APAC Online Safety Regulations: The Shift to Proactive “Systems and Processes”

Global shift from "notice and takedown" to "systems and processes"

The regulation of online content has undergone a fundamental transformation over the past decade. In the 2010s, the dominant “notice and takedown” model was reactive: the government or an individual user would identify unlawful content, notify the relevant platform, and the platform would take it down.   

Governments have since shifted towards a more proactive "systems and processes" model, requiring online platforms to implement compliance measures before any violation occurs, such as formal risk assessments, content moderation processes, and the active detection of harmful material.

The EU's Digital Services Act (DSA) and the UK's Online Safety Act (OSA) have led this charge, imposing obligations across a range of services concerning illegal content, advertising transparency, content recommendation systems, and child protection. These Acts are backed by significant enforcement powers, including fines of up to 10% of worldwide revenue and wide-reaching powers to affect business practices.

The question for technology companies operating in Asia-Pacific is no longer whether this wave of proactive regulation will reach them; it already has. The question is how to navigate a landscape that is rapidly evolving with different obligations across different jurisdictions.

APAC: A region moving fast, but not in lockstep

Asia-Pacific is moving towards stricter rules, but countries are adopting distinct approaches, creating a complex and fragmented compliance environment for businesses. Some jurisdictions are embracing the full "systems and processes" model inspired by the UK and EU; others remain primarily "notice and takedown" but are showing potential signs of moving towards the "systems and processes" model.

Australia: A world-first social media ban for children

Australia has been a leader in implementing online safety legislation, becoming the first jurisdiction to have a dedicated online safety regulator in 2015, and the first country to require tech companies to develop enforceable industry codes to combat child sexual abuse and pro-terrorism content online. Most recently in December 2025, Australia became the first country in the world to set a minimum age of 16 for social media use, with potential penalties of up to A$49.5 million (US$35.4 million) for breaches. 

Malaysia: New Online Safety Act 2025

Malaysia enacted the Online Safety Act 2025 in May 2025, imposing proactive "systems and processes" obligations on social media platforms, internet messaging services and video streaming services, bringing it firmly into line with the direction set by the UK and EU. Malaysia is also expected to introduce a social media ban for children under the age of 16 in 2026.

Key obligations include implementing measures to be set out in a forthcoming code to ensure safe use of services by children, and maintaining mechanisms to make "priority harmful content" (a category expressly covering child sexual abuse material and financial fraud content) inaccessible. 

The detailed operational requirements are expected to be set out in a forthcoming code; accordingly, the scope and practical application of the statutory obligations will remain subject to further regulatory specification pending publication of that code. 

Singapore: Fast-tracked victim relief

Singapore's Online Safety (Relief and Accountability) Act illustrates a complementary but distinct direction: moving from the previous takedown system into a regulator-enabled victim redress model. This is made possible with the establishment of the Online Safety Commission (OSC) from 29 June 2026, from which victims will be able to seek remedies directly. The OSC will have the powers and ability to issue rapid directions to platforms and other actors, such as orders to take down harmful content and blocking access to offending platforms and applications, and to obtain identity information about perpetrators of online harms. 

The OSC will initially focus on online harassment, doxxing, online stalking, intimate image abuse and image-based child abuse, before progressively expanding to address other areas of online harms, such as online impersonation, deepfake abuse, incitement of violence, and the publication of false or reputationally harmful material.

Entities that fail to comply with an OSC direction can be liable to fines up to S$500,000 (US$393,000), with a further fine not exceeding S$50,000 (US$39,300) for each day the offence continues after a direction is issued. 

In parallel, Singapore is also introducing statutory torts to allow victims of online harms to make civil claims against platforms and perpetrators. 

Indonesia: Proactive enforcement is starting

Indonesia has established online safety protection for children through Minister of Communication and Digital Affairs Regulation No. 9 of 2026 (which implements the previously issued Government Regulation No. 17 of 2025) which mandates Electronic System Providers (including websites, social media platforms and game developers) to protect children from risks associated with harmful content. Key requirements include age-appropriate risk assessments, parental consent and age verification requirements, and privacy-by-default settings, taking inspiration from the UK's ICO Children's Code.

Beyond this, the Indonesian government has demonstrated that enforcement is not merely theoretical. In March this year, the Minister of Communication and Digital Affairs conducted an unannounced inspection of the offices of a global social media platform in Jakarta. The inspection was explicitly framed as enforcement of Article 40 of Indonesia's revised ITE Law (UU No. 1 of 2024), which mandates government action to protect the public from misinformation and disinformation. 

The message to global platforms operating in Indonesia is clear: online safety compliance obligations in this jurisdiction are real and are being enforced at the highest levels of government.

Vietnam and Thailand: Still relying on the “notice and takedown” model

While the wave of proactive enforcement has reached the APAC region, some jurisdictions within it still primarily rely on the “notice and takedown” model. For example, in Vietnam, platforms are required to remove illegal content within 24 hours of a government request, but there are also some system-like duties such as requirements for user-authentication and content scanning tools. Similarly, Thailand maintains a 24-hour takedown period for specific content; however, a draft Platform Economy Act indicates a potential future shift towards a “systems and processes” model inspired by the EU’s DSA.

What this means for your business in APAC

For technology companies operating across APAC, the calculus has changed. Regulatory compliance in the online safety space is no longer a matter for UK and EU companies alone; it is a live issue across the APAC region.

However, there is no one-size-fits-all compliance strategy across Asia. Businesses must adopt a localised approach that considers the specific legal requirements and cultural contexts of each market. This is further complicated by the extraterritorial reach of UK and EU online safety laws, which can apply to Asian-headquartered businesses serving UK and EU users.

For companies with significant EU operations, adopting a global compliance standard based on UK or EU law (with local nuances where obligations go beyond the UK/EU standard) may be operationally efficient and commercially easier to justify. For companies primarily based in Asia with a smaller EU footprint, a tailored, risk-based approach focused on key Asian markets may be more practical. Either way, the direction of travel across Asia is towards stricter regulation, and building an adaptable policy structure is key to long-term compliance.

If you would like to discuss how these developments apply to your business or a transaction you are considering, please do not hesitate to get in touch.

Authors: Alex Roberts, Yang Fan, Ivan Annandale