Overview

The Digital Signature Act 1997 (Act 562) established Malaysia as one of the world's first countries to legislate a comprehensive legal framework for digital signatures and public key infrastructure (PKI). Enacted as part of the MSC Malaysia cyber law initiative, the Act gave digital signatures the same legal standing as handwritten signatures — a critical step in enabling legally valid electronic transactions and supporting the development of Malaysia's digital economy.

The Act creates a licensed certification authority (CA) framework — requiring organisations that issue digital certificates to be licensed by the Controller of Certification Authorities. It establishes the rights and obligations of certification authorities, subscribers, and relying parties, and sets out the technical and operational standards that licensed CAs must meet.

A World First in Digital Signature Legislation

When Malaysia enacted the Digital Signature Act in 1997, it joined a very small group of jurisdictions, Utah in the United States among them, that had legislated specifically for digital signatures. The Act's enactment was a direct fulfilment of the MSC Malaysia Bill of Guarantees and signalled Malaysia's commitment to creating the legal infrastructure needed for a functioning digital economy.

What is a Digital Signature?

A digital signature is a cryptographic mechanism that allows the recipient of a digitally signed document to verify both the identity of the signatory and the integrity of the signed content. It is not simply a scanned image of a handwritten signature — it is a mathematically generated code produced using the signatory's private key, which can be verified using the corresponding public key.

The Digital Signature Act 1997 defines a digital signature as a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key, and whether the initial message has been altered since the transformation was made.

Public Key Infrastructure (PKI) Framework

The Act establishes a hierarchical PKI framework with the Controller of Certification Authorities at its apex, licensed certification authorities operating under the Controller's oversight, and subscribers — individuals and organisations — who obtain digital certificates from licensed CAs.

Controller of Certification Authorities

The regulatory authority responsible for licensing and supervising certification authorities in Malaysia, maintaining the repository of licensed CAs, and enforcing compliance with the Act.

Licensed Certification Authorities

Organisations licensed by the Controller to issue digital certificates — verifying the identity of subscribers and binding their identity to a public key through the issuance of a certificate.

Subscribers

Individuals or organisations that obtain a digital certificate from a licensed CA — using their private key to digitally sign documents and transactions.

Relying Parties

Those who rely on a digital certificate to verify the identity of a signatory or the integrity of a signed document — including parties to electronic contracts and digital transactions.

Key Provisions

Part II

Licensing of Certification Authorities

Establishes the licensing regime for certification authorities — including application requirements, licensing criteria, conditions of licence, and the Controller's powers of supervision, inspection, and enforcement.

Part III

Duties of Licensed Certification Authorities

Sets out the obligations of licensed CAs — including duties to verify subscriber identity, issue certificates meeting specified standards, maintain secure systems, publish certificate revocation lists, and comply with the Controller's directions.

Part IV

Certificates and Repositories

Governs the issuance, content, and management of digital certificates — including the mandatory contents of a certificate, the maintenance of publicly accessible repositories, and the procedures for certificate suspension and revocation.

Part V

Effect of Digital Signatures

The critical operative provision — establishing that a digitally signed document satisfies any statutory requirement for a signature, and setting out the conditions under which a digital signature creates a legally binding obligation on the signatory.

Part VI

Recognised Foreign Certification Authorities

Provides a framework for the recognition of foreign certification authorities — enabling cross-border digital signature recognition and facilitating international electronic commerce involving Malaysian parties.

Legal Effect of Digital Signatures

Under the Digital Signature Act, a digital signature that satisfies the Act's requirements has the same legal effect as a handwritten signature. Specifically, where a rule of law requires a signature — whether in legislation, contract, or other legal instrument — a digital signature created in accordance with the Act satisfies that requirement.

The Act also creates a presumption of authenticity — where a digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed CA, it is presumed that the digital signature was affixed by the subscriber named in the certificate. This presumption is rebuttable but places the evidential burden on the party challenging the signature's authenticity.
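The mechanics behind this presumption, and the roles set out in the PKI framework section above (licensed CA, subscriber, relying party), as an added example in Go that is not part of the Act or of this page: a constructed CA issues a certificate binding a constructed subscriber name to a public key, the subscriber signs a message with the private key (the "transformation" in the Act's definition), and a relying party checks that the certificate chains to the trusted CA and is within its validity period, that it is not on the CA's revocation list, and that the signature verifies under the certificate's public key. ECDSA over P-256 with SHA-256, the names, serial numbers, validity periods and the in-memory revocation list are all assumptions chosen for the demonstration; the Act does not prescribe particular algorithms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA models a licensed certification authority: its signing key, its own
// certificate, and the serial numbers it has revoked (a stand-in for a CRL).
type CA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool
}

// NewSubscriberKey generates the key pair a subscriber keeps private.
func NewSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root certificate for a hypothetical licensed CA.
func NewCA(name string) (*CA, error) {
	key, err := NewSubscriberKey() // same key type; the CA just uses it for signing certificates
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, cert: cert, revoked: map[string]bool{}}, nil
}

// Issue binds a subscriber's identity to their public key by signing a
// certificate with the CA's private key (the Part IV issuance step).
func (ca *CA) Issue(serial int64, subscriber string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subscriber},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke places the certificate's serial number on the CA's revocation list.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// Sign hashes the message and signs the digest with the subscriber's private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify performs the relying party's checks. A nil error means the signature
// is accepted; otherwise the error states which check failed.
func Verify(ca *CA, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // chain to the trusted CA and validity period
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s has been revoked", cert.SerialNumber)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { // fails if the message or key differs
		return fmt.Errorf("signature does not match the message and public key")
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Licensed CA (constructed)")
	sub, _ := NewSubscriberKey()
	cert, _ := ca.Issue(1001, "Example Subscriber (constructed)", &sub.PublicKey)
	msg := []byte("I accept the terms of agreement no. 42 (constructed message)")
	sig, _ := Sign(sub, msg)
	fmt.Println("original message:", Verify(ca, cert, msg, sig))
	fmt.Println("altered message: ", Verify(ca, cert, []byte("I accept the terms of agreement no. 43"), sig))
	ca.Revoke(cert)
	fmt.Println("after revocation:", Verify(ca, cert, msg, sig))
}
```

The order of checks in Verify matters in practice: a signature that verifies mathematically is still not one the Act's presumption attaches to if the certificate was issued by an unrecognised CA or has been revoked, so the certificate and revocation checks run before the signature check and each failure is reported distinctly.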

Enabling the MyKad's PKI Functionality

The Digital Signature Act's PKI framework provided the legal foundation for one of MSC Malaysia's most celebrated achievements — the MyKad multipurpose smart card's digital certificate functionality. The MyKad included a PKI certificate issued under the DSA framework, enabling Malaysian citizens to use their national identity card for legally valid digital signatures in e-government transactions and electronic commerce.

Relation to Other Cyber Laws

The Digital Signature Act 1997 was enacted in the same year as the Computer Crimes Act 1997 — together forming the first wave of Malaysia's MSC cyber law framework. While the Computer Crimes Act addressed the criminal dimension of the digital environment, the Digital Signature Act addressed the civil and commercial dimension — providing the legal certainty for electronic transactions that the digital economy required.

The Act works alongside the Communications and Multimedia Act 1998 in providing the comprehensive legal infrastructure that underpinned the MSC Malaysia programme. For a full overview of all five cyber laws, see the Cyber Laws section.

Current Administration

The Digital Signature Act 1997 is currently administered under the Ministry of Digital Malaysia. The Controller of Certification Authorities maintains the register of licensed CAs in Malaysia. For current licensing information and the list of licensed certification authorities, visit the Ministry of Digital Malaysia.