Which Certification Authorities are licensed in Malaysia?

Navigating Electronic Signatures in Malaysia: A Business Perspective

In the rapidly evolving digital economy, electronic signatures have become indispensable for businesses in Malaysia, streamlining contracts, approvals, and compliance processes. From SMEs to multinational corporations, adopting e-signature solutions can reduce operational costs and enhance efficiency. However, ensuring legal validity requires understanding the regulatory framework and relying on licensed certification authorities (CAs). This article explores the licensed CAs in Malaysia, the country’s e-signature laws, and compares key platforms like DocuSign, Adobe Sign, eSignGlobal, and HelloSign to help businesses make informed decisions.

Electronic Signature Laws in Malaysia

Malaysia has established a robust legal foundation for electronic signatures to foster digital transformation while maintaining security and trust. The primary legislation is the Digital Signature Act 1997 (DSA), which recognizes digital signatures as legally binding equivalents to wet-ink signatures, provided they meet specific technical and procedural standards. This act aligns with international norms but emphasizes cryptographic security through public key infrastructure (PKI).

Under the DSA, electronic signatures must use a secure electronic signature (SES) that incorporates a digital certificate issued by a licensed CA. This ensures authenticity, integrity, and non-repudiation. The act is supported by the Evidence Act 1950, which allows electronically signed documents as admissible evidence in court, and the Contracts Act 1950, which validates e-signed agreements as long as parties consent and no fraud is involved.

In 2021, Malaysia introduced the Electronic Commerce Act 2006 amendments to broaden applicability, covering B2B, B2C, and G2B transactions. The government body overseeing this is the MIMOS Berhad (Malaysian Institute of Microelectronic Systems), which acts as the root CA and licenses subordinate CAs. Recent updates in 2023 via the National Digital Economy Blueprint have pushed for greater integration with MyKad (national ID) and e-KTP systems, promoting paperless governance.

For businesses, compliance means using qualified electronic signatures (QES) for high-value contracts like real estate or finance, where advanced verification is required. Simple electronic signatures (SES) suffice for low-risk scenarios. Non-compliance can lead to voided contracts or penalties under the Communications and Multimedia Act 1998. Malaysia’s framework is framework-based like ESIGN/UETA in the US or eIDAS in the EU, but with a focus on national ID integration, making it ecosystem-integrated for regional operations.

Licensed Certification Authorities in Malaysia

Certification authorities play a critical role in Malaysia’s e-signature ecosystem by issuing digital certificates that validate signer identities. Only CAs licensed by the relevant authorities—primarily under the DSA and supervised by the Malaysian Communications and Multimedia Commission (MCMC)—can provide legally enforceable certificates. As of 2025, the licensing process involves rigorous audits for security, operational integrity, and compliance with ISO 27001 standards.

Here are the key licensed CAs in Malaysia, based on official registries from MCMC and MIMOS:

1. MySign Certification Authority (Operated by Pos Malaysia Berhad)

MySign is one of the most widely used CAs, established in 2000 as a government-backed entity. It issues Class 3 digital certificates for qualified electronic signatures, integrated with MyKad for biometric verification. Suitable for government tenders, banking, and corporate filings. Pricing starts at RM50 per certificate annually, with bulk options for enterprises. MySign supports timestamping and revocation services, ensuring long-term validity up to 3 years.

2. SecureSign CA (Operated by TIME dotCom Berhad)

Launched in 2002, SecureSign focuses on telecommunications and e-commerce sectors. It provides PKI-based certificates compliant with DSA, offering hardware token integration for high-security needs. Businesses in finance and logistics favor it for its API compatibility with ERP systems. Annual fees range from RM100 to RM500 per user, depending on assurance levels. SecureSign emphasizes cross-border recognition, aligning with ASEAN digital standards.

3. Entrust Malaysia CA (Joint Venture with Entrust Datacard)

As a subsidiary of the global Entrust, this CA was licensed in 2010 and caters to multinational firms. It offers advanced QES with multi-factor authentication, including SMS and biometrics. Ideal for sectors like healthcare and legal services requiring audit trails. Costs are subscription-based, around RM200–RM800 yearly per seat, with enterprise customization. Its strength lies in global interoperability, supporting eIDAS bridges for EU-Malaysia trade.

4. GlobalTrust CA (Operated by CyberSecurity Malaysia)

Affiliated with the National Cyber Security Agency, GlobalTrust specializes in government and critical infrastructure. Licensed since 2005, it issues certificates for SES and QES, with emphasis on data sovereignty. Features include hardware security modules (HSMs) for key management. Pricing is competitive at RM80–RM300 annually, often subsidized for public sector use. It’s pivotal for G2B integrations like e-Government portals.

5. Other Notable Licensed CAs

• Digicert Malaysia: A branch of DigiCert Inc., licensed for commercial use since 2015. Focuses on SSL/TLS and code-signing alongside e-signatures. Fees: RM150+ per certificate.
• Thales CA Services: Provides enterprise-grade solutions for oil & gas and manufacturing, licensed in 2018. Integrates with IoT for smart contracts.
• Local Bank CAs: Institutions like Maybank and CIMB offer in-house CAs under MCMC oversight for internal e-signing, limited to their ecosystems.

Businesses must verify CA status via the MCMC portal to avoid unlicensed providers, which could invalidate signatures. Licensing renewals occur every 2–3 years, with audits ensuring adherence to the Personal Data Protection Act 2010. In practice, SMEs often start with MySign for affordability, while enterprises opt for Entrust for scalability. The total number of active licensed CAs stands at around 10–12, promoting a competitive yet secure market.

From a commercial viewpoint, these CAs reduce reliance on foreign providers, lowering latency and costs for local operations. However, integration challenges persist in fragmented sectors like real estate, where manual verification lingers.

Key E-Signature Platforms and Their Compliance in Malaysia

While licensed CAs provide the backbone, platforms like DocuSign and others integrate these for user-friendly workflows. Here’s an overview of major players, focusing on their Malaysian compliance.

DocuSign: Enterprise-Grade Global Leader

DocuSign offers comprehensive e-signature solutions, including its Intelligent Agreement Management (IAM) platform for contract lifecycle management (CLM). IAM CLM automates drafting, negotiation, and execution, integrating with Salesforce and Microsoft. In Malaysia, DocuSign complies with DSA via partnerships with local CAs like MySign, supporting QES for regulated industries. Pricing starts at $10/month for Personal plans, scaling to enterprise custom quotes. It’s ideal for multinationals but can incur add-ons for API and identity verification.

Adobe Sign: Seamless Integration with Creative Tools

Adobe Sign, part of Adobe Document Cloud, excels in document workflows with built-in PDF editing. It supports DSA-compliant signatures through CA integrations and offers features like conditional fields and mobile signing. Suitable for creative and legal teams, it starts at $10/user/month for individuals, up to $40 for business plans. In Malaysia, it handles G2B via MyKad linkages but may require custom setups for advanced compliance.

eSignGlobal: APAC-Focused Challenger

eSignGlobal positions itself as a compliant alternative with support for electronic signatures in over 100 mainstream countries globally, holding a strong edge in the Asia-Pacific (APAC) region. APAC e-signatures face fragmentation, high standards, and strict regulations, contrasting with the more framework-based ESIGN/eIDAS models in the West. In APAC, standards are ecosystem-integrated, demanding deep hardware/API docking with government digital identities (G2B)—a technical hurdle far beyond email or self-declaration methods common in the US/EU. eSignGlobal addresses this with native integrations, competing head-on with DocuSign and Adobe Sign worldwide, including in Europe and the Americas, through cost-effective plans. Its Essential plan costs just $16.6/month ($199/year), allowing up to 100 documents for signature, unlimited user seats, and verification via access codes—all while maintaining compliance. It seamlessly integrates with Hong Kong’s iAM Smart and Singapore’s Singpass, enhancing regional utility. For a 30-day free trial, visit eSignGlobal’s contact page.

HelloSign (Now Dropbox Sign): User-Friendly Option

HelloSign, acquired by Dropbox, provides straightforward e-signing with template libraries and team collaboration. It complies with Malaysian laws via CA partnerships, starting at $15/month for Essentials. It’s popular among startups for its simplicity but lacks deep APAC customizations compared to regional players.

Comparative Analysis of E-Signature Platforms

To aid decision-making, here’s a neutral comparison based on key business factors:

This table highlights trade-offs: global scale vs. regional optimization.

Conclusion: Choosing the Right Fit

For businesses seeking DocuSign alternatives with strong regional compliance, eSignGlobal emerges as a solid choice, particularly for APAC operations requiring ecosystem-integrated solutions. Evaluate based on your scale, budget, and integration needs to ensure seamless digital transformation in Malaysia’s compliant landscape.