance costs.
In practice, law enforcement authorities may focus on policing platform operators rather than pursuing actual threat actors and irresponsible users who create and disseminate harmful content. The scope for regulatory intrusion into user privacy—through data retention and real-time interception powers—also warrants careful monitoring.
A proportionate and effective framework should balance online safety objectives against free expression, privacy interests, and the need to target enforcement resources at those who cause actual harm.
This article is for general informational purposes only and does not constitute legal advice. Please contact us if you require advice on how these developments may affect your business.
-yellow.webp)