AI Regulation Tracker / Public consultation
Malaysia Opens Consultation on Its First AI Governance Bill
On July 10, 2026, Malaysia's National AI Office opened a public consultation on a proposed Artificial Intelligence Governance Bill, the country's first attempt at a horizontal, economy-wide AI law. It is a consultation on a proposed Bill, not enacted law, and written feedback is due by July 31, 2026.
On July 10, 2026, the National AI Office published a public consultation paper setting out the shape of a proposed AI Governance Bill and invited written feedback through July 31, 2026. The office runs under the Ministry of Digital.
What the consultation actually is
Two things are worth getting straight before anything else. First, this is a consultation on a proposed Bill, not a statute. The paper describes what a law could look like and asks stakeholders to react to it. No obligation in it binds any firm today. Second, the ambition is horizontal. Malaysia has governed pieces of AI through existing rules on data protection, financial services, and the like. This paper proposes something broader, a single framework that would sit across sectors and cover an AI system from the moment it is developed through deployment and eventual withdrawal.
The paper leans on a risk-based structure. That approach will be familiar to anyone who has worked through the European model. Rather than treating every system the same, it scales the duties to the severity of the harm a system could cause. Published legal analysis of the paper describes three tiers, as described in the consultation paper. At the top, systems built or deployed with an intent to cause harm would be prohibited. In the middle, higher-risk systems that could cause harm without that intent would carry proposed obligations around risk assessment, documentation, internal controls, human oversight, monitoring, and mitigation. At the base, lower-risk systems would still be expected to follow a set of core principles but without the heavier compliance load.
Those core principles run through the whole thing. The paper frames responsible development, deployment, and use around a small set of ideas: human dignity, transparency and explainability, accountability, safety and security, and data governance. The language of "due regard" to these principles is doing real work in the draft, because it sets the standard a developer or deployer would be measured against.
The paper also names mechanisms that matter operationally. As described in the consultation paper, it proposes mandatory incident reporting, so that failures, misuse, or unexpected effects that cause or could cause harm get surfaced to the regulator rather than buried. It proposes a supervised sandbox aimed at startups and smaller firms, a controlled space to test systems without immediately carrying the full weight of the regime. And it contemplates a central authority to hold the safety, investigation and enforcement, and adoption functions in one place.
Who would be on the hook, and where the reach runs
The draft does not aim only at the people who write the models. It splits responsibility across the chain. Developers, in the paper's framing, are the parties that materially shape what a system can do. Deployers are the parties that put a system to work in a real-world setting. Both would carry proposed duties, allocated according to the role each one plays and the control each one holds. Foundation-model providers and system integrators are named as well, which tells you the office is thinking about the full supply chain, not just a single vendor.
The reach is the part that should catch the attention of any firm outside Malaysia. As described in the consultation paper, the framework would apply to AI systems placed on the market or put into service within Malaysia, systems designed, developed, or used in the country, and systems used by a deployer established in Malaysia regardless of where the system is physically hosted. Read that last clause slowly. A cloud-hosted model running on servers in another country would not sit outside the proposed regime simply because of where the hardware lives. If a Malaysian deployer is using it, the paper proposes to reach it.
I want to be careful here, because it is a consultation and the text can change. But the intent is not subtle. This is drafted to follow the AI wherever the economic activity touches Malaysia, in the same way the European rules follow systems into the single market. For a US or global company, that means the relevant question is not "do we have an office in Kuala Lumpur." It is "does any part of our AI touch a Malaysian user, market, or deployer."
What changes for firms operating in or selling into Malaysia
Nothing changes as a matter of law today. That is the honest answer, and it is worth repeating because the headlines will blur it. There is no compliance deadline, no filing requirement, and no penalty attached to this consultation. What changes is the planning horizon.
If you sell AI products or AI-enabled services into Malaysia, the shape of a future obligation is now visible enough to plan against. A tiered, lifecycle-based regime with mandatory incident reporting and a supply-chain allocation of duties, as the paper proposes it, is not a mystery you have to guess at. You can map your systems against the proposed tiers now, in draft form, and see roughly where each one would land and what documentation and oversight it would likely need.
For firms that already run a governance program built for the European rules, much of that work is portable. The vocabulary of risk tiers, human oversight, documentation, and provider-versus-deployer duties overlaps heavily. The gaps to watch are the Malaysia-specific ones: the incident-reporting trigger and its timing, the exact tier definitions, the treatment of foundation-model providers, and how the extraterritorial clauses land in the final text. Those are precisely the points a consultation exists to settle, which is why the comment window matters more than it looks.
For smaller companies and startups, the proposed supervised sandbox is the item to track. A controlled testing lane can be the difference between shipping into a new regime and stalling on compliance uncertainty. If that mechanism survives into the Bill, it becomes a real operational tool, not a footnote.
There is also a straightforward strategic point that US operators tend to underweight. Non-English and emerging-market regimes like this one draw far less English-language coverage than the European or US debates, which means the firms that read the primary text early tend to carry an information edge over competitors who wait for the secondary write-ups.
What to do now
The single most useful action available this week is to file a comment before the window closes. Consultations shape final text, and a regulator building its first horizontal AI law is actively looking for the practical friction points that only operators can see. If a proposed incident-reporting trigger is unworkable at your scale, or a tier definition is ambiguous for your product, this is the venue to say so on the record.
There are three ways to respond, and the deadline for all of them is July 31, 2026. You can complete the official consultation response form linked from the National AI Office consultation page. You can submit comments directly on the Unified Public Consultation platform at upc.mpc.gov.my, where the entry for the proposed Bill accepts file attachments. Or you can email your submission to policy@ai.gov.my, with a phone line at 03-21818090 for questions. Keep the submission specific. A regulator weighs a concrete, scenario-based comment far more heavily than a general statement of support or concern.
Beyond filing, three moves make sense now. Inventory the AI systems you run or sell that touch Malaysia, including anything used by a Malaysian deployer even if it is hosted elsewhere. Sort those systems against the proposed tiers so you know where your exposure would concentrate if the draft became law roughly as written. And assign someone to track the Bill from consultation to introduction, because the gap between a consultation paper and a passed statute is where the details that will actually bind you get decided.
Questions professionals are asking
Is Malaysia's AI Governance Bill now law?
No. What opened on July 10, 2026 is a public consultation on a proposed Bill. It sets out how a future law could work and invites written feedback through July 31, 2026. No obligation in it binds any company today, and the text can still change before any Bill is introduced or passed.
Would the framework reach a company with no office in Malaysia?
As described in the consultation paper, yes, in defined situations. The proposed reach covers AI systems placed on the market or put into service in Malaysia, systems designed, developed, or used there, and systems used by a deployer established in Malaysia regardless of where the system is physically hosted. A model hosted abroad but used by a Malaysian deployer would not sit outside the proposed regime for that reason alone. Because this is a draft, the final scope could shift.
Who would carry the obligations if the Bill passes as drafted?
The paper allocates duties across the chain rather than to a single party. It names developers, deployers, foundation-model providers, and system integrators, with responsibilities assigned according to the role and the level of control each party holds. Higher-risk systems would carry proposed duties such as risk assessment, documentation, human oversight, monitoring, and mitigation.
How do I submit feedback, and by when?
The deadline is July 31, 2026. You can complete the official response form linked from the National AI Office consultation page, submit comments with attachments directly on the Unified Public Consultation platform at upc.mpc.gov.my, or email a submission to policy@ai.gov.my. A specific, scenario-based comment carries more weight with the regulator than a general one.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel in the relevant jurisdiction.