The PMO, in a statement, said Prime Minister Datuk Seri Anwar Ibrahim, as the minister responsible for cyber security, had set the date for Act 854 to come into force after having obtained the royal assent from His Majesty Sultan Ibrahim, King of Malaysia, on June 18.
The notification was published in the Government Gazette on June 26.
The regulations under the Act include the Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 and the Cyber Security (Notification of Cybersecurity Incidents) Regulations 2024.
Also coming into force are the Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024 and the Cyber Security (Compounding of Offences) Regulations 2024.
"These regulations were published in the Government Gazette on Aug 22, 2024," the statement read.
Act 854 was enacted to enhance national cybersecurity by providing for the establishment of the National Cyber Security Committee (JKSN); the duties and powers of the Chief Executive of the National Cyber Security Agency (NACSA); and the functions and responsibilities of the heads of the National Critical Information Infrastructure (NCII) sectors, as well as NCII entities.
It was also drafted to manage cybersecurity threats and incidents involving NCII, to regulate cyber security service providers through licensing, and to provide for related matters.
According to the statement, under the Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024, an NCII entity that owns or operates an NCII must conduct a cybersecurity risk assessment at least once a year.
The entity is also required to carry out an audit at least once every two years or more frequently as may be directed by the Chief Executive in specific cases.
Meanwhile, the Cyber Security (Notification of Cyber Security Incidents) Regulations 2024 stipulates that the authorised person for the NCII entity must immediately notify via electronic means any cybersecurity incident that has occurred or may have occurred.
The authorised person must then submit preliminary details within six hours of the cybersecurity incident being known to the NCII entity through the National Cyber Coordination and Command Centre System (NC4 System).
Furthermore, the authorised person for the NCII entity must provide additional information within 14 days through the NC4 System. The preliminary details and additional information required are outlined in the Cyber Security (Notification of Cybersecurity Incidents) Regulations.
The Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024 applies to individuals and companies providing cybersecurity services related to Managed Security Operation Centre (SOC) Monitoring Services and Penetration Testing Services.
The Cyber Security (Compounding of Offences) Regulations 2024 sets provisions regarding compoundable offences involving subsections 20(6), 20(7), 22(7), 22(8), 24(4), and 32(3).
-- BERNAMA