Malaysia’s Cybercrimes Bill 2026: Why Critics Say It Lets AI Companies Off the Hook

by






Cybercrimes Bill 2026 AI Regulation | Why Critics Say It Misses the Mark






















Krystle & Sean · AI Education

Malaysia’s Cybercrimes Bill 2026: Why Critics Say It Lets AI Companies Off the Hook

Published
·
5 min read

Malaysia Parliament building — Cybercrimes Bill 2026 debate

Malaysia’s Cybercrimes Bill 2026 was tabled in the Dewan Rakyat on 1 July 2026, and while it represents the government’s most ambitious attempt yet to modernise digital offence legislation, a growing chorus of critics — including MPs from both sides of the aisle — argue that the Bill fundamentally misses the point.

At the heart of the debate is a specific and troubling imbalance: the Cybercrimes Bill 2026 AI companies are conspicuously absent from its regulatory reach. Critics say it targets individual users while leaving the powerful artificial intelligence companies that enable these offences entirely unregulated.

For Malaysian SME owners grappling with an increasingly complex digital landscape, this debate isn’t academic — it has real implications for compliance, cybersecurity strategy, and the future of AI adoption in business.

The Core Critique: Punishing the User, Protecting the Platform

Machang MP Wan Ahmad Fayhsal Wan Ahmad Kamal was blunt in his assessment during the debate. While he supported the broad thrust of the Bill, he argued it effectively targets only end users while leaving the structural power of AI tech firms untouched.

“The source of deepfakes continues to operate — the powerful AI companies that help people create deepfakes are still not regulated by law.”

This is the central tension at the heart of the Cybercrimes Bill 2026. The legislation creates new criminal offences for individuals who misuse computer systems — hacking, malware distribution, ransomware attacks, unauthorised data interception, computer-related fraud, and forgery. But it does not impose corresponding obligations on the AI platform providers whose tools make many of these offences possible in the first place.

🔍 Why This Matters for Malaysian SMEs

If you run a small or medium business in Malaysia, your exposure to digital risk is two-sided: you could be a victim of AI-enabled fraud or cyberattacks, and your employees could inadvertently run afoul of new laws by using AI tools without clear compliance guidelines. The Bill, as drafted, addresses neither side adequately.

What the Cybercrimes Bill 2026 Actually Does

Deputy Prime Minister Datuk Seri Dr Ahmad Zahid Hamidi tabled the Bill for its second reading, seeking to repeal the Computer Crimes Act 1997 — a law widely regarded as outdated in an era of generative AI, deepfakes, and sophisticated ransomware-as-a-service.

Key provisions of the Bill include:

  • Expanded computer offences — new definitions for hacking, malware, and ransomware attacks
  • Unauthorised interception — criminalising the interception of communications without lawful authority
  • Computer-related fraud and forgery — covering digital deception and document forgery
  • MyDigital ID protections — specific offences involving the national digital identity service
  • Warrantless search powers — authorising searches without prior warrant in certain circumstances

But critics say these provisions, while welcome in scope, focus disproportionately on symptoms rather than sources.

The AI Accountability Gap

Wan Ahmad Fayhsal raised two specific red flags that deserve close attention from the business community.

First, warrantless searches. The Bill grants authorities the power to conduct searches without a warrant. The MP asked pointedly what oversight mechanisms exist to prevent abuse. For businesses, this raises obvious concerns about data privacy and the potential for overreach — especially for SMEs that may not have legal teams on standby.

Second, the definition of “content that falsely appears to be authentic.” He questioned whether the language was clear enough to avoid being weaponised against legitimate critical voices — including religious scholars, academics, and journalists debating AI ethics and policy.

These concerns echo warnings from the Malaysian Media Council, which called for the Bill to be referred to a parliamentary select committee. The Council cautioned that broad surveillance and interception powers, without adequate statutory safeguards, could create a chilling effect on investigative journalism, whistleblowing, and attorney-client confidentiality.

Dedicated Cybersecurity Units: A Practical Fix

One concrete proposal that emerged from the debate came from Datuk Rosol Wahid (PN-Hulu Terengganu), who highlighted the recent hack of the Health Ministry website on 27 June as evidence that Malaysia cannot rely solely on the Malaysian Communications and Multimedia Commission (MCMC) to protect government systems.

He called for dedicated cybersecurity teams embedded within every ministry. Wan Ahmad Fayhsal backed this call, arguing that more established cybersecurity units are needed across the board to address new and evolving threats.

For Malaysian SMEs, this principle applies equally: a centralised, one-size-fits-all approach to cybersecurity is no longer viable. Every business — regardless of size — needs its own layered defence strategy.

Ethics and AI: The Missing Framework

Perhaps the most provocative argument raised during the debate was the call for a stronger ethical and religious grounding in AI regulation. Wan Ahmad Fayhsal cited Pope Leo XIV’s recent encyclical Magnifica Humanitas and its call for AI to be humanised, urging the government to involve stakeholders beyond the legislative process.

“Without a strong grounding in religion and ethics, this crime will continue to recur and become more complex — because without law and religion, humans will become unruly beasts.”

It’s a reminder that the AI accountability gap isn’t only a legal problem — it’s an ethical one. And for businesses, it signals that the regulatory environment around AI in Malaysia is only going to get more demanding, not less.

What SMEs Should Do Now

The Cybercrimes Bill 2026 is still being debated, and amendments are possible. But the direction of travel is clear: Malaysia is moving toward a more regulated digital environment. SME owners should take three concrete steps:

  1. Audit your AI tooling. Review every AI platform your team uses — from content generation tools to customer-facing chatbots — and assess the compliance risk.
  2. Strengthen internal cybersecurity. Don’t wait for legislation to force your hand. Implement basic controls: multi-factor authentication, employee training, and incident response protocols.
  3. Stay informed. The Bill’s definition of “content that falsely appears to be authentic” could have implications for how you market, communicate, and operate online. Watch the select committee process closely.

Ready to Navigate AI Compliance?

Stay ahead of Malaysia’s evolving regulatory landscape with AutoRunBiz — built for SMEs who need practical, no-fluff guidance on AI governance and digital compliance.

Book a Demo

Cybercrimes Bill 2026
AI regulation Malaysia
Malaysia digital law
AI accountability
SME compliance