Malaysia's AI Compliance Overhaul 2024–2026: What Professional Services Firms Must Know Now
Malaysia has moved decisively to reshape its artificial intelligence and data protection regulatory environment. Between 2024 and 2026, the country has introduced substantive legislative amendments, established new governance institutions, and signalled that a dedicated AI law is on the horizon. For international professional services firms and global enterprises operating in or with Malaysia, this is not background noise. It is a compliance agenda that demands immediate attention.
The PDPA Has Teeth Now
The Personal Data Protection (Amendment) Act 2024, passed in July 2024 and rolled out across three phases from January to June 2025, represents the most significant overhaul of Malaysia's data privacy framework since the original act came into force. Firms that treated the old PDPA as a lower-priority jurisdiction obligation will need to reassess that position sharply.
The headline changes are substantial. Maximum financial penalties have risen to RM1,000,000, with custodial sentences of up to three years for breaches of core data protection principles. That combination of financial and criminal exposure should concentrate minds at board level, not just in legal and compliance teams.
Two operational obligations carry particular weight for professional services businesses. First, the mandatory appointment of Data Protection Officers (DPOs) for certain entities, effective June 2025, introduces a structural accountability requirement. Firms must determine whether they fall within scope, designate appropriately qualified individuals, and document that decision. Second, a mandatory breach notification regime is now live. Data controllers must notify the Personal Data Protection Commissioner within 72 hours of becoming aware of a personal data breach, and must inform affected individuals without undue delay where significant harm is likely. Seventy-two hours is an unforgiving window, particularly for organisations without a tested incident response process in place.
The expansion of direct obligations to data processors is equally significant. Previously, accountability sat predominantly with data controllers. That has changed. If your firm acts as a processor of Malaysian personal data — handling client data on behalf of another organisation — you now carry direct legal obligations under the amended PDPA. This affects outsourced service providers, managed service firms, legal process outsourcing operations, and professional consultancies handling client datasets.
On cross-border data transfers, the old whitelist approach has been replaced. From April 2025, transfers are permitted where explicit consent is obtained or where the recipient jurisdiction offers comparable protection. This is a more flexible model, but it requires documented assessments and appropriate safeguards rather than a simple jurisdiction check.
AI Governance: A Framework Is Being Built
Alongside the PDPA amendments, Malaysia has been constructing its AI governance architecture from the ground up. The National Guidelines on AI Governance and Ethics (AIGE), launched by the Ministry of Science, Technology and Innovation in September 2024, establish a reference framework built around seven core principles: Fairness; Reliability, Safety and Control; Privacy and Security; Inclusiveness; Transparency; Accountability; and the Pursuit of Human Benefit and Happiness. These guidelines are currently non-binding, but they signal clearly the direction that forthcoming legislation will travel.
The National AI Office (NAIO), established in August 2024 under the Ministry of Digital, functions as the central coordinating body for AI governance and strategy. Its existence matters because it gives Malaysia a single institutional home for AI policy — a prerequisite for coherent, enforceable regulation.
The most significant development on the horizon is the dedicated AI Governance Bill, which the Ministry of Digital anticipates presenting to Cabinet by mid-2026. This legislation will adopt a risk-based model, addressing AI-related harm, incident reporting, ethical principles, and accountability for both developers and deployers of AI systems. The language closely mirrors approaches taken in the EU AI Act, which is not coincidental. Malaysia is designing a framework that will be recognisable and interoperable with international standards.
For professional services firms already navigating the EU AI Act, the UK's AI governance framework, or Singapore's Model AI Governance Framework, Malaysia's trajectory should look familiar. That is useful, but it does not mean compliance is automatic. Local implementation requirements, enforcement bodies, and penalty structures will differ, and firms cannot assume that readiness in one jurisdiction transfers directly to another.
What This Means for International Operations
The practical implications extend well beyond firms with a physical presence in Malaysia. Any organisation that processes the personal data of Malaysian individuals, deploys AI systems that interact with Malaysian clients or employees, or operates as a data processor for Malaysian entities is within scope of the amended PDPA and the emerging AI governance framework.
Global professional services firms — legal, financial, consulting, technology services — face a multi-layered obligation. They must ensure their data protection policies, DPO structures, and breach response procedures meet Malaysian standards, alongside whatever obligations apply in their other operating jurisdictions. Maintaining separate compliance silos for each country is neither efficient nor sustainable. The more practical approach is to build governance frameworks that are designed for multi-jurisdictional application from the outset, using the highest applicable standard as a baseline where possible.
AI system deployment warrants particular scrutiny. The PDPA applies comprehensively to AI systems that process personal data, and the forthcoming AI Governance Bill will add a further layer of accountability for developers and deployers. Firms using AI tools for client-facing services, internal decision-making, or data analytics must assess whether those systems comply with Malaysian consent, transparency, accuracy, and security requirements. That assessment should be documented and reviewed regularly, not treated as a one-time exercise.
The Immediate Compliance Priorities
Firms should not wait for the AI Governance Bill to begin their Malaysia compliance review. The PDPA amendments are already in force, and enforcement is live. The following actions are non-negotiable for any organisation within scope.
Confirm whether your organisation is required to appoint a DPO under the amended PDPA, and if so, ensure that appointment is made and documented. Review your data breach response procedures against the 72-hour notification requirement — if those procedures do not exist or have not been tested, they need to be built and exercised now. Audit your data processor agreements to ensure they reflect the direct obligations now imposed on processors. Assess your cross-border data transfer mechanisms against the new consent and comparable protection standard. And begin mapping your AI systems against the AIGE principles to prepare for the accountability requirements the AI Governance Bill will introduce.
None of this is speculative horizon-scanning. The PDPA obligations are current law. The AI governance direction is confirmed policy. The firms that will manage this transition most effectively are those that treat it as a structured compliance programme rather than a reactive exercise in damage limitation.
How Ops Intel Can Help
Ops Intel works with international professional services firms and global enterprises to build AI and data protection compliance programmes that hold up across jurisdictions. Whether you are assessing your exposure under Malaysia's amended PDPA, preparing for the forthcoming AI Governance Bill, or seeking to align your multi-jurisdictional AI governance approach, our team provides the technical and legal expertise to move from uncertainty to clarity.
To understand where your firm stands and what needs to change, contact Ops Intel today for a compliance assessment.