
AI Regulation in Malaysia

An overview of the Malaysian regulatory landscape governing artificial intelligence — covering PDPA, sectoral guidelines, national AI policy, and Malaysia's approach to the global AI governance debate.

Last updated May 2026

Malaysia is navigating the global AI governance landscape with a pro-innovation, risk-aware stance. Unlike the European Union — which enacted the binding AI Act (Regulation EU 2024/1689) — Malaysia has not yet introduced a standalone AI statute. Regulation is instead administered through a combination of existing legislation, sector-specific guidelines, and national policy frameworks.

Policy Framework

National AI Roadmap 2021–2025 (NAIR)

Published by the Ministry of Science, Technology and Innovation (MOSTI), the NAIR is Malaysia's primary strategic document for AI. It identifies five pillars:

  1. Governance — establishing responsible AI frameworks and public trust
  2. Investment — attracting AI-related FDI and growing domestic AI companies
  3. Talent — building a pipeline of AI-skilled workers
  4. Data — improving data infrastructure, quality, and access
  5. Adoption — accelerating AI uptake in key economic sectors

The NAIR does not carry legislative force; it guides agency priorities and funding allocation.

MyDIGITAL Blueprint (2021)

Malaysia's overarching digital transformation agenda commits to 25.3% digital economy contribution to GDP by 2025. AI is explicitly named as a key enabler alongside 5G, cloud, and the Industrial Internet of Things (IIoT).

National Fourth Industrial Revolution (4IR) Policy

Focuses on manufacturing and services transformation through automation, AI, and advanced manufacturing. The 4IR Policy coordinates with MITI (Ministry of Investment, Trade and Industry) to attract AI-adjacent FDI.

Applicable Legislation

Personal Data Protection Act 2010 (PDPA)

The PDPA is the primary legislative constraint on AI systems that process personal data of Malaysian data subjects. Key obligations under the seven principles:

  • General Principle — personal data may only be processed with consent or under one of the specified exceptions
  • Notice and Choice — data subjects must be informed of processing purposes
  • Disclosure Principle — data may only be disclosed for the purpose it was collected
  • Security Principle — reasonable security measures are required
  • Retention Principle — personal data must not be retained longer than necessary

PDPA Amendment 2024 — The Personal Data Protection (Amendment) Act 2024 introduced mandatory breach notification (within 72 hours of awareness), a Data Protection Officer (DPO) obligation for prescribed categories of data users, and strengthened enforcement powers for the JPDP (Commissioner's Department).

AI-specific PDPA implications:

  • Automated decision-making is not yet explicitly regulated under PDPA
  • Using personal data to train AI models without consent may constitute a PDPA breach
  • Cross-border transfer of personal data to overseas-hosted LLM APIs (e.g. US-based providers) requires safeguards

Communications and Multimedia Act 1998 (CMA)

Covers online content and communications. The CMA's prohibition on offensive or false content has been applied to deepfakes and AI-generated disinformation, though specific deepfake legislation has been proposed separately.

Financial Services Act 2013 / Islamic Financial Services Act 2013

Bank Negara Malaysia (BNM) regulates AI in financial services through:

  • Risk Management in Technology (RMiT) policy document — requires explainability and human oversight for automated credit decisions
  • Responsible AI in Financial Services guidance (2023) — principles for fairness, accountability, transparency, and ethics (FATE)
  • Stress-testing requirements that now include AI model risk

Securities Commission (SC) Guidelines

The SC's MyFintech initiative governs AI use by capital market intermediaries. Algorithmic trading systems require SC approval and must include circuit-breakers and audit trails.

Enforcement

PDPA enforcement is handled by the JPDP. Penalties under the amended PDPA include fines up to RM 1 million and/or imprisonment for aggravated breaches. To date, enforcement has focused on data breach notification failures and unsolicited direct marketing rather than AI-specific issues, but this is expected to evolve.

Outlook

Malaysia is expected to develop more AI-specific regulation between 2025 and 2028. Key expected developments:

  • Deepfake regulation — proposed amendments to the CMA or a standalone Digital Harms Act
  • PDPA automated decision-making provisions — modelled on GDPR Article 22
  • Sector-specific AI guidelines — MOH for healthcare AI, MCMC for media AI
  • National AI Registry — proposed database of high-risk AI deployments

References

  1. MOSTI (2021). Malaysia National AI Roadmap 2021–2025.
  2. Attorney General's Chambers (2024). Personal Data Protection (Amendment) Act 2024. Laws of Malaysia.
  3. BNM (2023). Responsible AI in Financial Services. Bank Negara Malaysia Discussion Paper.
  4. ASEAN (2023). ASEAN Guide on AI Governance and Ethics (2nd ed.). ASEAN Secretariat.