The Cybersecurity Act 854 has caused a change in the cybersecurity policy of organizations in Malaysia, putting into place several new cybersecurity measures, risk assessments, and incident response requirements for organizations that deal with critical information. If your business is part of the National Critical Information Infrastructure (NCII), then it is mandatory to comply with the set requirements. At AKATI Sekurity, we make the process of compliance easier through risk assessments, penetration testing (VAPT), security audits and incident response services to ensure that your organization is secure and in full compliance with the necessary regulations.

What Is the Cybersecurity Act 854?

The Cybersecurity Act 854 is the most far-reaching cybersecurity regulation in Malaysia to date. The purpose of this legislation is to support the protection of critical information infrastructure (NCII) and to ensure that cyber security practices are adhered to, and it requires:

• The establishment of the National Cyber Security Committee to provide leadership in cyber security.

• The identification of NCII entities (National Critical Information Infrastructure) to shield vital services including financial, health and telecommunications.

• Strict incident reporting and compliance measures to enhance the effectiveness of the cybersecurity governance model.

• Extra-territorial enforcement, this means that companies located overseas that process critical data of Malaysia are also subject to these standards.

This law is significant because it marks a change in the way cybersecurity is supervised in Malaysia, from a more reactive approach to regulation to a more proactive one.

Who Must Comply with Cybersecurity Act 854?

The Cybersecurity Act 854 applies to National Critical Information Infrastructure (NCII) entities. A NCII entity is an organization that owns or operates cyber systems that are critical to the nation’s security, economy or public services if compromised or attacked. Section 17 of the Cybersecurity Act 854 defines an NCII entity as one that is recognized by the National Cyber Security Agency (NACSA) or the relevant sector lead based on the importance of its infrastructure.

Industries classified as NCII (Schedule 4, Cybersecurity Act 854) include:

01. Government – Ministries, regulatory bodies, and public service agencies
02. Banking & Finance – Banks, insurance companies, stock exchanges, payment service providers
03. Transportation – Airlines, rail networks, shipping & logistics companies
04. Defence & National Security – Military, law enforcement, intelligence agencies
05. Information, Communication & Digital – ISPs, telecom providers, data centers, cloud service providers
06. Healthcare Services – Hospitals, pharmaceutical firms, medical research institutions
07. Water, Sewerage & Waste Management – Utility providers, environmental agencies
08. Energy – Power plants, oil & gas companies, renewable energy providers
09. Agriculture & Plantation – Food production, livestock, agrotech firms
10. Trade, Industry & Economy – Large-scale manufacturers, exporters, economic regulators
11. Science, Technology & Innovation – Research institutions, AI & IoT developers, tech firms

If your organization falls into any of these industries, compliance with Cybersecurity Act 854 is mandatory.

Non-compliance is not an option—violations can lead to severe penalties, including hefty fines and criminal liability for executives.

Key Compliance Requirements Under Cybersecurity Act 854

To comply with this law, organizations must implement several mandatory security measures. Here’s what businesses need to do:

[1] Conduct Cybersecurity Risk Assessments & Audits

Who is affected?

Organizations designated as NCII entities must conduct regular cybersecurity audits and risk assessments to identify vulnerabilities.

Regulatory Requirement:

The Chief Executive of the National Cyber Security Agency (NACSA) has the authority to demand audit reports and verify compliance.

Your Action Plan:

• Partner with a certified cybersecurity provider to conduct penetration testing (VAPT) and security audits.

• Implement continuous security monitoring to detect and respond to threats in real time.

💡 Pro Tip: A trusted cybersecurity firm like AKATI Sekurity can conduct in-depth security assessments tailored to your industry’s compliance needs.

[2] Implement a Cyber Incident Reporting System

Who is affected?

All NCII-designated businesses and cybersecurity service providers.

Regulatory Requirement:

Any cyber incident that affects NCII entities must be reported immediately to the National Cyber Security Agency (NACSA).

Your Action Plan:

• Establish a robust incident response framework to detect, contain, and report breaches swiftly.

• Train IT and security teams to recognize and escalate cybersecurity incidents in compliance with reporting guidelines.

💡 Pro Tip: Companies without an incident response plan risk non-compliance penalties and operational disruptions.

[3] Enforce Cybersecurity Codes of Practice

Who is affected?

All organizations managing critical digital infrastructure.

Regulatory Requirement:

Organizations must adopt industry-standard cybersecurity measures in line with the government’s Cybersecurity Code of Practice.

Your Action Plan:

• Align security policies with ISO 27001, NIST, and other global cybersecurity frameworks.

• Conduct regular compliance audits to ensure adherence to sector-specific security standards.

💡 Pro Tip: Businesses that fail to meet these standards could face operational shutdowns or legal action.

[4] Obtain Licensing for Cybersecurity Service Providers

Who is affected?

Any company that provides penetration testing, SOC services, MDR, or digital forensics.

Regulatory Requirement:

Cybersecurity provider in Malaysia must obtain a government-issued license to operate legally.

Your Action Plan:

• Apply for a cybersecurity service provider license to continue operations in Malaysia.

• Ensure your firm meets regulatory security standards before applying for certification.

💡 Pro Tip: Need help navigating the complex licensing process? AKATI Sekurity offers consulting services to guide cybersecurity firms through compliance procedures.

Penalties for Non-Compliance

Not complying with the Cybersecurity Act 854 has severe legal and financial consequences:

• Penalty of up to RM500,000 for not fulfilling the compliance standards.

• Imprisonment of up to 10 years for corporate officers in charge of cybersecurity oversight.

• Cancelling the licence of cybersecurity service providers who work without the government’s accreditation.

💡 Businesses must prepare now for these penalties and for the fact that they must comply with this new law.

Which Package is Right For You ?

Tip: Many businesses start with Annual Compliance Services. However comprehensive protection comes from 24/7 continuous monitoring & response. 

How AKATI Sekurity Helps You Stay Compliant

In AKATI Sekurity, we assist firms in navigating through complex cybersecurity regulations through security solutions which guarantee full compliance to the Cybersecurity Act 854. Our services include:

• Cyber Risk Assessments & Audits. Our assessment aims to identify risks and vulnerabilities before attackers do.

• Penetration Testing & VAPT. Our VAPT aims to discover vulnerabilities and potential exploitations to ensure that your defenses are unbreakable.

• Incident Response & Forensics. We will provide expert guidance to detect, contain and respond to breaches.

• Security Operations Center (SOC) Services. Our Managed SOC service offers around the clock monitoring for your organization.

💡 Regulatory compliance is more than a legal requirement—it’s a competitive advantage.

Final Thoughts on Cybersecurity Act 854

Cybersecurity is no longer a luxury—it’s a necessity. With Cybersecurity Act 854 now in effect, organizations in Malaysia must prioritize compliance, adopt best security practices, and strengthen their cybersecurity posture.

Proactive security measures today will prevent costly breaches and legal repercussions tomorrow.

Get ahead of compliance challenges with AKATI Sekurity—your trusted cybersecurity consulting company.

📢 Visit www.akati.com to secure your business today.