Are You an (NACSA) NCII Entity Without Knowing It?
When Act 854 came into force in August 2024, most Malaysian boards filed it under someone else's problem. The Act protects national critical information infrastructure, and a board that does not run a power grid or a national bank tends to assume the law was written for organisations larger than its own. Section 17 does not read that way. It gives a sector lead the power to designate almost any organisation, including a privately held company, the moment that organisation owns or operates a system whose failure would disrupt an essential service.
That gap, between what a board assumes about its exposure and what the statute actually says, is the subject of this post. Before anyone drafts a compliance plan, the board needs a clear answer to a prior question: is the company in scope at all, and if it is not today, what would put it there tomorrow.
The misconception, named
The common reading of Act 854 is that it covers eleven industries, and that a company either sits inside one of them or it does not. Boards reach for the industry label on their own letterhead, decide they are not "banking" or "energy," and move on.
Section 17 turns on a different test. The Act, published by the National Cyber Security Agency (NACSA), defines national critical information infrastructure as a computer or computer system whose disruption or destruction would have a detrimental impact on the delivery of a service essential to Malaysia's security, defence, economy, public health, public safety, or public order, or on the ability of government to function. The unit of analysis is the system and what depends on it, not the SIC code of the company that runs it.
Section 17 turns on a single test: do you own or operate a computer system whose disruption would damage an essential national service. The industry on your letterhead does not enter into it.
How the designation actually works
Three roles decide who is in scope, and they sit in a clear chain.
The Minister responsible for cyber security appoints a national critical information infrastructure sector lead for each sector, on the recommendation of the Chief Executive of NACSA. The sector lead is the body that knows its own sector well enough to see which systems matter.
Under Section 17, that sector lead may designate any Government Entity or any person as a national critical information infrastructure entity if it is satisfied that the entity owns or operates such infrastructure. Section 18 covers the related case where a sector lead is itself designated as an entity. Section 17 also sets out how a sector lead reaches that judgment: under Section 17(2) it may require an organisation to produce information, particulars, or documents, including details of the function and design of the computer system it owns or operates. The decision is evidence-led, and the evidence is technical.
Once a sector lead is satisfied, designation follows in a defined sequence. The sector lead notifies the Chief Executive of NACSA of the designation and the particulars of the infrastructure involved, and it keeps and maintains a register of the entities it has designated, in the manner the Chief Executive determines. The organisation brought into scope is told in writing.
This is the reassuring half of the answer. In the strict legal sense, a company does not become a designated entity silently. The notice arrives, or it does not.
The unsettling half is everything that happens before the notice, and everything that happens around the edge of it.
The eleven sectors, and why the label misleads
When the Cyber Security Bill passed the Dewan Rakyat in March 2024, the Digital Minister named the eleven sectors on the record: government; banking and finance; transportation; defence and national security; information, communication and digital; healthcare services; water, sewerage and waste management; energy; agriculture and plantation; trade, industry and economy; and science, technology and innovation.
Read that list again with a single question in mind: which Malaysian business of any size does not touch at least one of these. "Trade, industry and economy" and "information, communication and digital" are wide enough to reach a logistics platform, a payment gateway, a hospital scheduling vendor, or a cloud provider serving a regulated client. The Act draws the boundary wider still in its definitions, where a sector covers both information technology systems and operational technology such as industrial control systems and SCADA. The sector boundary is not the filter most boards think it is. The filter is the Section 17 test applied within those sectors: does this specific system, if it went down, take an essential service with it.
The list is also not fixed. Section 62 lets the Minister amend the Schedule of sectors by order published in the Gazette, so a category that does not cover a business today can be widened to reach it later.
A mid-sized company can sit inside one of the eleven sectors, run a system that matters to an essential service, and still have never asked whether a sector lead might one day reach the same conclusion.
Pulled in through someone else's supply chain
There is a second route into scope, and it does not require a notice from a sector lead at all.
A designated NCII entity carries duties it cannot fully discharge alone. It must implement the measures in its sector code of practice, conduct risk assessments and audits, and notify NACSA of incidents affecting the infrastructure it owns or operates. When that infrastructure runs partly on a supplier's platform, the entity manages its own exposure by pushing those requirements down its supply chain through contract terms. The bank does not become compliant on its own; it requires its software vendor, its data centre, and its managed service provider to meet the same standard.
The practical effect is that a firm never named by a sector lead can still find Act 854 obligations written into its customer contracts. The legal duty sits with the designated entity. The operational burden lands on whoever holds the keys to the system. A vendor that supplies three banks may be doing more NCII compliance work, through contractual flow-down, than some entities formally inside the perimeter.
A firm never designated by a sector lead can still inherit Act 854 obligations through the contracts of the customers it serves. The duty stays upstream. The work flows down.
This is the honest resolution to the question in the title. A company will not be a designated entity without knowing, because designation comes with notice. A company can very easily be exposed, through what its systems do or who its customers are, without ever having connected the dots.
What this means for the board
The stakes are not abstract. Once an entity is designated, the duties carry real penalties written into the Act. Under Section 23, failure to notify NACSA and the sector lead of a cyber security incident affecting the infrastructure carries a fine of up to RM500,000, imprisonment of up to ten years, or both. Failure to conduct the required cyber security risk assessment and audit under Section 22 carries a fine of up to RM200,000, imprisonment of up to three years, or both. The audit duty is now governed in detail by the Chief Executive's own directive on cyber security audits, which sets the cadence and the qualifications of approved auditors, and which later posts in this series examine. For a director, this moves cyber security from an operational line item to a matter of corporate liability and regulatory standing.
There is also a timing problem. Designation does not come with a long runway. An entity that has never mapped its own systems against the Section 17 test will be doing that mapping under a clock, after the notice arrives, rather than calmly in advance. The boards that fare worst are not the ones that are in scope. They are the ones that discover they are in scope without having prepared for the possibility.
The scoping exercise to run first
Before any compliance budget is approved, the board should commission a scoping review with four questions. This is deliberately a diagnostic, not a remediation plan. The remediation comes later, once scope is settled.
Map systems to essential services. List the computer systems the company owns or operates, and mark any whose failure would disrupt a service the public, the government, or a regulated customer relies on. This is the Section 17 test applied to your own estate.
Locate yourself in the eleven sectors. Identify every sector your business activities touch, reading the categories broadly rather than narrowly. "We are not a bank" is not an answer; "no system we run supports an essential service in any of the eleven sectors" is.
Trace the customer chain. List customers who are, or are likely to be, designated NCII entities. Their obligations will arrive in your contracts whether or not a sector lead ever contacts you directly.
Assign an owner and a watch. Name the person responsible for monitoring designation activity in your sectors and for reviewing this scoping as the company's systems and clients change. Scope is not a one-time finding.
A review of this kind takes weeks, not quarters, and it tells the board whether the conversation it needs to have is about compliance now, preparedness for later, or neither.
The question before the question
Act 854 is often read as a compliance burden to be managed. It is first a scoping question to be answered. The misconception that the law covers eleven industries, and that a company is either obviously in or obviously out, is the thing that leaves boards unprepared. The Act covers eleven sectors through the systems that run them, and it reaches private companies through Section 17 and through the contracts of the entities they serve.
The board does not need to fear a silent designation. It does need to know, before the notice could ever arrive, whether the company would be ready to answer it. That answer starts with the scoping review, not the compliance plan. The compliance plan is the subject of the posts that follow in this series.
Sources
Cyber Security Act 2024 (Act 854), Sections 15 to 23, 62 and the Schedule, Government of Malaysia. Published by the National Cyber Security Agency (NACSA). https://www.nacsa.gov.my/act854.php
Chief Executive Directive No. 8: Cyber Security Audit for National Critical Information Infrastructure Entities, National Cyber Security Agency (NACSA).
Malaysia's New Cyber Security Act 2024: A Summary and Brief Comparative Analysis, Mayer Brown. https://www.mayerbrown.com/en/insights/publications/2024/12/malaysias-new-cyber-security-act-2024-a-summary-and-brief-comparative-analysis
Cyber Security Act 2024: A New Era for Cybersecurity in Malaysia, PwC Malaysia. https://www.pwc.com/my/en/assets/publications/2024/pwc-my-cyber-security-act-2024-new-era-for-cybersecurity-in-malaysia.pdf
Dewan Rakyat Passes Cyber Security Bill 2024, Malay Mail. https://www.malaymail.com/news/malaysia/2024/03/27/dewan-rakyat-passes-cyber-security-bill-2024/125863
Disclaimer
This article is provided for general information and educational purposes. It summarises selected provisions of the Cyber Security Act 2024 (Act 854) as understood at the time of writing and does not constitute legal advice. The designation of national critical information infrastructure entities, the content of sector codes of practice, and the application of penalties depend on facts specific to each organisation and on guidance issued by NACSA and the relevant sector leads, which may change. Organisations should obtain qualified legal counsel before relying on any statement here to determine their own obligations under the Act.
NACSA Series · Act 854