Free scoping call. Four-week gap assessment. Board-ready remediation plan. Get ahead of NACSA before your sector regulator gets ahead of you.
The Cyber Security Act 2024 (Act 854) is Malaysia's first dedicated cyber security statute. It puts NACSA on a statutory footing, establishes designated National Critical Information Infrastructure (NCII) operators, and creates binding obligations on those operators: a sector-specific cyber security code of practice, mandatory cyber security risk assessments, mandatory audits, and a mandatory incident-notification regime with statutory time limits.
For most boards, this is the first time cyber security non-compliance has carried direct statutory criminal liability rather than indirect sectoral penalties.
The Act applies to entities designated as National Critical Information Infrastructure (NCII) operators across 11 sectors: government; banking and finance; transport; defence and national security; information and communications; healthcare; water, sewerage and waste management; energy; agriculture and plantation; trade, industry and economy; and science, technology and innovation. If your sector regulator has identified your assets as NCII, you are in scope.
The Cyber Security Act 2024 (Act 854) came into operation on 26 August 2024. NACSA has issued the Cyber Security (Risk Assessment and Audit Compliance) Regulations 2024 and the Cyber Security (Notification of Cyber Security Incident) Regulations 2024. Designated NCII operators must comply with the cyber security code of practice for their sector and conduct risk assessments and audits on the prescribed cycle.
Section 21 of Act 854 makes failure to comply with NACSA directions an offence. Penalties on conviction can include fines up to RM500,000 and imprisonment up to ten years for the most serious offences, with separate offences for failing to notify incidents within the prescribed time. Beyond statutory penalties, regulator action and reputational damage are material.
We perform a 4-week structured gap assessment against your sector's NACSA Code of Practice and Act 854 obligations: scoping the in-scope NCII assets, mapping your current controls, identifying gaps with risk-rated remediation actions, drafting an incident-notification procedure aligned to the 2024 Regulations, and producing an executive board paper. You leave with a clear, prioritised path to compliance.
Yes. We run a complimentary 45-minute scoping call to confirm whether your organisation is likely in NCII scope, what your sector regulator expects, and what a full readiness engagement would cost and contain. No obligation. Book through the /quote form.
No slide deck, no obligation. We'll tell you straight whether you're likely in NCII scope and what a sensible compliance path looks like for your organisation.