Back to Asia Rankings

MALAYSIA: An Introduction to Intellectual Property

Under the leadership of Prime Minister Anwar Ibrahim, Malaysia continues its race to become a high-income country by 2030 under the “Malaysia Madani” national policy. In 2024, Bank Negara reported a strong economic growth of 5.9% in the second quarter driven by stronger domestic demand supported by increased external investments. Malaysia’s recent participation in the BRICS alliance as a partner country is expected to boost Malaysia’s international trade. Also relevant is the upcoming entry of the UK into the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which marks the first free trade agreement between the UK and Malaysia.

To continue this upward momentum, the Malaysian government seeks to achieve a new growth trajectory under the Shared Prosperity Vision 2030 (“theVision”). In the spirit of the Vision, the 13th Malaysia Plan (2026–30) – now in its public consultation stage – will see Malaysia focusing on high-growth, high-value sectors such as digital technology and energy transition.

In line with Malaysia’s aspiration to be a tech-oriented nation, the Malaysian National Intelligence Office (NAIO) was launched in November 2024. The NAIO will serve as the “hub” to boost local participation in AI adoption and advance Malaysia’s aspiration to become the regional spearhead for AI. However, there remains a vacuum of specific legislations governing AI and its related IP issues, posing both challenges and opportunities for industry players who wish to jump on the AI bandwagon. However, this is unlikely to remain the case for long, as the NAIO has been tasked with establishing a regulatory framework for AI technology. Overall, IP will continue to be a critical focus for all stakeholders in 2025 as Malaysia strives to be a key leader in the technology space.

On the IP front, Malaysia remains one of the countries of interest. From January 2024 to May 2024 alone, 20,744 trademark applications and 2,965 patent applications were filed in Malaysia, with more than half of these applications originating from foreign applicants. Local applicants are also becoming more aware of the international trade mark registration system under the Madrid Protocol, leading to an expected increase in its utilisation in Malaysia.

On the patent side, the realm continues its robust growth, with patentees, agents and practitioners alike eagerly awaiting the implementation of the post-grant opposition procedure that is slated for mid-2025. The post-grant opposition procedure offers yet another mode for challenging granted patents – albeit on certain grounds under Section 56 of the Patents Act 1983, before ad hoc committee(s) that will be set up to hear invalidation challenges.

2024 has been a relatively quiet year for IP legislations updates. However, accession to the Hague Agreement on Industrial Designs remains on the table, considering the recent issuance of the second consultation paper on the same. Malaysia is also expected to amend the Industrial Designs Act 1996, given the recent adoption of the Riyadh Design Law Treaty by the World Intellectual Property Organization.

A significant non-IP legislation update is the Cyber Security Act 2024 (CSA). The CSA aims to enhance Malaysia’s cybersecurity and key takeaways for clients are as follows.

  1. Foreign businesses may fall within the purview of the CSA, as the CSA has extraterritorial application where the offence relates to a national critical information infrastructure (NCII) that is wholly or partly in Malaysia. NCII is defined as a computer or computer system whose disruption or destruction would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia or on the ability of the federal or state government to carry out its functions effectively.
  2. The CSA establishes a National Cyber Security Committee (“the Committee”) chaired by the Prime Minister. The functions of the Committee include planning and deciding on policies for national cybersecurity, monitoring the implementation of policies and strategies relating to national cybersecurity, and overseeing the effective implementation of the CSA.
  3. The following sectors have been identified by CSA as NCII sectors:
    1. government
    2. banking and finance
    3. transportation
    4. defence and national security
    5. information, communication and digital
    6. healthcare services
    7. water, sewerage and waste management
    8. energy
    9. agriculture and plantation
    10. trade, industry and economy
    11. science, technology and innovation
  4. A sector lead for each of the NCII sectors will be appointed to – among other things – designate a NCII entity, prepare a sector-specific code of practice, and ensure duties are carried out by the NCII entities.
  5. These duties by NCII entities include:
    1. implementing measures, standards and processes in the code of practice;
    2. conducting a cybersecurity risk assessment according to the code of practice;
    3. undertaking an audit to determine the compliance of NCII entities with the CSA;
    4. notifying the Chief Executive and its NCII sector leads of any actual or potential cybersecurity incident;
    5. carrying out cybersecurity exercises as directed by the Chief Executive; and
    6. complying with various directives issued under the CSA.
  6. The liability for non-compliance with the above-mentioned duties differs based on the type of violation. By way of example, failure of an NCII entity to implement the measures as per the code of practice would result in a criminal conviction and penalties which include a fine up to RM500,000 or imprisonment for up to ten years (or both).
  7. Cybersecurity service providers must hold a valid licence under the CSA before providing any cybersecurity services or advertising themselves as cybersecurity service providers.
  8. The CSA is supported by four subsidiary legislations:
    1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 (the “Audit Regulations”) – notably, the Audit Regulations require NCII entities to conduct a cybersecurity risk assessment at least annually and carry out at least a biennial audit or at such higher frequency as directed by the Chief Executive;
    2. Cyber Security (Notification of Cyber Security Incident) Regulations 2024;
    3. Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024; and
    4. Cyber Security (Compounding of Offences) Regulations 2024.

Given the infancy of this regulatory framework, legal practitioners play a vital role in helping businesses navigate compliance with the CSA.

Another interesting development is the gazetting of the Personal Data Protection (Amendment) Act 2024. The following key amendments to the Personal Data Protection Act 2010 (PDPA) were made to align further with practices in other jurisdictions:

  1. the substitution of “data users” substituted with “data controllers”.
  2. biometric data is recognised as “sensitive personal data”.
  3. data processors are directly obliged to comply with the security principle.
  4. mandatory obligation for data controllers to appoint data protection officers, which extend to data processors who process personal data on behalf of data controllers.
  5. mandatory personal data breach notification requirements.
  6. increased penalties for non-compliance with the personal data protection principles.
  7. a new right of data subject’s right to portability (data subject can now request a data controller to directly transmit their personal data to another data controller of their choice).
  8. personal data of deceased individuals have now been expressly excluded from the PDPA.

As Malaysia continues to evolve with all these strides in place, 2025 promises to be yet another important year filled with growth and innovation.