-
Market overview: Please provide a high-level overview of the outsourcing market in your jurisdiction (e.g. who are the key players and in what sectors (public and private) are you seeing outsourcing services being adopted)?
Based on our experience, the financial services sector represents a significant and growing source of outsourcing activity. Banks and other financial institutions in Malaysia are among the biggest groups of technology deployers and users, progressively outsourcing non-core functions in order to enhance operational efficiency and focus on core revenue-generating activities. It is perhaps for this reason that Bank Negara Malaysia (“BNM”) has issued two key policy documents to manage the risks of technology outsourcing by financial institutions – the Policy Document on Risk Management in Technology, and the Policy Document on Outsourcing.
In the public sector, technology outsourcing is also frequently carried out. The Malaysian government undertakes many technology-focused projects in the form of public-private partnerships, with the private sector delivering, operating and maintaining the key technology that the government uses in its day-to-day work. Some examples of these partnerships are the development and maintenance of the Immigration Department’s immigration system by HeiTech Padu, and the electronic government services systems that are operated by Zetrix AI Berhad.
Across both public and private sectors, there is a clear shift towards technology-enabled outsourcing models. With the advent of artificial intelligence, data analytics and cloud-based infrastructure, there is an increased demand for specialised service providers capable of delivering end-to-end digital solutions rather than discrete back-office support.
-
Market overview: What is the current attitude of the government and of regulators to the use of outsourcing in your jurisdiction?
Malaysia generally adopts a pragmatic and facilitative approach towards outsourcing, recognising its role in enhancing the operational efficiency and scalability of a corporation.
In the banking and financial services sector, BNM permits technology outsourcing by financial institutions but imposes stringent requirements, particularly where arrangements involve material or critical functions. Depending on the nature and risk profile of the outsourcing, prior regulatory approval may be required. Financial institutions are expected to undertake robust due diligence on service providers, implement comprehensive contractual safeguards, and maintain ongoing monitoring and oversight. Under the Policy Document on Risk Management in Technology published by BNM, the board and senior management of financial institutions bear ultimate responsibility for ensuring effective oversight of outsourced technology services, as well as the implementation of appropriate controls to safeguard data confidentiality and system security.
Electronic money issuers are similarly subject to a distinct, albeit closely aligned, regulatory framework under BNM. Where outsourcing arrangements are assessed as “material”, prior approval from BNM is required before entry into, or material variation of, such arrangements. BNM does not prohibit the outsourcing of material functions. Instead, it places emphasis on effective risk management, including due diligence, continuous monitoring, and periodic review of service providers.
Similarly, within the capital markets sector, the Securities Commission Malaysia (“SC”) regulates outsourcing by Capital Markets Services Licence (“CMSL”) holders. CMSL holders are generally allowed to outsource their internal functions, subject to a requirement to notify the SC within 14 days of entering into a material outsourcing arrangement.
Across sectors, a consistent regulatory theme is that outsourcing does not absolve an organisation of its responsibilities. Regulators emphasise that accountability remains with the outsourcing entity, which must ensure that its service providers are competent, reliable and capable of complying with applicable legal and regulatory standards. This is typically operationalised through thorough due diligence, detailed service level agreements, ongoing performance monitoring, periodic reviews, and audit rights.
Overall, the regulatory stance in Malaysia reflects a calibrated balance. While there is clear recognition of the commercial benefits of outsourcing, including cost efficiencies and economies of scale, this is counterbalanced by a focus on consumer protection, systemic stability and operational continuity.
-
Procurement: Are there specific procurement-related laws or regulations governing outsourcing by public sector or government bodies?
The Parliament of Malaysia passed the Government Procurement Bill (“GP Bill”) on 28 August 2025, and it is expected to come into force in 2026.
Prior to the introduction of the GP Bill, Malaysia did not have a single, comprehensive piece of legislation governing public procurement. Instead, the procurement framework was derived from a combination of treasury instructions and circulars issued by the Ministry of Finance, the Financial Procedure Act 1957 (which regulates the management of public finances), and the Government Contracts Act 1949 (which governs the execution of contracts on behalf of the Government). These instruments, while relevant, are fragmented and not specifically tailored to address procurement in a cohesive manner.
In light of the lack of standardisation and transparency in existing procurement practices, the GP Bill was introduced to streamline the procurement process, reduce reliance on direct negotiations in the award of government contracts, and promote a more level and competitive playing field.
The GP Bill applies to all forms of government procurement, broadly defined as “any procurement for the supply of goods or services or for works funded by the allocation of funds by the Federal Government or any State Government, as the case may be, whether fully or partially, or through the use of any assets owned by the Federal Government or any State Government, as the case may be”. This wide definition captures contracts awarded for projects funded by the Federal Government or State Governments.
The GP Bill introduces several key safeguards to enhance governance and accountability within the procurement process. These include the appointment of a controlling officer and procurement officers to oversee procurement activities, as well as the establishment of a procurement board responsible for reviewing and approving procurements. A tiered approval framework is also introduced, whereby approval authority is determined based on contract value. Notably, procurements exceeding RM50 million (for goods and services) and RM100 million (for works) require the approval of the Minister of Finance or Chief Minister.
Further, the GP Bill mandates that all suppliers and contractors must be registered under a Register of Government Procurement in order to participate in procurement exercises. Applicants must satisfy “fit and proper person” criteria, and the Registrar is empowered to refuse registration on grounds such as prior convictions for corruption, bankruptcy, or offences under the GP Bill. This marks a shift from the existing e-Perolehan system, which primarily functions as a tender management platform rather than a regulatory gatekeeping mechanism.
-
Procurement: Are there specific procurement-related laws or regulations governing outsourcing by private sector organisations?
There is currently no legislation governing outsourcing activities by private organisations in Malaysia, except for industry-specific regulations.
Please refer to our response at question 6 below on industry-specific regulations.
-
Laws and Regulations: Are there any other specific laws or regulations that apply to outsourcing? If not, what key general laws and regulations are most relevant?
Malaysia does not have a single, comprehensive statute specifically governing outsourcing arrangements. However, where the scope of the outsourcing involves the processing of personal data, the Personal Data Protection Act 2010 (“PDPA”) will apply. The majority of the obligations and controls under the PDPA are imposed on the data controllers, and it would be the primary responsibility of data controllers to ensure compliance with the PDPA, even where certain personal data processing activities are outsourced to third-party data processors. In this connection, data controllers would typically (i) require data processors to provide sufficient guarantees in respect of technical and organisational security; (ii) restrict cross-border personal data transfers; and (iii) impose an obligation to notify the data controllers when there is a personal data breach at the data processors’ environment involving the personal data provided by the data controllers.
-
Laws and Regulations: Do any specific regimes apply to outsourcing arrangements in particular sectors (e.g. financial services)?
Certain regulated sectors are subject to specific legal and regulatory frameworks governing outsourcing arrangements, particularly where such arrangements may impact consumer trust, financial stability, or market integrity.
The banking and financial services sectors are regulated by BNM, which permits outsourcing subject to strict regulatory requirements aimed at safeguarding consumer interests and maintaining confidence and stability in the financial system.
Material outsourcing arrangements by financial institutions would require prior approval from BNM. This requirement extends to any subsequent significant modifications to such arrangements, effectively ensuring ongoing regulatory oversight and preventing material deviations from approved terms. Rather than prescribing an exhaustive list, BNM adopts a principles-based approach in assessing materiality, taking into account factors such as: (i) the significance of the outsourced activity to the institution’s operations; (ii) the potential financial, reputational, and operational impact; (iii) the effect on the institution’s ability to serve customers in the event of service failure or security breaches; (iv) the extent to which outsourcing affects internal control; (v) risks to security, confidentiality, and data integrity; (vi) implications for business continuity; and (vii) the complexity of the outsourcing arrangement.
A key regulatory principle is that financial institutions must retain full responsibility and accountability for outsourced functions. The board of directors and senior management remain ultimately responsible and answerable to BNM for ensuring that the institution continues to meet its regulatory obligations and duties to customers, as if the outsourced functions are performed in-house.
Financial institutions are also required to implement robust risk management practices, including comprehensive due diligence on service providers. This includes assessing the provider’s operational capability, financial soundness, business reputation, risk management framework, internal controls, reliance on subcontractors, and geographical considerations.
BNM further requires outsourcing arrangements to be governed by formal written contracts containing adequate safeguards. Relevant clauses that are mandated to be included in the outsourcing contract include provisions on the scope and duration of services, roles and responsibilities, data protection and security measures, audit and regulatory access rights, confidentiality obligations, and termination rights.
In addition, financial institutions must develop and submit a board-approved outsourcing plan to BNM within 3 months of the financial institution’s financial year end. This enables regulatory visibility over the institution’s outsourcing strategy and risk profile.
The insurance sector is likewise regulated by BNM and is subject to similar outsourcing requirements under BNM’s outsourcing framework.
E-money issuers are also regulated by BNM under its Policy Document on Electronic Money and are subject to broadly similar outsourcing requirements, including those relating to approval for material outsourcing arrangements, board accountability, risk management, due diligence, and contractual safeguards.
In the capital markets sector, outsourcing by CMSL holders is regulated by the SC. CMSL holders are prohibited from outsourcing back office functions that involve key decision-making or direct client interaction, in order to preserve accountability and protect consumers. Unlike the BNM framework, prior approval is not required for material outsourcing arrangements. However, CMSL holders must notify the SC within 14 days of entering into, varying, or terminating any material outsourcing arrangement. Similarly, materiality is not defined as a list of activities, but instead is assessed based on factors such as the potential financial, reputational, or operational impact, the effect on clients in the event of failure or breach, and the CMSL holder’s ability to discharge its regulatory obligations.
As with BNM-regulated entities, ultimate responsibility remains with the board and senior management. CMSL holders cannot absolve themselves of liability by delegating functions to third-party service providers. They are also required to promptly notify the SC of any adverse developments in outsourced arrangements that could materially affect their operations or regulatory compliance.
In summary, while Malaysia does not have a unified outsourcing regime of general application, sector-specific regulations, particularly in the financial services and capital markets sectors, impose stringent requirements on outsourcing arrangements. These frameworks reflect a broader policy objective of facilitating operational efficiency and technological adoption, while ensuring adequate safeguards for consumer protection, regulatory oversight, and institutional accountability.
-
Competition law: To what extent might outsourcing arrangements require notification or approval under merger control rules?
Under the current regulatory environment, outsourcing arrangements do not trigger any requirement for notification or approval from a merger control perspective.
Notwithstanding the above, outsourcing arrangements remain subject to the Competition Act 2010 (“CA 2010”), and companies must ensure that such arrangements do not give rise to anti-competitive conduct.
-
Competition law: To what extent are the terms of outsourcing agreements the subject of restrictions under competition law?
The CA 2010 prohibits horizontal and vertical agreements which have the object or effect of significantly preventing, restricting, or distorting competition in any market for goods or services.
In the context of technology outsourcing, this means that certain contractual provisions may be considered anti-competitive if they unduly limit market competition. Examples include clauses requiring customers to procure only from a single IT or cloud provider (exclusive sourcing), mandating the purchase of bundled proprietary hardware or software as a condition of service, or restricting interoperability or integration with competing platforms.
It is important to note that not all such provisions are automatically unlawful. The assessment under the CA 2010 depends on the purpose and intended effect of the clauses, and restrictions may be permissible where they can be objectively justified as a reasonable commercial decision or response. If the clauses are intended to restrict or eliminate competition, the company may fall afoul of the CA 2010.
-
Intellectual property (‘IP’) rights: What IP (registrable and non-registrable) is typically created in the course of an outsourcing arrangement?
When it comes to technology outsourcing arrangements, the nature and extent of IP created will depend on the scope of the outsourcing. Typically, two (2) main types of IP would be most relevant: (i) copyright; and (ii) confidential information and trade secrets.
Copyright: Copyright in Malaysia is regulated under the Copyright Act 1987. In the context of technology outsourcing, source code, object code, software documentation, system specifications, user manuals, training materials, and custom-developed application features will typically attract copyright protection from the moment they are created. Unless agreed otherwise between a customer and an outsource service provider, copyright of a work that is developed under a commission will belong to the person having commissioned the work, and in the case of technology outsourcing, such person will be the customer.
Confidential Information and Trade Secrets: Technology outsourcing inevitably involves confidential information, such as the customer’s business processes, data, system configurations, and security architecture. Where an outsourcing arrangement involves managed services, the service provider will likely be creating further confidential information and/or trade secrets through the use of the customer’s background IP.
-
Intellectual property (‘IP’) rights: In an outsourcing arrangement, would any contractual terms or formal steps be required to vest supplier-created IP in the customer?
Whether contractual terms or formal steps are required to vest supplier-created IP in the customer depends on the category of IP involved.
Copyright is the most commonly created form of IP in a technology outsourcing engagement. Under the Copyright Act 1987, copyright vests initially in the author (the individual(s) who have created the copyright work). However, where a work is commissioned, the copyright is transferred automatically to the commissioning party (being the customer in a technology outsourcing arrangement), provided that parties have not agreed otherwise. In most cases, this may apply to custom software, documentation, and training materials developed specifically for the customer. No formal steps or specific contractual terms would be necessary to give effect to this arrangement, but in practice parties do usually spell out the understanding in contracts to avoid dispute.
When it comes to confidential information and trade secrets, given that they are not regulated by any specific legislation, it would be necessary for customers to expressly state in the outsourcing agreements that ownership of any confidential information and trade secrets created in the course of providing the outsourcing services vests in the customer.
Patents, industrial designs and layout-designs of integrated circuits are less relevant in the context of technology outsourcing, but if any of them are created in the course of an outsourcing arrangement, the right to these IP would follow a position similar to copyright. Where patents, industrial designs or layout-designs of integrated circuits are created pursuant to a commission arrangement, the rights to these IP would generally vest in the customer following the treatment under applicable laws. Similarly, no formal steps or contractual terms would be necessary to give effect to such arrangements.
-
Intellectual property (‘IP’) rights: How are confidential information, know-how and trade secrets protected in your jurisdiction?
In Malaysia, confidential information, know-how, and trade secrets are protected through a combination of common law, equity, contract and operational measures. There is no standalone statutory regime, and as a result, the level of protection available in any given situation depends largely on how these principles are applied and reinforced in practice.
The principal protection for confidential information, know-how and trade secrets is the equitable action for breach of confidence. It generally turns on three (3) core elements: (i) the information sought to be protected has the necessary quality of confidence, in the sense that it is not in the public domain or otherwise readily accessible; (ii) the information was communicated in circumstances importing an obligation of confidence, whether expressly stated or implied from the nature of the relationship; and (iii) there must be an unauthorised use or disclosure of that information to the detriment of the party communicating it.
A key limitation, however, is that Malaysian law does not recognise property rights in pure information. Once information enters the public domain, it will generally lose its confidential character. Even where that loss of confidentiality is the result of a breach, the disclosing party may still have a claim for damages, but the information itself cannot be restored to a protected state. This limitation makes it critical for parties to control the manner and scope of disclosure from the outset.
In practice, contractual protection plays a central role and is often the primary mechanism relied upon, particularly in outsourcing arrangements. This is typically implemented through non-disclosure agreements and confidentiality provisions within the main outsourcing contract. Such provisions would typically define the scope of confidential information, limit its use to the purposes of the engagement, restrict disclosure to third parties, and regulate how the information is to be handled, including access controls and the return or destruction of materials upon termination.
Where a breach occurs, the courts may grant injunctive relief to restrain further use or disclosure, as well as damages or an account of profits. Orders for the return or destruction of confidential materials may also be made, and interim injunctions are available where urgent intervention is required.
-
Data: What is the regime in your jurisdiction for regulating the protection and processing of personal data and what are the main implications for outsourcing arrangements?
The protection and processing of personal data in Malaysia are governed by the PDPA. It regulates the collection, use, processing, and disclosure of personal data in commercial transactions, and imposes obligations on data controllers to ensure that such activities are carried out lawfully.
In particular, personal data may only be processed with the consent of the data subject, and for purposes that have been duly notified to the data subject. Where personal data is disclosed to third-party service providers (including under outsourcing arrangements), the purpose of the disclosure and the class of third parties who may receive the relevant personal data must be communicated to data subjects, usually through a personal data protection notice. In the context of technology outsourcing, compliance with the PDPA is mandatory regardless of whether the contract addresses this obligation. From a risk allocation perspective, service providers will typically require contractual assurances from the client that all necessary consents have been obtained for the collection, use, processing, and transfer of personal data. Indemnities may also be sought to mitigate potential liability arising from non-compliance.
Cross-border transfers of personal data are also subject to restrictions under the PDPA. In general, personal data may not be transferred out of Malaysia unless certain conditions are satisfied, such as where the destination country has a personal data protection law that is substantially similar to the PDPA, or where there are adequate measures in place to ensure the security of the personal data to be transferred. This is particularly relevant where outsourcing involves offshore service providers, cloud storage, or data processing activities conducted outside Malaysia. Customers would typically ensure that outsourcing agreements impose adequate obligations on service providers to implement appropriate technical and organisational security measures to safeguard personal data against unauthorised access, disclosure, or loss, and to provide indemnities in the event of any personal data breach arising from their negligence or breach of contractual obligations.
-
Data: What is the regime in your jurisdiction for regulating the processing of non-personal data and what are the main implications for outsourcing arrangements?
In Malaysia, there is no specific statutory regime that comprehensively regulates the processing of non-personal data. Unlike personal data, which is governed by dedicated legislation, non-personal data is generally not subject to overarching regulatory control.
Notwithstanding this, the use and protection of non-personal data in outsourcing arrangements are typically addressed through contractual clauses and intellectual property (“IP”) mechanisms.
From a contractual perspective, non-personal data (particularly commercially sensitive information, trade secrets or business know-how, such as business strategies, pricing data, technical specifications and client lists) is commonly protected through confidentiality obligations within the outsourcing agreements. Many clients also insist that vendors enter into a non-disclosure agreement (“NDA”) to ensure that service providers use such data strictly for the purposes of performing their contractual obligations and refrain from any disclosure of such data. These provisions act to prevent unauthorised disclosure, misuse of information, or onward transfer of data, including to competitors.
In addition, IP laws may afford protection to certain categories of non-personal data. For instance, proprietary software, source code, databases, and other original works may be protected under copyright law. In the context of technology outsourcing, it is therefore important to clearly address ownership and the rights to use the relevant IPs.
-
Cyber: Does your jurisdiction have specific cybersecurity legislation or regulations and what are the main implications for outsourcing arrangements?
Malaysia has in recent years made significant legislative strides in the cyber security space, most notably with the enactment of the Cyber Security Act 2024 (“CSA”), which came into force on 26 August 2024. Prior to the CSA, Malaysia’s cybersecurity framework was largely fragmented across several statutes of general application, and the CSA represents the first dedicated, comprehensive legislation addressing cyber security as a distinct regulatory subject matter.
The CSA introduces a structured regulatory regime, though its primary focus is on entities designated as owners or operators of National Critical Information Infrastructure (“NCII”) in specific sectors referred to as the NCII sectors. NCII is defined as a computer or computer system the disruption to or destruction of which would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.
Eleven sectors have been designated as NCII sectors: government; banking and finance; transportation; defence and national security; information and communications technology; healthcare services; water, sewerage and waste management; energy; agriculture and plantation; trade, industry and economy; and science, technology and innovation. Within each sector, designated NCII sector lead(s) are responsible for identifying and designating specific NCII entities and formulating sector-specific codes of practice governing cybersecurity standards, measures, and processes.
Once designated as an NCII entity, an organisation is subject to a series of mandatory obligations. It must implement the relevant sector-specific code of practice, conduct cyber security risk assessments at least annually and undergo external cyber security audits at least once every two years. Critically, NCII entities are required to notify both their NCII sector lead(s) and the Chief Executive of the National Cyber Security Agency (“NACSA”) promptly upon becoming aware of a cyber security incident under a stringent notification timeline.
The CSA also introduces a licensing regime for cyber security service providers (“CSSP”). No entity or person may offer cyber security services, advertise as a cyber security service provider, or in any way hold itself out as one unless it holds a valid licence issued by NACSA. The categories of licensable services presently extend to managed security operations centre monitoring and penetration testing services.
For parties in a technology outsourcing arrangement, the CSA has a number of important practical implications. Where the customer is a designated NCII entity, it must ensure that any outsourcing arrangement involving the NCII does not compromise the customer’s ability to meet its statutory obligations. The responsibility for compliance remains squarely with the NCII entity and cannot be delegated to or discharged by the vendor. The customer should therefore ensure that the outsourcing contract imposes cyber security standards on the service provider that are at a minimum consistent with the applicable code of practice issued by the NCII lead(s), that the vendor is obligated to notify the customer promptly of any cyber security incident involving the customer’s NCII to enable the customer to meet its notification obligations, and that the vendor is required to cooperate fully with any investigations or audits directed by NACSA. Where the vendor is itself providing regulated cyber security services, it must hold the appropriate CSSP licence.
-
Technologies: To what extent are certain technologies commonly used in outsourcing arrangements (e.g. artificial intelligence, robotic process automation, cloud computing and blockchain/distributed ledger technologies) the subject of specific regulations?
In Malaysia, technologies commonly used in outsourcing arrangements such as artificial intelligence (AI), robotic process automation (RPA), cloud computing, and blockchain or distributed ledger technologies (DLT) are generally not subject to standalone, technology-specific legislation at this juncture. However, their use may be regulated indirectly through sector-specific frameworks and existing laws, particularly in regulated industries.
Artificial Intelligence (AI)
As at April 2026, Malaysia does not have a dedicated legal framework governing AI. However, the Government is in the process of developing an AI Governance Bill aimed at fostering a responsible and sustainable AI ecosystem. At present, the scope and impact of the proposed legislation, particularly in the context of technology outsourcing, remain uncertain.
Robotic Process Automation (RPA)
RPA is not specifically regulated under Malaysian law.
Cloud Computing
Cloud computing is subject to more stringent regulatory oversight in certain sectors, particularly those regulated by Bank Negara Malaysia (“BNM”), including banking, financial institutions, insurance, and e-money. Under BNM’s Policy Document on Risk Management in Technology, regulated entities are required to consult BNM prior to the initial adoption of public cloud services for critical systems.
Such adoption must be supported by a comprehensive risk assessment and third-party pre-implementation review. Regulated entities are also required to implement robust cloud governance frameworks, including risk management policies and usage controls. Due diligence on cloud service providers must be proportionate to the criticality of the outsourced functions, and contractual arrangements should address, among others, data security, jurisdictional risks, regulatory access, and compliance with local legal and regulatory requirements, including data retention and access for investigative purposes.
Blockchain / Distributed Ledger Technologies (DLT)
Blockchain/DLT is not generally regulated as a technology in itself. However, its application may fall within existing regulatory regimes. For instance, where blockchain is used for payment-related services, it may fall under the purview of BNM, including potential participation in regulatory sandbox frameworks. Similarly, where DLT is deployed within the capital markets space, it may be regulated by the Securities Commission Malaysia, which also operates a sandbox framework for innovative capital markets products and services.
-
Employment law: Do your jurisdiction’s employment laws and regulations have specific implications for outsourcing arrangements?
While Malaysian law does not have a dedicated statutory regime governing outsourcing arrangements, general employment laws, principally the Employment Act 1955 and the Industrial Relations Act 1967, can have significant implications depending on how such arrangements are structured and implemented.
Where the outsourced service is performed by the service provider’s personnel under the service provider’s own control and delivered to the customer as an output, there are generally no employment law implications for the customer.
However, if the outsourcing refers to a situation where the customer requires the service provider to maintain dedicated personnel at the customer’s site who may report to and receive instructions directly from the customer, then there could be employment law implications as the customer could be found to be an employer of the personnel. This would involve a consideration of whether the customer, by virtue of the outsourcing arrangement, exercises sufficient control over the outsourced personnel that an employer-employee relationship is found. Malaysian courts and tribunals will look beyond contractual labels and examine the substance of the relationship, including elements of control, supervision, integration and economic reality in determining whether an employment relationship exists.
The implications of a finding that the customer is the employer of the outsourced personnel are that:
If the service provider does not fulfil its statutory obligations as the employer, the customer can be held liable;
If any of the outsourced personnel are dismissed while providing services to the customer, the customer can be joined as a party to an unjust dismissal claim on the ground that the customer was also the employer at the time of dismissal.
Also, in this outsourcing scenario, the service provider will need to register as a contractor for labour with the Director General of Labour within fourteen days of supplying its employees.
-
Employment law: How are employees transferred under an outsourcing arrangement?
An employee’s contract of employment cannot be assigned or transferred without the employee’s express consent, and outsourcing arrangements are typically for a fixed period of time. Accordingly, outsourcing arrangements in Malaysia do not involve a transfer of employment.
A common approach to assign an employee in an outsourcing arrangement is by way of secondment. Under this structure, the employee remains employed by the original employer (the service provider) but is deployed to perform services for the customer (the host entity) and all instructions given by the host entity to the employee are agreed as being given on behalf of the service provider.
This is typically formalised either through a tripartite arrangement or, more commonly, through two key documents: (i) a secondment or co-sharing agreement between the service provider and the host entity governing commercial terms, responsibilities and risk allocation; and (ii) a secondment letter or agreement between the service provider and the employee governing consent, reporting lines and applicable terms of employment.
The structure is intended to preserve the underlying employment relationship with the service provider. In practice, the service provider remains responsible for salary, benefits and disciplinary control, while the host entity exercises day-to-day operational supervision. The seconded employee continues to be bound by the original contract of employment, subject to limited alignment with the host entity’s workplace policies (e.g. working hours or internal rules). Careful structuring and documentation are therefore essential to balance commercial flexibility with compliance under Malaysian employment law.
-
Tax: What are the general tax considerations in your jurisdiction with implications for outsourcing arrangements?
The most relevant taxes in technology outsourcing arrangements are income tax, withholding tax and service tax.
Income tax: Fees paid by a customer to a service provider are generally deductible in computing the customer’s taxable income if they are wholly and exclusively incurred in the production of income, and are taxable income in the hands of the service provider. For intercompany technology outsourcing, charges must comply with the arm’s length principle under Malaysian transfer pricing rules and guidelines, particularly for shared services and cost allocations.
Withholding tax (WHT): Cross-border payments for software, cloud services, technical support, and subscription fees may attract WHT (generally 10%) if these payments are classified as royalties or technical/management services. Services rendered wholly outside Malaysia are generally not subject to WHT.
Service tax: Technology outsourcing services are prescribed taxable services. Imported digital or IT services are subject to 8% service tax under the reverse charge mechanism, while foreign digital service providers may be required to register and charge service tax. A business-to-business (B2B) exemption may be available for certain taxable services, subject to meeting prescribed conditions.
-
ESG: Are there any specific ESG requirements in your jurisdiction (e.g. relating to carbon emissions, modern slavery, anti-bribery/corruption, waste electronic equipment, etc.), and what are the implications of these for outsourcing arrangements?
Technology outsourcing in Malaysia is increasingly shaped by environmental, social and governance (ESG) requirements under both domestic law and international frameworks.
Environmental
From an environmental perspective, data center and cloud service providers would be the most impacted. Malaysia’s power generation remains heavily dependent on fossil fuels, meaning that high electricity use translates into significant greenhouse gas emissions and a larger carbon footprint. Recognising this, the Energy Efficiency and Conservation Act 2024 requires electricity users consuming more than 21,600 gigajoules annually to appoint a registered energy manager and implement energy management systems.
Data centers generate electronic waste (e-waste) from servers, batteries and cooling equipment. Under SW110 of the First Schedule of the Environmental Quality (Scheduled Wastes) Regulations 2005, e-waste is classified as scheduled waste, and Section 34B of the Environmental Quality Act 1974 mandates e-waste disposal through Department of Environment (DOE)-licensed contractors. Service providers must therefore register with the DOE as generators of scheduled waste.
Malaysia has also introduced the Guidelines for Sustainable Development of Data Centers, which set benchmarks for energy and resource efficiency. These guidelines encourage operators to measure and disclose Power Usage Effectiveness (PUE), Water Usage Effectiveness (WUE) and Carbon Usage Effectiveness (CUE) while promoting renewable energy adoption and advanced cooling technologies. In parallel, the National Energy Transition Roadmap (NETR) provides the country’s long-term framework for decarbonisation and aims for net-zero emissions by 2050. Data centers, as major electricity consumers, are expected to align their operations with NETR targets, and sustainability reporting and efficiency disclosures are a growing expectation in outsourcing contracts.
Social
International frameworks such as the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct and the UN Guiding Principles on Business and Human Rights expect enterprises to respect human rights, conduct due diligence, and provide remediation pathways. Locally, the Employment Act 1955, Industrial Relations Act 1967, and Occupational Safety and Health Act 1994 establish minimum standards for wages, working conditions and union rights. While Malaysian enterprises may be reluctant to interfere directly in how vendors manage their workforce, ESG expectations may require them to exercise contractual leverage by embedding compliance clauses in contracts, requesting audits and acting on adverse findings.
Governance
Governance requirements are generally imposed through a combination of local legislation and international frameworks, depending on the business activities of an enterprise. The Malaysian Anti-Corruption Commission Act 2009 deals with corruption prevention and corruption offences committed by the corporation itself and/or its directors, employees and agents; in particular, section 17A makes a commercial organisation liable for corruption committed by a person associated with it (which can include an outsourcing vendor acting on its behalf), subject to an “adequate procedures” defence. The Personal Data Protection Act 2010 requires enterprises to safeguard personal data, even when it is processed by third-party vendors. International standards such as the United Nations Global Compact (UNGC) Principle 10, the Organisation for Economic Co-operation and Development (OECD) Guidelines for Multinational Enterprises on Responsible Business Conduct and ISO/IEC 27001 reinforce these governance obligations, demanding transparency, anti-corruption measures and robust information security.
-
Cross-border: Do cross-border or multi-jurisdictional outsourcing arrangements raise any specific challenges or concerns in your jurisdiction (e.g. relating to export control or data transfer laws)?
As stated above, the transfer of personal data out of Malaysia is subject to certain restrictions under the PDPA. As a general rule, such transfers are only permitted where the recipient country has a personal data protection law that is substantially similar to the PDPA, or where there is in place an adequate level of protection in relation to the processing of personal data that is at least equivalent to the level of protection afforded by the PDPA.
In practice, assessing whether a foreign jurisdiction meets either of these requirements will require the conduct of a transfer impact assessment (“TIA”), which can be complex, expensive and resource-intensive, especially where multiple jurisdictions are involved. Additionally, where the outcome of a TIA is relied upon to carry out cross-border data transfers, the TIA is only valid for three (3) years. A fresh TIA will have to be conducted in order to continue relying on its outcome after that period, or earlier if there are changes to the personal data protection law of the recipient country before the three-year validity of the TIA expires.
-
Liability: Are there limits on what liabilities can be contractually excluded in your jurisdiction (e.g. are there certain liabilities which cannot be limited or excluded by law)?
In Malaysia, courts generally uphold the principle of freedom of contract in commercial arrangements and will typically give effect to agreed limitations or exclusions of liability, provided that such clauses are clearly and unambiguously drafted. In particular, exclusion clauses must expressly identify the nature and scope of liability being excluded, leaving no room for uncertainty or broad interpretation.
However, there are statutory limits to the extent to which liability may be excluded. Notably, section 29 of the Contracts Act 1950 renders void any contractual provision that absolutely restricts a party’s right to enforce its contractual rights through legal proceedings. The Federal Court in CIMB Bank Berhad v Anthony Lawrence Bourke [2019] 2 CLJ 1 clarified that a clause which effectively negates all remedies, such as one that wholly excludes any claim for losses or damages, may amount to an impermissible restriction under section 29 of the Contracts Act 1950, as it renders the right to legal proceedings illusory, given that no damages or losses can be claimed by the plaintiff.
Accordingly, while parties may limit liability (for example, through caps, exclusions of indirect or consequential losses, or defined carve-outs), a clause that seeks to exclude all forms of liability or deprive a party of any meaningful remedy is likely to be unenforceable.
In the context of technology outsourcing agreements, it is therefore important to ensure that liability provisions strike a balance between risk allocation and enforceability: a clause that goes so far as to render any potential claim futile risks being struck down as void.
-
Disputes and enforcement: How are contractual disputes in outsourcing arrangements typically resolved in your jurisdiction and what remedies are commonly available in relation to contractual breaches?
Contractual disputes are generally resolved through the courts unless the contract provides otherwise. The appropriate forum will depend on the nature and value of the claim, but court proceedings remain available as the default route.
In outsourcing arrangements, parties more commonly adopt alternative dispute resolution (ADR) mechanisms, particularly arbitration. Arbitration is often preferred in technology and cross-border outsourcing contracts due to its confidentiality and the ability to appoint arbitrators with relevant technical or industry expertise. Where adopted, arbitration is governed by the Arbitration Act 2005 and may be administered by the Asian International Arbitration Centre (AIAC) in Malaysia or conducted on an ad hoc basis.
The primary remedy for breach is damages, intended to compensate the affected party for losses suffered. Courts may also grant injunctive relief to restrain ongoing or threatened breaches, particularly where confidential information or IP is involved, and may order specific performance where damages are not sufficient. Interim relief may be available to preserve the position pending resolution of the dispute.
Outsourcing contracts typically also include a structured set of contractual remedies. These often include service credits for service level failures, termination rights for material breach or persistent non-performance, and indemnities for defined risks.
IP indemnities are common – these usually require the vendor to indemnify the customer against third-party infringement claims, subject to conditions such as prompt notification, the vendor having control over the defence and settlement, and the claim not arising from misuse or unauthorised modification by the customer. In addition to indemnifying losses, the vendor is often required to take remedial steps if infringement arises. This may include procuring the right for continued use, modifying the deliverables to avoid infringement, or replacing them with a functionally equivalent alternative. If these options are not feasible, the contract may provide for a refund or termination.
The outcome will depend largely on the agreed dispute resolution mechanism and the contractual allocation of risk, including any limitations of liability and indemnity provisions.
-
Disputes and enforcement: What, if any, other enforcement measures are typically relevant to outsourcing arrangements (e.g. regulatory fines and other sanctions)?
Regulatory enforcement is often the primary concern in outsourcing arrangements, particularly in regulated sectors. Where outsourcing involves critical systems or regulated activities, the customer remains responsible for compliance with applicable laws and regulatory requirements, such as those imposed under BNM’s Policy Document on Outsourcing and the Policy Document on Risk Management in Technology. This means that failures by a vendor can expose the customer to regulatory action, including fines, directives, and other supervisory measures imposed by the relevant authority.
In addition to regulatory exposure, outsourcing arrangements commonly include contractual enforcement mechanisms designed to secure performance. Performance bonds and performance guarantees are often used, particularly for high-value or critical engagements. A performance bond provides a financial backstop that may be called upon if the vendor fails to meet its contractual obligations, while a performance guarantee, typically issued by a parent company or financial institution, supports the vendor’s performance under the contract.
Other contractual controls may also be relevant. These can include step-in rights, allowing the customer to take over the outsourced function in the event of serious failure, and audit rights, enabling ongoing oversight of the vendor’s performance and compliance. Together, these mechanisms are intended to manage both performance risk and regulatory exposure in outsourcing arrangements.
Malaysia: Technology Outsourcing
This country-specific Q&A provides an overview of Technology Outsourcing laws and regulations applicable in Malaysia.