Malaysia’s Online Safety Act (ONSA) is not just for social media — it adds new duties and timelines that matter to VoIP and SIP trunk operators, and to any business that runs voice-blast or automated-calling services.
Your contact centre just received a complaint: a customer reported a fraud call impersonating your business. Meanwhile, your marketing team wants to run a nation‑wide voice blast next month. In 2026, those two situations are tightly connected to Malaysia’s Online Safety Act (ONSA) — not because the law bans voice services, but because it redefines what “service providers” must do when harmful content, fraud or priority harms move across digital networks. For businesses that rely on SIP trunking to deliver calls, the practical change is this: regulators will expect faster action, clearer policies, and demonstrable risk controls — and they have legal tools to demand it.
A new regulatory baseline means SIP trunk vendors, cloud PBX providers and IT teams must treat voice as part of the online-safety ecosystem — from real-time monitoring and reporting to log retention and cooperation with MCMC and law enforcement.
ONSA was drafted to reduce platform-level harms (child sexual abuse material, scams, harassment and other priority harms) by imposing prescribed duties on application and content providers and limited duties on network providers. That legal architecture makes service-level risk management and fast handling of user reports central to compliance — obligations that touch SIP trunking when voice channels are used to distribute scams, impersonations, or unsolicited bulk messages. bernama.com
Practical effect: even if a SIP trunk simply carries a voice stream, if that stream is used to distribute priority-harm content or fraud, MCMC can issue instructions that require action from carriers and NSPs — and those instructions come with tight timeframes.
Further reading: Online Safety Act comes into force — BusinessToday (1 Jan 2026)
Below are five concrete ways the law affects SIP trunking, and what teams running VoIP in Malaysia need to change now.
ONSA prescribes short acknowledgment and action timelines for reported content — for “priority harmful content” the regime uses windows measured in hours. While those provisions target ASPs/CASPs, NSPs (which include network operators) must comply with written instructions from MCMC to restrict access when harmful material is hosted outside provider services. For SIP trunk operators that carry fraudulent or impersonation calls, that means being ready to receive and action formal requests from regulators and to prove timelines were met. rahmatlim.com
Regulators and law enforcement will increasingly demand call metadata and, in some cases, call content or call‑leg traces to investigate scams and child‑safety incidents. Providers should review retention policies, ensure lawful interception and data‑export processes are documented, and prepare tamper‑evident logs that map SIP legs to customer accounts and CLI. Be prepared to produce records quickly when MCMC or PDRM issues a notice. bernama.com
The MCMC has moved to consult on rules for unsolicited commercial electronic messages and other platform harms; API or SIP-based voice blasts are squarely in scope for regulators worried about spam, fraud and impersonation. Businesses using SIP trunks for automated calling campaigns will need verifiable opt‑in records, clear caller identity practices, and suppression lists aligned with MCMC guidance once the subsidiary instruments are finalised. thestar.com.my
The MCMC used a “deeming provision” to auto‑register platforms with eight million or more Malaysian users as Application Service Provider (Class C) licensees. While that threshold targets large messaging and social platforms, it signals a regulator willing to extend licensing concepts to digital services. Regional or large-scale VoIP platforms or cloud‑PBX operators that host user content or social features should expect closer licensing scrutiny and may need to align with ASP/CASP duties or NSP instructions. bernama.com
ONSA includes strong penalties and a regime of prescribed duties (safety plans, reporting mechanisms, age‑related protections). Legal advisers flag fines up to RM10 million for non‑compliance with prescribed duties and separate fines for missing statutory timeframes. For SIP trunk providers that offer voice‑blast tools, predictive dialers, or hosted PBX features, this translates into spending on policy, monitoring, staff training, and technical controls (rate limits, CLI validation, abuse detection). rahmatlim.com
Risk warning: failing to treat harmful voice use as part of online‑safety obligations can result in rapid regulatory escalation — from written instructions to network restrictions to financial penalties.
The law is live. Some subsidiary regulations are still being finalised, but many enforcement mechanisms (deeming provision, prescribed duties, short response windows) are already actionable. Use this checklist to reduce immediate risk.
“Treat voice the way you treat platform content: map the risks, document controls, and be able to show regulators you acted within hours when priority harm is reported.” — Practical rule for VoIP teams.
As a Malaysian cloud PBX and SIP trunk provider, we help customers align voice services with regulatory expectations: from secure SIP trunk provisioning and CLI integrity checks to retention-ready call logging and voice-blast controls that respect opt‑ins and suppression lists. If you run voice campaigns or rely on hosted PBX, we can perform the compliance audit, implement access controls and document playbooks you can use if MCMC issues an instruction.
The MCMC has launched public consultations on the Online Safety Plan and draft codes (risk mitigation and child protection), signalling continued regulatory refinement and operational codes that providers must follow. At the same time, law firms and advisers highlight that ONSA already includes subsidiary rules prescribing timeframes for acknowledgements, takedowns and appeals — and that financial fraud losses reported to police (in the period before enforcement) were large enough to push the law through quickly. Expect more implementing rules on age verification, notification forms and possibly a lowered user threshold for deemed registration in future legislative moves. thestar.com.my
Further reading: MCMC launches public consultation on Online Safety Plan — The Star (12 Feb 2026)
ONSA lets MCMC issue written instructions to network service providers to restrict access to harmful material hosted outside providers’ services; while it does not automatically force removal of historical call records, it does create a formal pathway where the regulator can require actions that affect network routing, blocking or access. Prepare to receive formal notices and to act within prescribed timeframes. rahmatlim.com
Not necessarily — but the MCMC is clarifying rules for unsolicited commercial electronic messages and platform safety. Legitimate marketing must be backed by verifiable opt‑ins, clear caller identity, and the ability to honour suppression requests. Automated campaigns that trigger large numbers of complaints risk regulatory scrutiny under the new regime. thestar.com.my
Maintain call metadata (timestamps, CLI, called number, SIP call identifiers, trunk/customer account mapping), campaign identifiers for bulk calls, consent records for recipients, and tamper‑resistant logs. If you retain call recordings, document lawful bases and retention windows aligned to privacy law and MCMC expectations. rahmatlim.com
Non‑compliance with prescribed duties can attract heavy fines — legal analyses cite regulatory penalties up to RM10,000,000 for breaches of prescribed duties and separate fines where statutory timeframes are missed. That makes operational readiness essential. rahmatlim.com
Quick operational priority: designate a single regulatory contact for MCMC notices, document escalation criteria, and test your ability to pull call logs and opt‑in records within 24 hours.
Further reading: Deeming provision and ASP(C) registration — Bernama (15 Dec 2025)
Further reading: Online Safety Act strengthens oversight — Bernama (4 Feb 2026)
Further reading: Legal summary of ONSA duties and timeframes — Rahmat Lim & Partners (23 Jan 2026)
