Beyond the Act 854 Checklist
Treating the Code of Practice and risk assessments as an operating model rather than paperwork, with the board owning the outcome.
In the early weeks of 2025, a handful of Malaysian companies received a letter that quietly rewrote what their boards were legally responsible for. In several cases the letter came from Bank Negara Malaysia. It informed the recipient that it had been designated as National Critical Information Infrastructure under the Cyber Security Act 2024. For most, the first instinct was to forward it to the head of IT.
That instinct is the subject of this article.
Act 854 came into force on 26 August 2024, having passed Parliament in April and received royal assent in June. It divides the economy into eleven sectors, among them banking and finance, energy, healthcare, water, transportation and government. Within each sector, the sector lead (or, for government entities, the Chief Executive of the National Cyber Security Agency, NACSA) designates specific organisations as NCII entities. Designation is not a label. It is a set of duties.
Three of those duties matter most here. Under Section 21, a designated entity must implement the measures, standards and processes set out in its sector's Code of Practice. Under Section 22, it must conduct a cyber security risk assessment and arrange an independent audit, then submit the report to the Chief Executive within thirty days of completion. Under Section 23, it must notify NACSA of incidents.
The penalties read like a board agenda item rather than an IT memo. Failing to implement the Code of Practice carries a fine of up to RM500,000, imprisonment for up to ten years, or both (Section 21(5)).
The checklist trap
Here is how the duty tends to be absorbed in practice. The entity treats the audit as a recurring event to be survived. NACSA's Chief Executive Directive No. 8, which took effect on 17 July 2025, requires NCII entities to be audited at least once every two years. So the calendar gets a marker, an approved auditor is engaged, findings are gathered, a report is filed inside the thirty-day window, and the organisation exhales. The Code of Practice, meanwhile, lives as a binder on a shared drive. It is read closely twice: once when it is adopted, and once when the auditor asks for it.
This satisfies the letter of the Act. It also wastes the most useful thing the Act gives you.
The structure is already an operating model
Read the duties in sequence and a familiar shape appears. A risk assessment identifies what could go wrong. The Code of Practice sets the measures, standards and processes meant to prevent it. An audit tests whether those controls hold. Findings drive remediation. The next assessment checks whether the fixes worked. That is a control loop, and it is the same loop that sits underneath every credible security operating model.
Run that loop once every two years and it becomes a performance for an external audience. Run it continuously, with the assessment as a living register and the audit as confirmation of what you already know, and the same legal obligation turns into a working management system. The Act does not ask you to choose the second version. It does, however, make the second version far cheaper to defend.
The Act even anticipates maturity. Section 21 lets an entity adopt alternative measures where it can prove equal or higher protection to the Chief Executive, and it explicitly permits layering internationally recognised frameworks on top of the Code of Practice. The compliance floor and the operating ceiling are not the same thing, and Act 854 was written knowing that.
Why the board owns the outcome
The most overlooked sentence in Section 22 is about where the report goes. The audit report is submitted to the Chief Executive of NACSA. If the result is unsatisfactory, the Chief Executive can direct the entity to re-evaluate its risk. The accountability does not rest with the auditor who wrote the report, nor with the CISO who commissioned it. It rests with the entity, which in governance terms means the board.
Regulators elsewhere are moving in the same direction. Gartner's analysis of the top cyber security trends for 2026 notes that boards and executives are increasingly held personally liable for compliance failures, with inaction exposing them to penalties, lost business and lasting reputational damage. Act 854 places a Malaysian board inside that trend whether or not it has noticed.
A board that owns the outcome behaves differently from one that has delegated it. It does not ask whether the audit was passed. It asks which controls in the Code of Practice currently have no named owner, what the residual risk register looked like last quarter, and which remediation items were deferred and why. Those are questions about an operating model. A board whose only question is whether the audit was passed is reading a checklist back to itself.
What the operating model looks like in practice
Four shifts separate the binder from the operating model.
The Code of Practice becomes a control inventory with named owners, not a document. Every measure maps to a person who can describe, in a sentence, how it is enforced and how failure would be detected.
The risk assessment becomes a standing register reviewed on a quarterly cadence, feeding directly into the board's stated risk appetite, rather than a snapshot produced for the auditor.
The audit becomes a verification of a system the entity already runs, which is why mature organisations find audits uneventful. Discovery happening during the audit is itself a finding.
Remediation is written in board language. Not "patch the unsupported server," but "this control gap carries this residual risk, closing it costs this, and leaving it open is a decision the board is making."
None of this requires more than the Act already demands. It requires running the same obligations as a process rather than an event.
Where to start
At your next board meeting, ask for the Code of Practice and put two questions to each major control: who owns this, and how would we know if it failed. If the answers come back in clean sentences, you have an operating model. If the room goes quiet, you have a checklist, and the gap between the two is exactly the distance a NACSA directive, or a breach, will eventually measure.
Sources
Cyber Security Act 2024 [Act 854], Laws of Malaysia. National Cyber Security Agency. https://www.nacsa.gov.my/act854.php
Chief Executive Directive No. 8: Cyber Security-Related Audit for National Critical Information Infrastructure Entities, National Cyber Security Agency (effective 17 July 2025). https://www.nacsa.gov.my/legal.php
Gartner, "Gartner Identifies the Top Cybersecurity Trends for 2026" (5 February 2026). https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026
PwC Malaysia, "Cyber Security Act 2024: A new era for cybersecurity in Malaysia" (2024). https://www.pwc.com/my/en/assets/publications/2024/pwc-my-cyber-security-act-2024-new-era-for-cybersecurity-in-malaysia.pdf
Disclaimer
This article is provided for general information and does not constitute legal advice. Designation as an NCII entity and the specific obligations that follow are determined by NACSA and the relevant sector lead under the Cyber Security Act 2024. Organisations should seek qualified legal counsel and refer to the current text of Act 854, its regulations and any applicable Chief Executive directives when assessing their own compliance position.
Act 854, answered.
The questions Malaysian boards and security leaders ask most about the Cyber Security Act 2024, the Code of Practice and the NCII audit regime.
Act 854 is the Cyber Security Act 2024, which came into force on 26 August 2024. It establishes Malaysia's national cyber security framework, divides the economy into eleven National Critical Information Infrastructure (NCII) sectors, and sets duties for designated NCII entities. Those duties include implementing a Code of Practice, conducting risk assessments and audits, and reporting incidents to NACSA.
Directive No. 8, effective 17 July 2025, requires NCII entities to undergo a cyber security audit by a NACSA-approved auditor at least once every two years, or more frequently if directed. The audit assesses compliance with Act 854, its regulations, Chief Executive directives, codes of practice and guidelines.
Under Section 21(5) of Act 854, an NCII entity that fails to implement the measures, standards and processes in its sector's Code of Practice commits an offence. It is punishable by a fine of up to RM500,000, imprisonment for up to ten years, or both.
Under Section 22, the audit report is submitted to the Chief Executive of NACSA, and an unsatisfactory result can trigger a directive to re-evaluate risk. Accountability rests with the designated entity rather than the auditor or the CISO, which in practice places ownership of the outcome with the board.
NCII entities must conduct cyber security risk assessments and audits within the periods set under the Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024, and audits must occur at least once every two years under Chief Executive Directive No. 8. Reports must be submitted to the Chief Executive within thirty days of completion.