MALAYSIA’S commitment to integrate cloud services is profoundly reshaping its regulatory framework. Under the MyDIGITAL initiative, the Malaysian government has embraced a “Cloud First Policy”, marking a strategic pivot to enhance dependence on cloud services.

This transformation has reinforced regulatory requirements for cloud services in Malaysia, to guarantee robust data security and privacy for all cloud consumers.

Under the regulatory framework governing the communications and multimedia industry, as established by the Communications and Multimedia Act 1998 (CMA), two main licence categories exist: individual licences, subject to rigorous regulatory control and foreign ownership restrictions; and class licences, designed for easier market access without such restrictions.

Within these principal categories, the CMA provides four sub-categories of licensable activities, one of which is the Applications Service Providers (ASP) licence, which is issued by the Malaysian Communications and Multimedia Commission (MCMC).

Historically, the CMA did not require specific licences for cloud service providers. However, in 2022, the MCMC, recognising the need to ensure data security, introduced the ASP Class – ASP(C)) – licensing requirement for cloud service providers.

For regulatory purposes, the MCMC defines “cloud services” as “any service accessible to end-users via the internet from a cloud computing provider’s server”.

Under the CMA, cloud service categories requiring licensing are Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). The Software-as-a-Service (SaaS) category is exempt as it relies on other cloud service platforms or infrastructures.

ASP (C) licensing is applicable to locally incorporated cloud service providers and data centres offering cloud services to end-users, in the following scenarios - when a locally incorporated company provides PaaS or IaaS cloud services to end-users in Malaysia; when a locally incorporated company offers PaaS or IaaS cloud services for resale by an agent to end-users in Malaysia; and when a local data centre facilitates foreign cloud providers in delivering their PaaS or IaaS cloud services to end-users in Malaysia.

However, in certain scenarios, an ASP(C) licence is not required. For example, when a foreign cloud service provider operates in Malaysia without local incorporation or through a branch, and provides PaaS or IaaS cloud services directly to end-users; or when a locally incorporated company offers SaaS cloud services using outsourced PaaS or IaaS providers; or when agents resell such services from CMA-licensed providers to end-users in Malaysia.

Upon being granted an ASP(C) licence, the cloud service provider is bound by a spectrum of legal obligations. These include complying with legislative instruments under the CMA; indemnifying the minister and the MCMC against any claims resulting from the licensees’ breach of applicable regulations; ensuring safety measures on equipment used; maintaining accurate charging mechanisms; and annual re-registration. Further, all CMA licensees must hold a valid data user registration certificate under the Personal Data Protection Act 2010.

Cloud service providers serving Malaysian financial institutions must be aware of cloud adoption requirements issued by Bank Negara Malaysia (BNM) for financial institutions.

From June 1, 2024, financial institutions must consult BNM prior to first-time adoption of public cloud services for critical systems, and must perform comprehensive risk assessment before deploying such cloud services. This assessment, guided by the central bank’s criteria, necessitates effective oversight over cloud service providers and entails establishing continuous monitoring mechanisms; defining clear accountabilities; conducting periodic assessments; emphasising business resilience and data security; and promptly adapting to changing risk profiles. Cloud service providers must collaborate with financial institutions to fulfil these obligations by providing transparent and proactive communication about any changes impacting outsourcing arrangements.

Cloud service providers should be aware that financial institutions must safeguard customer information and proprietary data when using cloud services, such as by controlling the management of such data, including managing the cryptographic keys. To support compliance with these requirements, cloud service providers can offer solutions such as encryption, access controls, security assessments, and robust disaster recovery planning.

The dynamic growth of Malaysia’s digital economy demands heightened regulatory oversight, which is exemplified by the introduction of ASP(C) licensing requirements and the enhanced risk assessment process for financial institutions considering cloud adoption.

Given the current digital landscape, it is imperative for cloud service providers to ensure compliance and proactively seek legal counsel to navigate regulatory changes effectively.

This article is contributed by Ili Syazwani Shairi of Christopher & Lee Ong (www.christopherleeong.com).