Online Safety Act 2025: Child Protection Code and Risk Mitigation Code Published

25 May 2026

• Age verification measures to ensure only users aged 16 years and above are permitted to register for their service and access any features of their service appropriate for their age. Licensed service providers must verify users’ ages based on records issued by the Malaysian Government (e.g., NRIC, passport, birth certificate) or equivalent records issued or recognised by competent authorities of other jurisdictions. 
• Measures to mitigate the risk of child users encountering harmful content, including among others: (1) clear and accessible reporting mechanisms for child users and parents to report content they believe is harmful; (2) clear and robust systems for the detection and removal of harmful content to ensure these are not accessed by child users; and (3) the taking of proportionate steps to prevent repeated exposure to harmful content that has been reported or removed. 
• Features that allow parents to monitor and manage the online activities of child users, i.e., parental controls. 
• Privacy and safety settings to protect child users, including among others: (1) tools and settings to enable child users to control public visibility of personal information; (2) limiting direct communication features to restrict or prohibit adults who are strangers from communicating with child users; and (3) ensuring privacy and safety settings for child users are age-appropriate and/or set to the highest level by default. 
• Ensuring search and recommendation systems are suitable and appropriate for child users, such as by ensuring harmful content is filtered from search results. 

• Licensed service providers must conduct harmful conduct risk assessments of their services. These assessments must have regard to trends and the user demographics for Malaysia and must be carried out by a skilled and qualified risk assessment team. The RMC requires that assessments be reviewed and updated annually, and for written records to be maintained of all assessments. 
• Based on the findings of the risk assessments conducted, licensed service providers must implement measures to mitigate the risk of users being exposed to harmful content. These include, among others:

• Content management and moderation measures, such as: (1) systems, mechanisms, and procedures for reporting and removing harmful content; and (2) policies to address users communicating harmful content. 
• Measures relating to user control, such as: (1) tools such as filter search and recommendation outputs; (2) ensuring anonymity for users who report harmful content; and (3) awareness-raising measures to enable users to minimise exposure to harmful content. 
• Ensuring content can only be communicated by registered users, and advertisements are only permitted on the service if they are from advertisers verified against government-issued records (e.g., certificates of incorporation for companies, identification documents for individuals). 
• Ensuring generated/ manipulated images which closely resemble real persons, places, etc. are clearly distinguishable through prominent labels or markings. 
• Implementing and enforcing user-safety policies, community standards, community guidelines, and/or terms of service to mitigate the risk of users being exposed to harmful content. These policies must be visible, easily accessible, regularly updated, and written in clear, user-friendly language.