Key Takeaways
- Malaysia’s Cybersecurity Act 2024 came into force on 26 August 2024. NCII entities must run annual risk assessments, biennial audits, and report cybersecurity incidents to NACSA.
- The PDPA Amendment 2024 makes data processors (including cloud vendors) directly liable under the Security Principle.
- Four controls form the baseline: identity and access management, encryption at rest and in transit, continuous monitoring, and a documented incident response plan.
- ISO/IEC 27001, CSA STAR, and SOC 2 are the international standards procurement teams use to assess cloud provider security.
- The shared responsibility model puts infrastructure security on the cloud provider, but data, access, and configuration remain the enterprise’s job.
- Managed cybersecurity providers in Malaysia must now hold a NACSA licence. Engaging unlicensed vendors creates additional legal exposure.
Two pieces of legislation changed the rules for Malaysian enterprises in the last 18 months. The Cybersecurity Act 2024 came into force in August 2024, and the PDPA Amendment finished rolling out in June 2025. Both land on the same question: Is your cloud environment secure enough to stand up to scrutiny?
If you’re an enterprise running workloads across AWS, Azure, or hybrid environments, the answer depends on how well your controls align with both regulatory and international standards.
In this blog, we take a practical look at what security is required for cloud systems in Malaysian enterprises, the standards your cloud provider should meet, and where the responsibility lies when something goes wrong.
The Regulatory Picture: PDPA, CSA, and Sector Rules
Three frameworks apply to most enterprises with cloud workloads in Malaysia:
- Personal Data Protection Act (Amendment) 2024. Fully in force from 1 June 2025. Data controllers and data processors (including cloud vendors) must meet the Security Principle, appoint a DPO, report breaches within 72 hours, and ensure cross-border transfers go to jurisdictions with equivalent protection.
- Cybersecurity Act 2024 (CSA). In force from 26 August 2024. Entities designated as National Critical Information Infrastructure (NCII) across 11 sectors, including banking, healthcare, government, and energy, must run annual risk assessments, biennial audits, and report incidents to NACSA. Penalties reach RM500,000 and 10 years’ imprisonment for serious violations.
- Bank Negara’s Risk Management in Technology (RMiT). Financial institutions carry an additional regulatory layer covering cloud concentration risk, data residency, and third-party governance.
One change from the CSA deserves attention: managed security service providers now need a NACSA licence to operate in Malaysia. If you’re an enterprise procuring external SOC monitoring or penetration testing, verifying that your vendor holds that licence is now part of your due diligence.
What Security Is Required for Cloud Systems in Malaysia
Regulations describe the outcomes they expect, not the implementation steps that achieve them, so which controls actually satisfy them?
Here’s a checklist of cloud security controls that covers most Malaysian enterprise environments.
Identity and access management (IAM)
- Multi-factor authentication on all privileged accounts
- Role-based access controls tied to job function
- Privileged access management for admin credentials
- Regular access reviews to remove stale permissions
Encryption
- Data is encrypted at rest across all cloud storage and databases
- Encryption in transit using TLS 1.2 or higher for every external-facing service
- Customer-managed keys where data sensitivity warrants it
Continuous monitoring
- Centralised logging across cloud workloads, endpoints, and network traffic
- A SIEM or managed detection and response capability that surfaces anomalies in real time
- 24/7 coverage for incidents that can’t wait for business hours
Incident response
- A documented playbook covering detection, containment, eradication, and recovery
- A breach notification workflow that can meet the PDPA’s 72-hour window
- Tabletop exercises at least annually
Network segmentation
- Production workloads isolated from corporate networks
- Microsegmentation within cloud environments to contain lateral movement
- Zero-trust principles applied to service-to-service communication
Backup and recovery
- Immutable backups stored separately from production
- Tested recovery procedures with measurable RTO and RPO
- Ransomware-specific recovery scenarios, given the 153% annual increase in ransomware incidents Kaspersky reported for Malaysia in 2024
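The IAM items above (MFA on privileged accounts, regular access reviews that remove stale permissions) are the kind of control an auditor will ask you to evidence rather than assert. The following is an added example, not code from the original post: a small access-review check run over a constructed, simplified credential report (user, role, MFA flag, last console login, last access-key use). The 90-day staleness threshold, the privileged role names and the report columns are all assumptions; a real provider’s credential report has more fields but the same shape.

```python
"""Access-review checks over a constructed IAM credential report (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)                  # assumed review threshold
PRIVILEGED_ROLES = {"admin", "security-admin"}    # assumed privileged role names

# Constructed sample report. 'never' marks a credential that has never been used.
SAMPLE_REPORT = """user,role,mfa_active,password_last_used,access_key_1_last_used
alice,admin,true,2026-04-10T08:00:00Z,never
bob,admin,false,2026-04-12T09:30:00Z,2026-04-12T09:31:00Z
carol,developer,true,2025-11-01T10:00:00Z,2025-10-20T10:00:00Z
dave,developer,true,never,2026-04-01T00:00:00Z
erin,auditor,false,2026-03-30T00:00:00Z,never
frank,developer,true,2026-04-14T07:00:00Z,2025-12-01T12:00:00Z
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; 'never' and blanks become None."""
    if value.strip() in ("", "never"):
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(report_csv, now):
    """Return (user, finding) tuples, in report order, for an access review.

    Findings:
      no_mfa_privileged - a privileged account without MFA
      stale_user        - no console login or key use within STALE_AFTER
      stale_access_key  - the key is unused within STALE_AFTER although the user is active
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"].strip().lower() == "true"
        last_pw = parse_ts(row["password_last_used"])
        last_key = parse_ts(row["access_key_1_last_used"])

        if row["role"] in PRIVILEGED_ROLES and not mfa:
            findings.append((user, "no_mfa_privileged"))

        recent = [t for t in (last_pw, last_key) if t is not None and now - t <= STALE_AFTER]
        if not recent:
            # Nothing used recently: the whole identity is a candidate for removal.
            findings.append((user, "stale_user"))
        elif last_key is not None and now - last_key > STALE_AFTER:
            # The person is active but this key is not: rotate or delete the key.
            findings.append((user, "stale_access_key"))
    return findings


def run_sample():
    """Run the review over the constructed report at a fixed 'now'."""
    return review_access(SAMPLE_REPORT, datetime(2026, 4, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Run it and the output is a short list you can attach to the review record: the privileged account without MFA, the identity nobody has used in over 90 days, and the active user whose access key has gone cold. The point of separating `stale_user` from `stale_access_key` is that the remediation differs (remove the identity versus rotate one credential), which is what the reviewer has to decide for each line.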
For any enterprise running regulated data or operating in an NCII sector, these are the fundamental security building blocks.
Enterprise Cloud Security Standards in Malaysia Worth Knowing
International certifications give procurement teams a shorthand for evaluating cloud provider security.
There are three that matter most for Malaysian enterprises:
- ISO/IEC 27001. The global standard for information security management systems (ISMS). A certified organisation has documented security controls, a risk treatment process, and annual surveillance audits. Required by many enterprise procurement teams as a minimum.
- CSA STAR. Cloud-specific certification built on top of ISO 27001 using the Cloud Controls Matrix. Designed specifically for cloud service providers, STAR Level 2 is a third-party audit that maps security controls to cloud-specific risks like multi-tenancy and shared responsibility.
- SOC 2 Type II. An audit report (not a certification) evaluated over a defined period, typically 6 to 12 months. Widely recognised in the US, useful for Malaysian enterprises working with US-based clients or investors.
A provider holding ISO 27001 plus CSA STAR Level 2 covers most enterprise procurement requirements. If your business handles US customer data, add SOC 2 Type II to the list.
Certifications demonstrate process maturity, but they don’t guarantee you’ll be totally free of vulnerabilities. Having continuous evidence (audit logs, pen test reports, control assessments) is just as important.
The Shared Responsibility Model Explained

Most cloud breaches happen on the customer side of the line, not the provider’s, so it’s important to understand the shared responsibility model to do your part in preventing them.
The principle is straightforward: the cloud provider secures the infrastructure. The customer secures what runs on it.
- The cloud provider handles: physical data centre security, network infrastructure, hypervisor hardening, and the availability of the underlying platform.
- The enterprise handles: operating system patching (for IaaS), application security, data classification and encryption, user access and identity, network configuration within their environment, and compliance with applicable regulations.
- Joint effort: incident response coordination, compliance reporting, and monitoring for indicators of compromise.
A misconfigured S3 bucket isn’t AWS’s fault, nor is a compromised privileged account Azure’s problem. Most regulatory penalties and reputational damage follow failures on the customer side of the model.
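Because the misconfigured bucket is the customer’s problem, the customer also has to be the one who catches it. The following is an added example, not code from the original post: two constructed object-storage bucket policies in the AWS-style JSON shape, one that grants anonymous read to everyone and one limited to a single application role, with a check that flags any `Allow` statement granted to a wildcard principal without a condition. The bucket name, account ID and role name are placeholders. The second check looks for the `aws:SecureTransport` deny, which is the bucket-policy way of enforcing the “encryption in transit” item from the checklist; wildcard grants that carry a condition are left for manual review rather than flagged.

```python
"""Flag public bucket policies and check for a TLS-only guardrail (added example)."""
import json

# Constructed: the classic misconfiguration, anonymous read and list on the whole bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: the hardened form, one named role may read, and plaintext transport is refused.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},  # placeholder
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _statements(policy_json):
    """Normalise 'Statement' to a list (the format allows a single object)."""
    statements = json.loads(policy_json).get("Statement", [])
    return [statements] if isinstance(statements, dict) else statements


def _is_wildcard_principal(principal):
    """True for Principal '*' or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return Sids of unconditional Allow statements granted to an anonymous principal."""
    hits = []
    for st in _statements(policy_json):
        if st.get("Effect") != "Allow":
            continue                      # a Deny on '*' is a guardrail, not an exposure
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue                      # conditional wildcard grants: review by hand
        hits.append(st.get("Sid", "<no sid>"))
    return hits


def enforces_tls(policy_json):
    """True if a Deny statement rejects requests made without TLS."""
    for st in _statements(policy_json):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false":
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public statements:", public_statements(policy), "tls-only:", enforces_tls(policy))
```

A policy check like this is a customer-side control in the shared responsibility model: the provider guarantees the policy engine behaves as documented, while whether the policy says “everyone” is entirely the enterprise’s configuration decision. Running it against every bucket policy in an account on a schedule, and feeding the results into the monitoring pipeline, turns a one-off audit finding into continuous evidence.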
Build a Cloud Security Posture That Scales
Meeting all of these requirements with internal staff alone is difficult for any enterprise. Running a 24/7 SOC, maintaining ISO 27001 certification, and keeping pace with regulatory changes require specialised skills that are expensive to hire and harder to retain. A cloud security provider can help you keep it all under control and in compliance.
If you’re running cloud workloads without a clear compliance posture against PDPA and the Cybersecurity Act, operating without 24/7 monitoring, or evaluating managed providers after being designated an NCII entity, it’s best to bring in a NACSA-licensed partner sooner rather than later.
At Net Onboard, our AmplifyControl pillar covers identity, data protection, endpoint security, and security operations for enterprise cloud environments, designed around the Malaysian regulatory context.
Find out how our cloud security services in Malaysia can support your compliance and security programme. Reach out to our team today to see what we can do for you.
References:
1. Cyber Security Act 2024 [Act 854]. Retrieved on 15 April 2026 from https://www.nacsa.gov.my/act854.php
2. Cyber Security Act 2024: A New Era for Cybersecurity in Malaysia. Retrieved on 15 April 2026 from https://www.pwc.com/my/en/assets/publications/2024/pwc-my-cyber-security-act-2024-new-era-for-cybersecurity-in-malaysia.pdf
3. Malaysia’s New Cyber Security Act 2024: A Summary and Brief Comparative Analysis. Retrieved on 15 April 2026 from https://www.mayerbrown.com/en/insights/publications/2024/12/malaysias-new-cyber-security-act-2024-a-summary-and-brief-comparative-analysis
4. CSA Security, Trust, Assurance and Risk (STAR). Retrieved on 15 April 2026 from https://cloudsecurityalliance.org/star
5. Understanding Malaysia’s Cyber Threat Landscape: A 2025 Outlook. Retrieved on 15 April 2026 from https://securityquotient.io/understanding-malaysias-cyber-threat-landscape-a-2025-outlook
6. Countdown to Compliance: Personal Data Protection (Amendment) Act 2024 in Force Starting 1 January 2025. Retrieved on 15 April 2026 from https://www.legal500.com/developments/thought-leadership/countdown-to-compliance-personal-data-protection-amendment-act-2024-in-force-starting-1-january-2025/
Frequently Asked Questions About Cloud Security Requirements in Malaysia
1) What are the key cloud security requirements for enterprises in Malaysia?
A: Enterprise cloud environments in Malaysia must meet three regulatory frameworks: the PDPA Amendment 2024 (data protection and breach notification), the Cybersecurity Act 2024 (risk assessments, audits, and incident reporting for NCII entities), and sector-specific rules such as Bank Negara’s RMiT for financial institutions. Core controls include identity and access management, encryption at rest and in transit, continuous monitoring, documented incident response, network segmentation, and tested backup and recovery procedures.
2) What is an NCII entity under Malaysia’s Cybersecurity Act 2024?
A: NCII stands for National Critical Information Infrastructure. An NCII entity is an organisation whose computer systems, if disrupted, would significantly impact essential services related to Malaysia’s security, economy, or public safety. NCII entities are designated across 11 sectors including banking, healthcare, government, energy, and telecommunications. They must conduct annual risk assessments, undergo biennial audits, and notify NACSA of cybersecurity incidents.
3) What certifications should a Malaysian enterprise look for in a cloud security provider?
A: ISO/IEC 27001 is the global baseline for information security management. CSA STAR is cloud-specific and maps controls to shared responsibility and multi-tenancy risks. SOC 2 Type II is an audit report useful for businesses with US-based clients. A cloud provider holding ISO 27001 plus CSA STAR Level 2 covers most enterprise procurement requirements. For managed security service providers, confirm they hold a NACSA licence under the Cybersecurity Act 2024.
4) Who is responsible for security in a cloud environment?
A: Responsibility is shared between the cloud provider and the customer. The provider secures the physical data centre, network infrastructure, and hypervisor. The customer is responsible for operating system patching (for IaaS), application security, data classification and encryption, user access and identity, and compliance with applicable regulations. Most cloud breaches stem from failures on the customer side, particularly misconfigurations and compromised credentials.
5) Do Malaysian SMEs need to meet the same cloud security requirements as enterprises?
A: PDPA obligations apply regardless of organisation size, so SMEs must meet data protection requirements including breach notification and DPO appointment. Cybersecurity Act obligations only apply to designated NCII entities, which are typically larger organisations. However, SMEs in regulated sectors (financial services, healthcare) or working as suppliers to NCII entities often need to meet equivalent controls contractually.
