Malaysia’s new online safety rules kick in today: What changes for social media users?

KUALA LUMPUR, June 1 — Malaysia’s new Risk Mitigation Code (RMC) officially takes effect today, requiring major online platforms and social media providers to introduce stronger measures against harmful content, scams and manipulated media such as deepfakes.

Issued by the Malaysian Communications and Multimedia Commission (MCMC) under the Online Safety Act 2025 (ONSA), the code forms part of the government’s broader push to strengthen online safety protections for users, especially children and vulnerable groups.

The code applies to licensed online service providers operating in Malaysia, including social media services and content platforms licensed under the Communications and Multimedia Act 1998.

Here is what Malaysians need to know about the new rules.

What is the Risk Mitigation Code?

The RMC sets out measures that online platforms must implement to reduce the risk of users being exposed to harmful content on their services.

Platforms are required to assess the risks present on their services and introduce mitigation measures tailored to those risks.

MCMC said the code was introduced in response to growing concerns over online harms such as scams, child sexual abuse material, cyberbullying and harmful manipulated content.

What counts as ‘harmful content'?

Under the code, harmful content includes:

• Child sexual abuse material;
• Financial fraud;
• Obscene or indecent content;
• Content causing harassment or distress;
• Violent or terrorism-related material;
• Content encouraging self-harm among children;
• Content promoting hostility; and
• Content promoting dangerous drugs.

Social media platforms operating in Malaysia are now required to implement stronger safeguards against harmful content, improve reporting systems and verify certain advertisers under the new Risk Mitigation Code. — Picture by Yusof Isa

What must platforms now do?

1. Conduct risk assessments

Platforms are required to carry out what MCMC describes as “suitable and sufficient” harmful content risk assessments.

This means examining how platform features, recommendation systems and user behaviour may expose users to harmful content.

The assessments must also consider periods of heightened risk such as elections or national crises.

For services likely to be accessed by children, platforms must additionally assess child-specific risks, vulnerabilities and online behaviour trends.

Written records of the assessments must be maintained and reviewed annually.

2. Improve reporting and moderation

Platforms must establish systems that allow users to report harmful content easily.

They are also required to implement procedures for the timely identification, assessment and removal of harmful content.

Enforcement measures may include warnings, restrictions, suspensions or account terminations against users who repeatedly spread harmful material.

MCMC said moderation tools and reporting systems must be user-friendly and easily accessible.

Malaysia’s new online safety rules introduce advertiser verification requirements and other measures aimed at reducing online scams and fraudulent advertisements on digital platforms. — Picture by Firdaus Latif

3. Verify advertisers

The code introduces advertiser verification requirements aimed at tackling online scams and fraudulent advertisements.

Paid advertisements for goods or services may only be allowed from advertisers or users verified against government-issued records, including:

• MyKad or NRIC;
• Passports;
• Work permits;
• Business registration documents; and
• Incorporation certificates.

Platforms may use their own systems or third-party verification providers, provided privacy and data protection laws are complied with.

4. Label manipulated and AI-generated content

The code also addresses manipulated or AI-generated content resembling real people or events.

Platforms are required to implement measures enabling users to identify such content and distinguish manipulated material from genuine content.

They must also provide tools and guidance to help users and advertisers disclose when content has been generated or altered using artificial intelligence.

5. Review algorithms and recommendation systems

Platforms are required to test and adapt recommendation systems to reduce users’ exposure to harmful content.

MCMC noted that algorithms can either amplify or limit the spread of harmful material, making their oversight part of the new regulatory framework.

Screenshots of fake TikTok accounts and AI-generated videos impersonating the King, which the Johor Palace has denounced as fraudulent. Online platforms must introduce measures enabling users to identify manipulated and AI-generated content under Malaysia’s new Risk Mitigation Code, which comes into force from June 1, 2026. — Pictures via Facebook/Official Sultan Ibrahim

6. Provide user safety tools

Platforms must provide users with tools to manage their online safety, including:

• Controls over account interactions;
• Filters for search and recommendation outputs; and
• User-friendly safety settings.

The code also requires anonymity and confidentiality protections for users reporting harmful content.

What about privacy?

Personal data collected or processed for risk assessments and verification measures must comply with the Personal Data Protection Act 2010.

MCMC said safety measures must be implemented with due regard for users’ privacy and personal data rights.

What happens if platforms fail to comply?

Failure to comply with the RMC may result in enforcement action under the Online Safety Act 2025.

This could include fines upon conviction or financial penalties of up to RM10 million.

Can the rules change later?

Yes.

MCMC may amend, revise or revoke parts of the RMC from time to time if necessary.

The regulator said the code establishes a minimum baseline for online safety measures while allowing platforms to introduce stronger protections where appropriate.

Why is the government introducing these rules?

The Online Safety Act and Risk Mitigation Code was introduced amid growing concerns over online scams, child exploitation, cyberbullying and harmful content circulating on social media platforms.

Critics have argued that the legislation could be used to curb freedom of speech.

However, legal experts have said the law is aimed primarily at addressing harmful content such as scams, child sexual abuse material and online exploitation rather than regulating lawful expression.

Deputy Communications Minister Teo Nie Ching has previously said the government views the misuse of digital platforms seriously and has been working with social media companies to remove content linked to investment scams, online gambling and the sale of unregistered products.

She noted, however, that no social media platform – like Facebook, Instagram, TikTok and Xiaohongshu – has so far been prosecuted or penalised by Malaysian courts over scam-related advertisements published on their services.

According to Teo, such content is generally uploaded by third-party users, with legal liability depending on the extent of a platform’s role in facilitating its spread.

From January to April this year, authorities recorded 23,367 online scam cases involving losses of RM680.3 million.