Electronic & Digital Signatures in Malaysia


Ever since the COVID-19 global pandemic struck, the Malaysian Government has issued orders to restrict in-person business operations and encourage people to work from home as much as possible. As a result, technology has become an increasingly important part of the workforce as businesses look into digital technology to engage with clients and continue to serve their client base by operating remotely. Hence, this shift towards digital operations has turned businesses toward digital signatures and electronic signatures to effectively facilitate the signing and execution of documents.

Paperless signatures are legally enforceable in Malaysia. The terms electronic signatures and digital signatures are often used interchangeably; however, the Malaysian Government has provided two separate legal frameworks to regulate the two, namely the Digital Signature Act 1997 (“DSA”) and the Electronic Commerce Act 2006 (“ECA”).

Distinctions could be drawn between electronic signatures and digital signatures, and this article seeks to highlight the salient differences and how they could be applied in a practical sense.


Briefly, electronic signatures are governed by the ECA; it mainly provides for legal recognition of electronic messages in commercial transactions, the use of electronic messages to fulfil legal requirements, as well as to enable and facilitate commercial transactions through the use of electronic means.

The ECA defines an electronic signature to mean “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”.

In order for electronic signatures to be binding and enforceable in Malaysia, the following requirements stipulated under Section 9 of the ECA have to be met. The signature:

  1. is attached to or is logically associated with the electronic message;
  2. adequately identifies the person and adequately indicates the person’s approval of the information to which the signature relates; and
  3. is as reliable as is appropriate given the purpose for which, and the circumstances in which, the signature is required.

Further, an electronic signature must fulfil these three conditions listed by the ECA in order to be considered “reliable”:

  1. the means of creating the electronic signature is linked to and under the control of that person only;
  2. any alteration made to the electronic signature after the time of signing is detectable; and
  3. any alteration made to that document after the time of signing is detectable.

Having said that, it is worth noting that not all documents are suitable to be electronically signed. Specifically, documents that must be attested before a commissioner of oaths are not allowed to be electronically signed.

Section 2 of the ECA lays down certain transactions and documents that fall outside the scope of the ECA; they include:

  • Power of attorney
  • Wills and codicils
  • Trust documents
  • Negotiable instruments (i.e., a promissory note or bank cheques)

Further, the ECA also provides that a contract can be legally binding and effective if it is formed via electronic means. Reference could be made to Clause 7(1) of the ECA, which provides “In the formation of a contract, the communication of proposals, acceptance of proposals, and revocation of proposals and acceptances or any related communication may be expressed by an electronic message.”

Reading the ECA as a whole would enable us to understand that the ECA 2006 indeed plays a pivotal role in enhancing the legal framework and encouraging businesses’ digitalisation.


Digital signatures are governed by the DSA. A digital signature is a signature generated using an asymmetric cryptosystem and verified by reference to the public key listed in a valid certificate issued by a licensed certification authority. Such a certificate is used to verify the identity of the signer of a message and to ensure the correctness and validity of information in electronic transactions. Digital signatures arguably offer more security and protection compared to other types of electronic signatures, as they are created based on a set of algorithms and a unique authentication process.

A digital signature is defined in the DSA as,

    “a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine
    1. whether the transformation was created using the private key that corresponds to the signer’s public key; and
    2. whether the message has been altered since the transformation was made”

In short, digital signatures cannot be generated by unlicensed software providers found online. For a digital signature to be valid, enforceable and effective in Malaysia, it has to be certified and validated by licensed certification authorities.

To date, there are four licensed certification authorities in Malaysia that issue digital certificates, namely:

  1. Post Digicert Sdn Bhd (457608-K);
  2. MSC Trustgate Sdn Bhd (478231-X);
  3. Telekom Applied Business Sdn Bhd (455343-U); and
  4. Rafcomm Technologies Sdn Bhd (1000449-W).

Just like the ECA, the DSA shall recognise a digital signature to be a legally binding signature provided that such signature satisfies the requirements provided by the DSA.

Pursuant to Section 62 of the DSA,

    “Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where
    1. that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
    2. that digital signature was affixed by the signer with the intention of signing the message; and
    3. the recipient has no knowledge or notice that the signer
      • has breached a duty as a subscriber; or
      • does not rightfully hold the private key used to affix the digital signature.”

On top of the unique algorithm and authentication process, the DSA ensures additional security measures to safeguard the subscriber’s private key information by imposing a fiduciary responsibility on licensed certification authorities.

This was stipulated in Section 45,

    “Where a licensed certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the licensed certification authority shall hold the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification authority and expressly and in writing permits the licensed certification authority to hold the private key according to other terms.”


In a nutshell, although the use of electronic signatures and digital signatures may be quick and convenient, in a practical sense, it is unresolved as to whether these signatures will be recognised and accepted by all relevant local authorities in Malaysia.

Disclaimer: The contents of this write-up are intended for general informational purposes only and do not constitute legal advice.
