Some people have pointed out that this only applies to government or CNII http://cnii.cybersecurity.my/main/about.html. This is all the public have info on, and it encompasses almost every economic sector in Malaysia. Would ISP, Telekoms and Mobile operators come under critical services? How about Banking? Would this be another layer of requirements on top of existing ones to provide IT services to banks and financial institutions?
National Security is also a red flag. Malaysia has history of using National Security laws to hide information related to corruption or even arresting opposition politicians under this pretense.
Long term wise, the public statement has already stated that the objective is increasing quality for *all* IT professionals. So their intentions are obviously not limited to just CNII requirements.