From Platform Discretion To Statutory Oversight: Malaysia’s Online Safety Act 2025

The Online Safety Act 2025 (ONSA) came into force on 1 January 2026. Malaysia has now joined a growing group of jurisdictions that do not leave online safety to platform discretion alone. With the coming into force of ONSA, Parliament has introduced a statutory framework aimed squarely at how licensed online service providers manage harmful content, respond to complaints, and design safety into their systems.

Over the past decade, digital platforms have become central to commerce, communication, advertising and public discourse. At the same time, concerns over online fraud, child safety, harassment and impersonation have intensified, often with real-world financial and personal consequences. In announcing the legislation, the Government framed the Act as a necessary response to these risks, particularly the rise in online scams and child sexual exploitation facilitated through digital services.

What distinguishes ONSA from earlier regulatory efforts is its emphasis on process rather than prohibition. The law does not criminalise speech, nor does it seek to police individual users. Instead, it imposes structured duties on licensed service providers to assess risk, implement safeguards, respond within prescribed timelines, and document their approach through an Online Safety Plan. In that sense, it reflects a regulatory direction increasingly seen in the United Kingdom, Australia and the European Union, where online safety is treated as a matter of systems design and governance rather than content censorship.

ONSA At A Glance

The ONSA applies primarily to licensed service providers under the Communications and Multimedia Act 1998. These are Application Service Providers (ASPs), Content Application Service Providers

(CASPs), and Network Service Providers (NSPs), collectively referred to as Licensed Service Providers. Importantly, the Act has extraterritorial reach, meaning that overseas operators may be caught where their services are accessible in Malaysia and fall within the licensing framework.

Of particular practical significance is the deeming provision under Section 46A of the Communications and Multimedia Act 1998. Under this provision, the Minister of Communications issued a ministerial declaration No. 87 of 2025 (with effect from 1 January 2026) and a media statement which provided that all internet messaging and social media service providers with eight million or more users in Malaysia are automatically deemed to be registered as ASP Class licensees and therefore subject to the full suite of ONSA obligations. This brings major international platforms including those operating outside Malaysia squarely within the regulatory framework without requiring a formal licensing application.

The Act defines “harmful content” to include a broad range of material, such as child sexual abuse material, content facilitating financial fraud, and other categories associated with harassment, terrorism or violence and indecent content amongst others. Two categories are elevated as “priority harmful content”, namely child sexual abuse material and financial fraud. These attract heightened obligations and faster response expectations.

A notable exclusion under the Act is private messaging features, as defined, which falls outside the scope of the Act’s principal obligations. However, the Minister retains the power to prescribe additional characteristics by regulation. This reflects a calibrated approach that distinguishes between public or semi-public dissemination and private communications.

Core Obligations And Enforcement Mechanics

The ONSA places defined duties on Licensed Service Providers to manage online harm through identifiable mechanisms mandated under Part III of the Act. These include the obligation to implement measures prescribed under applicable codes to reduce user exposure to harmful content, to maintain mechanisms through which users may report harmful content and seek assistance, and to take action where harmful or priority harmful content is identified. Subsidiary legislation further prescribes response periods for certain actions, converting content moderation into a compliance obligation governed by statutory timelines. Failure to comply with these response periods is an offence attracting a fine of up to RM1 million upon conviction.

A central governance requirement under Part III is the preparation and publication of an Online Safety Plan. Licensed Service Providers must document their approach to risk mitigation, reporting, user protection and compliance, submit the Plan to the Malaysian Communications and Multimedia Commission, and keep it updated. The Act also requires providers to maintain mechanisms specifically capable of rendering priority harmful content, including financial fraud and child sexual abuse material, inaccessible to all users.

Enforcement powers under the Act are extensive. The Commission may require the production of information, accept undertakings before issuing non-compliance notices, and impose financial penalties of up to RM10 million for breaches of statutory duties. The Act also establishes an Online Safety Appeal Tribunal to hear appeals against specified regulatory decisions. Taken together, the framework reflects a move towards ongoing regulatory supervision, with an emphasis on documented controls and accountability rather than reactive enforcement alone.

Business Impact And Concluding Observations

While the ONSA applies directly to Licensed Service Providers, its practical effects extend well beyond regulated platforms. Financial fraud and impersonation are expressly prioritised harms, placing brand owners, advertisers, marketplaces, recruiters and payment-enabled businesses within the Act’s reach. As in the United Kingdom under the Online Safety Act 2023, and in Australia under its Online Safety Act 2021, the effectiveness of the regime will often depend on how quickly platforms can act on credible, well-supported complaints from affected businesses. This is likely to drive greater reliance on structured enforcement procedures, clearer contractual expectations and the strategic use of intellectual property rights (especially for financial fraud and impersonation) to establish misuse.

It is clear that affected service providers are required to appoint a local representative to facilitate communications with the Malaysian Communications and Multimedia Commission and align its online safety procedures and policy with the ONSA.

From a broader perspective, Malaysia’s approach aligns with the direction taken in the EU under the Digital Services Act (2022/2065), where online safety is treated as a matter of platform governance rather than user censorship. Whether the balance struck between regulatory burden and innovation proves optimal remains to be seen. What is clear is the trajectory. Online safety is increasingly embedded into the commercial infrastructure of the digital economy, and businesses that adapt early are likely to navigate this shift with greater confidence.

3 April 2026