ESG & Reputational Risk: Malaysian Mobile Network Operators | Renatus
RESEARCH ESG & REPUTATION
Telecommunications · Malaysia

ESG & Reputational Risk:
Malaysian Mobile Network Operators

Malaysian mobile network operators face a concentrated set of ESG risks shaped by three structural realities: a dominant post-merger player still under regulatory scrutiny, a 5G rollout that has drawn enforcement action from the Malaysian Communications and Multimedia Commission (MCMC), and governance patterns — particularly related-party transactions — that have attracted Securities Commission attention.

CelcomDigi received a RM5 million fine from MCMC in November 2023 for delaying 5G spectrum sharing, a RM3.5 million fine in February 2025 for a data privacy breach affecting 1.2 million user records, and a Securities Commission warning in March 2024 for post-merger related-party transaction non-compliance. Maxis received a RM2 million MCMC penalty in June 2024 for a service outage affecting 500,000 users, and its related-party transactions with Usaha Tegas affiliates — totalling RM520 million in 2025 — remain under SC review.

The structural tension is this: the CelcomDigi merger, completed in November 2022, was designed to create a national champion capable of funding 5G infrastructure at scale. Instead it has produced a company carrying merger-integration governance debt — cross-directorships flagged by MCMC, RPT volumes flagged by the SC, and data privacy enforcement by MCMC — while facing pressure to deliver rural connectivity and digital inclusion. The next 24 months will test whether post-merger governance integration can keep pace with MCMC's enforcement posture, rising data privacy expectations, and investor ESG screening requirements that CelcomDigi is already being rated on (MSCI AA) but Maxis and U Mobile are not publicly benchmarked against.

CelcomDigi MSCI ESG Rating AA
FTSE4Good Bursa Malaysia member; FY24 data
  1. Regulatory enforcement peaked between 2023 and 2025 — and shows no sign of easing. MCMC issued RM11.5 million in fines across CelcomDigi, Maxis, and U Mobile over a 26-month window, targeting 5G spectrum obligations, service quality failures, and a 1.2-million-record data privacy breach — enforcement directly tied to Malaysia's National Energy Transition Roadmap and 5G rollout conditions. [McKinsey]

  2. CelcomDigi carries the sector's heaviest governance debt from its 2022 merger. MCMC flagged three director cross-directorships at CelcomDigi's post-merger board, the Securities Commission issued a warning for RPT non-compliance in March 2024 covering RM1.2 billion in Axiata-linked transactions, and Sustainalytics rated board independence as high risk with 40% non-independent directors in Q1 2025. [Sustainalytics]

  3. Related-party transaction volumes at Maxis and CelcomDigi represent a persistent reputational exposure. Maxis recorded RM520 million in RPTs with Usaha Tegas affiliates in 2025, flagged by EY as elevated risk with 25% of capex tied to related parties; CelcomDigi's Axiata-linked RPTs reached RM1.2 billion in 2023 before falling to RM900 million in 2024 — both remain under SC monitoring. [EY]

  4. Data privacy is the sector's fastest-growing enforcement vector. CelcomDigi's February 2025 PDPA fine of RM3.5 million for leaking 1.2 million user records marks the first major operator-level privacy enforcement in Malaysia, setting a precedent that applies directly to Maxis and U Mobile's data handling practices. [MCMC]

1. Regulatory Risk

MCMC enforcement has cost operators RM11.5 million since 2023 — with data privacy now the sharpest exposure.

Three operators. Five enforcement actions. One data breach affecting 1.2 million users. This is what MCMC and the SC have put on record.

Between November 2023 and February 2025, MCMC and the Securities Commission of Malaysia issued five formal enforcement actions against CelcomDigi, Maxis, and U Mobile. Total financial penalties reached RM11.5 million — concentrated in three areas: 5G spectrum obligation failures, service quality failures causing consumer harm, and a data privacy breach under the Personal Data Protection Act. No enforcement actions have been recorded in Q1 2026, but the trajectory is clear: MCMC is using its enforcement tools more actively as 5G rollout conditions tighten. McKinsey's 2025 Malaysia Digital Economy Report links this enforcement posture directly to National Energy Transition Roadmap compliance pressures. [McKinsey]

Regulatory enforcement actions against Malaysian MNOs, 2023–2025
MCMC and Securities Commission; named enforcement actions only
CelcomDigi — 5G Spectrum Sharing Delay (Resolved (Nov 2023))

MCMC fined CelcomDigi RM5 million and issued a compliance order for breaching merger conditions by delaying 5G spectrum sharing with competitors.

Regulator
MCMC
Date
28 Nov 2023
Penalty
RM5 million + compliance order
Trigger
Merger condition breach
CelcomDigi — PDPA Data Breach (Resolved (Feb 2025))

MCMC fined CelcomDigi RM3.5 million under PDPA after a leak of 1.2 million user records — the first major operator-level privacy enforcement action in Malaysia.

Regulator
MCMC
Date
10 Feb 2025
Penalty
RM3.5 million
Records affected
1.2 million
Maxis — QoS Service Outage (Resolved (Jun 2024))

MCMC fined Maxis RM2 million after a service outage failed quality-of-service standards and impacted approximately 500,000 users.

Regulator
MCMC
Date
15 Jun 2024
Penalty
RM2 million
Users affected
~500,000
U Mobile — Rural Spectrum Misuse (Resolved (Apr 2023))

MCMC fined U Mobile RM1 million for spectrum misuse in relation to rural coverage obligations.

Regulator
MCMC
Date
5 Apr 2023
Penalty
RM1 million
Issue
Rural coverage obligation breach
CelcomDigi and Maxis — SC RPT Warnings (Monitoring (2023–2024))

Securities Commission issued warning letters to Maxis (Oct 2023) and CelcomDigi (Mar 2024) for inadequate related-party transaction disclosure. No fines issued; enhanced disclosures mandated.

Regulator
Securities Commission Malaysia
Maxis action
Oct 2023 — disclosure remediation
CelcomDigi action
Mar 2024 — process remediation
Fines
None

The most consequential single action is CelcomDigi's February 2025 PDPA fine of RM3.5 million for leaking 1.2 million user records. [MCMC] This is the first major operator-level privacy enforcement in Malaysia and it sets a regulatory precedent. Maxis and U Mobile now face MCMC scrutiny of their own data handling practices in an environment where the regulator has demonstrated willingness to act. The combined CelcomDigi entity serves approximately 20 million subscribers, making data hygiene across merged legacy systems a structural vulnerability rather than a one-off event.

The Securities Commission's two warning letters — one to Maxis in October 2023 for inadequate RPT disclosures and one to CelcomDigi in March 2024 for post-merger RPT non-compliance — have not resulted in fines. But they signal an SC watching governance closely at a time when both operators carry large related-party transaction volumes. The absence of fines does not mean the risk has passed; it means the clock is running.

2. Governance Risk

Related-party transactions at Maxis and CelcomDigi remain the sector's most persistent governance exposure.

RM1.42 billion in RPTs across two operators in 2024 — both under Securities Commission monitoring.

The CelcomDigi merger has produced the sector's most complex governance structure. MCMC's 2022 merger review identified three directors holding cross-directorships in Telenor Asia and Axiata Group. [MCMC] By Q1 2025, Sustainalytics rated CelcomDigi's board independence as high risk, with 40% non-independent directors. [Sustainalytics] Deloitte's 2024 APAC Telecom Governance Study found that CelcomDigi's post-merger board committees were not fully operational until Q3 2023 — a delay of nearly a year after the merger closed. [Deloitte] KPMG's 2025 audit flagged inadequate ESG oversight in CelcomDigi's board charters. [KPMG]

Governance risk profile: CelcomDigi, Maxis, and U Mobile
Board independence, RPT exposure, regulatory flags, ESG rating; 2024–2025 data. Scores: 1 = high risk, 5 = low risk.
Board independence RPT exposure SC/MCMC flags ESG rating (public) Gender diversity
CelcomDigi
MSCI AA
Maxis
F4GBM excluded 2024
U Mobile
Private — limited disclosure

Maxis carries a different but equally persistent governance risk: concentrated ownership. Four of nine directors were nominee directors of major shareholder Usaha Tegas Sdn Bhd as of 2023. [MSCI] Sustainalytics flagged two non-independent directors with tenures exceeding nine years as a medium governance risk. [Sustainalytics] FTSE4Good Bursa Malaysia excluded Maxis from its 2024 review, citing female board representation of 22% against a 30% target. PwC's 2024 Malaysia Corporate Governance Report recorded zero whistleblower cases investigated at Maxis in 2023 despite a functioning hotline — a cultural warning sign rather than an infrastructure gap. [PwC]

RPT volumes quantify the governance risk for institutional investors. EY's 2024 Malaysia RPT Review rated Maxis as elevated risk: 25% of capital expenditure is tied to related parties, and RPTs with Usaha Tegas affiliates reached RM520 million in 2025. [EY] CelcomDigi's RPTs with Axiata peaked at RM1.2 billion in 2023 and fell to RM900 million in 2024 — declining in volume but still under SC monitoring. Roland Berger's 2025 Telecom M&A Report describes this as merger-induced RPT vulnerability — a structural feature of post-merger integration that is slow to unwind and highly visible to institutional ESG screeners. [Roland Berger]

3. ESG Scoring

CelcomDigi holds an MSCI AA rating and F4GBM membership — Maxis and U Mobile are not publicly benchmarked.

The sector's ESG disclosure gap is itself a risk signal: institutional investors cannot screen what they cannot see.

CelcomDigi is the only Malaysian MNO with a publicly available, named ESG score. Its MSCI ESG rating of AA and FTSE Russell four-star score place it in the upper tier of rated telecoms globally. [CelcomDigi SR] It is a member of the FTSE4Good Bursa Malaysia Index and participates annually in Sustainalytics, MSCI, and S&P Global assessments, with limited third-party assurance on sustainability data. In FY24, CelcomDigi reduced GHG emissions by 10% to 468,200 tCO2e and cut energy consumption by 6% to 861.7 GWh — concrete operational progress that underpins the rating. [CelcomDigi SR]

ESG rating profile: Malaysian MNOs vs. public benchmarks
MSCI, FTSE Russell, FTSE4Good Bursa Malaysia, Sustainalytics; FY24 data
CelcomDigi (MSCI AA · F4GBM Member)
MSCI ESG
AA (FY24)
FTSE Russell
4-star
F4GBM
Member
GHG (FY24)
468,200 tCO2e (−10% YoY)
Energy (FY24)
861.7 GWh (−6% YoY)
Assurance
Limited third-party
Maxis (F4GBM Excluded 2024)
MSCI ESG
Not publicly available
FTSE Russell
Not publicly available
F4GBM
Excluded (2024 review)
GHG
Not publicly disclosed
Female board
22% (vs. 30% target)
RPT exposure
RM520M (2025)
U Mobile (Private — No Public Disclosure)
MSCI ESG
Not available (private)
F4GBM
Not applicable
GHG
Not disclosed
Ownership
Berjaya Group / U Telecoms
Regulatory flags
RM1M MCMC fine (Apr 2023)
Disclosure level
Very limited

No equivalent public ESG rating data is available for Maxis or U Mobile for 2025 or 2026. Maxis was excluded from the FTSE4Good Bursa Malaysia Index in 2024 for falling short of the 30% female board representation target, and no MSCI or Sustainalytics score for Maxis has been published in available sources. U Mobile, as a private company, has no disclosure obligation and publishes no public ESG metrics. This disclosure asymmetry will widen as Bursa Malaysia's enhanced sustainability reporting requirements intensify through 2026. [Bursa Malaysia]

The absence of comparable data across the sector should not be read as an absence of risk. For investors applying ESG screens, unverifiable performance is equivalent to uninvestable. Maxis faces a compliance deadline — not just a reputational one — as structured reporting requirements for large listed companies tighten.

4. Social & Reputational Risk

Data privacy is now an enforcement reality — and the sector's legacy system risks mean the February 2025 breach is unlikely to be the last.

One operator fined. 1.2 million records exposed. The PDPA precedent applies to every operator with a consumer base.

CelcomDigi's February 2025 PDPA fine is the sector's defining data privacy event. MCMC imposed RM3.5 million for the leaking of 1.2 million user records — a breach that combined volume (scale of exposure), regulatory follow-through (a named fine rather than a warning), and reputational damage to a company that had just merged two of Malaysia's largest subscriber bases. [MCMC] The combined CelcomDigi entity serves approximately 20 million subscribers, making data hygiene across merged legacy systems a structural vulnerability rather than a one-off incident.

Data privacy and consumer risk vectors: Malaysian MNO sector
Ranked by enforcement likelihood and consumer exposure; 2025–2026 horizon
1
Legacy system integration risk at CelcomDigi
Merging Celcom and Digi's separate subscriber databases creates persistent data hygiene vulnerabilities across approximately 20 million records. The February 2025 breach occurred three years post-merger — suggesting integration lag, not a one-time failure.
2
PDPA enforcement precedent now active
MCMC's RM3.5 million fine against CelcomDigi in February 2025 established that operator-level PDPA enforcement is live. Maxis and U Mobile now operate in the same enforcement environment with no public evidence of enhanced data protection investment.
3
Maxis governance gap on internal data risk reporting
PwC's 2024 Malaysia Corporate Governance Report found zero whistleblower cases investigated at Maxis in 2023 despite a functioning hotline — a cultural signal that internal data risk reporting may be suppressed rather than absent.
4
U Mobile transparency deficit
U Mobile discloses no data privacy metrics or breach history publicly. Private status limits MCMC disclosure obligations but does not limit enforcement liability under PDPA.
5
Consumer trust risk from subscriber concentration
CelcomDigi's approximately 20 million subscriber base means any future breach affects a larger share of Malaysia's mobile users than any prior single-operator incident — amplifying reputational downside relative to fine size.
6
Absence of documented activist pressure does not reduce enforcement risk
No NGOs or investor coalitions are publicly targeting Malaysian MNOs on data privacy as of Q2 2026. MCMC enforcement is acting as a substitute pressure mechanism, with equivalent reputational consequences and lower predictability.

The PDPA enforcement precedent changes the risk calculus for Maxis and U Mobile. Before February 2025, operator-level PDPA enforcement was theoretical. After it, Maxis — with its own large consumer database and a governance structure PwC identified as having zero investigated whistleblower cases in 2023 [PwC] — faces a live regulatory risk that its board has not publicly addressed. U Mobile's private status offers no protection: MCMC enforces PDPA regardless of listing status.

No documented activist campaigns targeting Malaysian MNOs on data privacy have been identified in available sources for 2025 or 2026. This absence reflects the early stage of civil society mobilisation in this area in Malaysia — not the absence of risk. MCMC has demonstrated enforcement capability and willingness, and Malaysia's broader digital economy ambitions will only raise the regulator's expectations further through 2027.

5. Physical Climate Risk

Flood exposure and rising energy intensity from 5G are real infrastructure risks — but no operator has disclosed them quantitatively.

Malaysia sits in a high-flood-frequency zone. None of the three MNOs has published climate scenario analysis for their tower estate.

No Scope 1, 2, or 3 emissions figures for Maxis or U Mobile are available in public sources. CelcomDigi is the exception: FY24 GHG emissions of 468,200 tCO2e (down 10% year on year) and energy consumption of 861.7 GWh (down 6%) represent the only operator-level climate data in the Malaysian MNO sector. [CelcomDigi SR] The absence of equivalent data from Maxis and U Mobile means physical climate risks facing their tower estates and data centres have not been quantified, stress-tested, or disclosed to investors.

Physical climate and energy risk drivers: Malaysian MNO infrastructure
Qualitative risk assessment; 2025–2026 horizon — no operator-disclosed quantitative data available for Maxis or U Mobile
Monsoon flooding — tower site access and outage risk Physical
Peninsular Malaysia and Sabah experience annual flood events that disrupt road access to rural tower sites. No Malaysian MNO has published flood exposure mapping for its tower estate. U Mobile's 2023 MCMC fine for rural coverage obligation breach is consistent with flood-related access disruption as a contributing factor.
5G base station energy intensity Physical / Transition
5G base stations consume 3–4 times more power than 4G equivalents. As Malaysia's national 5G rollout increases base station density, total network energy draw will rise before consolidation efficiency gains materialise. CelcomDigi's 6% energy reduction in FY24 reflects 4G-era network optimisation, not 5G-era demand management.
No TCFD-aligned climate scenario analysis published Disclosure gap
None of the three Malaysian MNOs has published a TCFD-aligned climate scenario analysis for their physical infrastructure. Bursa Malaysia's enhanced sustainability reporting framework is tightening this requirement. The disclosure gap is largest at Maxis and U Mobile, where no climate data is publicly available.
Grid carbon intensity and energy transition cost Transition
Malaysia's electricity grid is predominantly gas and coal-fired. MNOs relying on grid power for base stations and data centres carry transition risk as carbon pricing discussions advance under Malaysia's NDC 3.0 commitments, which target emissions peaking by 2030.
Extreme heat — passive cooling failure risk Physical
Rising average temperatures increase the risk of passive cooling failures at outdoor base station cabinets and edge data centres. The OECD flags extreme heat as a growing physical risk for telecoms infrastructure in tropical markets. No operator has quantified this exposure.

Malaysia's geography creates concrete infrastructure exposure. Peninsular Malaysia and Sabah experience annual monsoon flooding that has historically disrupted road access to rural tower sites and caused short-term outages. The OECD identifies energy dependency — specifically the high and growing power draw of mobile base stations — as a key physical and transition risk for telecoms in high-growth markets. [OECD] As 5G base station density increases under Malaysia's national rollout, energy consumption will rise before efficiency gains from network consolidation materialise. No Malaysian MNO has published a TCFD-aligned climate scenario analysis for its tower estate.

Deutsche Telekom, the most directly comparable peer on climate disclosure, achieved 100% renewable electricity by 2021 and publishes detailed physical risk adaptation plans. [Deutsche Telekom] Malaysian MNOs are not at that stage. CelcomDigi's emissions reductions are operational efficiency gains — reduced energy use per site — rather than a transition to renewable energy sourcing. The gap between current practice and what a TCFD-aligned investor expects is wide and will widen further as Bursa Malaysia's enhanced sustainability reporting requirements take effect through 2026.

6. Transition Risk

Malaysia's NETR and Bursa's reporting framework are tightening ESG obligations faster than operators are building capability.

Carbon pricing, renewable energy mandates, and mandatory climate disclosure are coming — and two of three MNOs are not publicly prepared.

Malaysia's National Energy Transition Roadmap (NETR), combined with NDC 3.0 commitments targeting emissions peaking by 2030, is creating a tightening regulatory environment for energy-intensive sectors including telecommunications. [PwC Malaysia] McKinsey's 2025 Malaysia Digital Economy Report directly links MCMC's recent enforcement posture to NETR compliance pressures — meaning the RM11.5 million in operator fines between 2023 and 2025 is partly a function of national climate policy, not purely sector-specific regulatory aggression. [McKinsey]

ESG regulatory milestones affecting Malaysian MNOs: 2022–2027
Selected regulatory and enforcement events; MCMC, SC, Bursa Malaysia, and national policy
Nov 2022
CelcomDigi merger approved
MCMC approval with conditions including 5G spectrum sharing obligations and governance requirements — creating the compliance obligations that drove subsequent fines.
Apr 2023
U Mobile MCMC fine
RM1 million fine for spectrum misuse linked to rural coverage obligations — first MCMC enforcement action in this cycle.
Oct–Nov 2023
SC warning to Maxis; CelcomDigi 5G fine
SC queried RM450 million in Maxis RPTs (Oct). MCMC imposed RM5 million fine on CelcomDigi for 5G spectrum sharing delay (Nov) — largest single fine in the cycle.
Mar–Jun 2024
SC warning to CelcomDigi; Maxis QoS fine
SC warned CelcomDigi for RM1.2 billion post-merger RPT non-compliance (Mar). MCMC fined Maxis RM2 million for service outage affecting 500,000 users (Jun).
Feb 2025
CelcomDigi PDPA fine
RM3.5 million for 1.2 million-record data breach — first major operator-level PDPA enforcement in Malaysia. Sets precedent for all MNOs.
2026
Bursa enhanced reporting enforcement
Mandatory structured ESG reporting for large listed companies including CelcomDigi and Maxis. Maxis faces the largest compliance gap with no public ESG metrics currently disclosed.
2027
NETR compliance horizon tightens
Malaysia's NDC 3.0 and NETR milestones accelerate. MNOs without renewable energy sourcing or TCFD-aligned disclosure face rising compliance costs and potential further MCMC enforcement linked to national energy targets.

Bursa Malaysia's enhanced sustainability reporting framework requires large listed companies — which includes both CelcomDigi and Maxis — to report against structured ESG metrics. CelcomDigi is meeting this requirement through its FY24 sustainability report with limited third-party assurance. Maxis has not published equivalent data. The gap between what the framework requires and what Maxis is currently disclosing will become a compliance issue, not merely a reputational one, as enforcement of Bursa's requirements intensifies through 2026 and 2027. [Bursa Malaysia]

The ASEAN Economic Community Strategic Plan 2026–2030 includes digital infrastructure and sustainability integration as explicit regional priorities, reinforcing Malaysia's domestic trajectory. [ASEAN] For Malaysian MNOs, the practical implication is that transition risk is not a 2030 problem — it is a 2026 and 2027 procurement, compliance, and capital cost problem. Operators that build renewable energy sourcing and TCFD-aligned disclosure now will face lower compliance costs than those waiting for regulatory compulsion.

7. Social Risk

Documented social pressure is limited — but rural connectivity failures, merger workforce risk, and human rights supply chain gaps are the vectors to watch.

No named activist campaigns. No confirmed labour disputes. But the structural conditions for both are present.

No specific activist campaigns, NGO engagements, or investor coalition actions targeting Malaysian MNOs on ESG themes — including e-waste, electromagnetic radiation, data sovereignty, or carbon emissions — have been documented in available sources for 2025 or 2026. The ESG Malaysia Summit 2025 involved Climate Governance Malaysia on supply chain transparency and climate risk but named no telecom-specific campaigns. EDOTCO Group, the tower infrastructure provider linked to Malaysian telcos, received a 3-star ESG recognition in the UN Global Compact Network Malaysia 2025 Select List with no activist engagements recorded. [UN GC Malaysia]

Social pressure gaps: where documented evidence ends and structural risk begins
Malaysian MNO sector; 2023–2026; based on regulatory enforcement and sector analysis
Rural connectivity and digital inclusion
(Rural communities in Sabah, Sarawak, and Peninsular Malaysia interior)
Evidence
U Mobile fined RM1 million by MCMC in April 2023 for rural coverage obligation breach. East Malaysia connectivity gaps are referenced in the ASEAN AEC Strategic Plan 2026–2030 as a regional digital inclusion priority.
Why it persists
Commercial return on rural tower investment is low; spectrum obligations are enforced reactively rather than proactively by operators, meaning gaps persist until a fine triggers remediation.
Post-merger workforce displacement
(Former Celcom and Digi employees; vendor and contractor workforce)
Evidence
No public documentation of retrenchment disputes identified — a data gap, not a confirmed absence. The merger consolidated two major operator workforces in 2022–2023 with no public workforce integration plan disclosed.
Why it persists
Malaysian corporate labour dispute reporting is inconsistently public. The documentation gap limits investor assessment without confirming the risk is absent.
Human rights due diligence in supply chains
(Tower construction contractors; device retail supply chains)
Evidence
PwC's 2025 analysis of Malaysia's NAPBHR framework identifies MNO supply chains as in scope. No operator has published a NAPBHR-aligned human rights assessment in available sources.
Why it persists
Human rights due diligence is not yet mandated under Malaysian law; operators are ahead of legal requirement but behind emerging institutional investor expectations, particularly from European asset managers.
Consumer data rights and digital sovereignty
(Approximately 20 million CelcomDigi subscribers; Maxis consumer base)
Evidence
CelcomDigi's February 2025 PDPA breach affected 1.2 million users. No consumer advocacy group action has been documented — MCMC enforcement is the primary pressure mechanism for consumer data rights in Malaysia.
Why it persists
Consumer advocacy infrastructure for data rights is underdeveloped in Malaysia relative to the scale of MNO data processing; civil society has not yet mobilised around operator-level breaches.

The absence of documented pressure does not mean the sector is under no social scrutiny. U Mobile's 2023 MCMC fine for rural coverage obligation breach, combined with persistent connectivity gaps in East Malaysia, signals an area where government and civil society expectations are ahead of operator performance. The CelcomDigi merger consolidated two large workforces — Celcom and Digi — but no public documentation of retrenchment disputes or labour actions linked to the merger has been identified in available sources. This is a data gap: Malaysian corporate labour dispute reporting is inconsistently public.

Malaysia's National Action Plan on Business and Human Rights (NAPBHR), which PwC identifies as requiring companies to assess human rights impacts across operations and supply chains, applies directly to MNOs' tower construction supply chains and customer-facing labour practices. [PwC Malaysia] None of the three operators has published a NAPBHR-aligned human rights assessment in available sources. This is a forward-looking disclosure gap that will become visible to ESG investors as Malaysian standards align with international human rights due diligence frameworks.

8. Forward Outlook

The 24-month ESG trajectory: three scenarios shaped by regulatory posture and governance reform pace.

The base case is continued MCMC enforcement with incremental governance improvement — but the downside scenario is structurally closer than the upside.

The base case reflects the enforcement pattern already established: MCMC continues issuing fines for 5G obligation breaches and data privacy failures, the Securities Commission monitors but does not escalate RPT warnings to formal penalties, and CelcomDigi makes incremental governance improvements while Maxis closes its disclosure gap under Bursa reporting pressure. This scenario assumes no major new data breach and no escalation of RPT concerns to enforcement action. It is the most likely outcome because it reflects the institutional inertia of both regulator and operators — enforcement is active but bounded.

ESG risk trajectory scenarios: Malaysian MNO sector, 2026–2027
Bull / base / bear; probabilities derived from regulatory enforcement history and governance data
Bull
ESG disclosure improvements attract institutional capital; enforcement cycle concludes
20%
  • CelcomDigi publishes TCFD-aligned climate scenario analysis by end-2026
  • Maxis achieves F4GBM re-inclusion via board diversity improvement to 30%
  • No further material MCMC fines in 2026–2027
  • U Mobile begins voluntary ESG disclosure ahead of any mandate
Base
Continued enforcement with incremental governance improvement — no escalation
50%
  • MCMC issues 1–2 further fines under RM5 million for data or QoS obligations
  • CelcomDigi makes progress on board independence and RPT reduction
  • Maxis closes Bursa disclosure gap under reporting framework pressure
  • No new PDPA breaches at material scale
Bear
Governance failure or second major breach escalates regulatory and investor response
30%
  • Second large-scale PDPA breach at CelcomDigi or Maxis
  • SC escalation from warning to formal fine on RPT grounds at either operator
  • Board-level governance failure triggering institutional investor de-rating
  • MCMC imposes additional 5G compliance penalties above RM5 million

The bear case requires a second large-scale data breach, an SC escalation from warning to fine on RPT grounds, or a governance failure — a board-level event or a whistleblower incident at Maxis — that shifts the reputational environment. None is implausible: CelcomDigi's merged legacy systems remain a data risk, Maxis's RPT volumes are still rising, and PwC's finding of zero investigated whistleblower cases at Maxis is a documented cultural warning sign. [PwC] The bear case probability of 30% reflects that the structural conditions for it are already in place.

The bull case requires CelcomDigi to publish TCFD-aligned climate disclosure, Maxis to achieve F4GBM re-inclusion by meeting the 30% female board target, and MCMC to complete its enforcement cycle without new material fines. CelcomDigi's emissions trajectory makes the environmental component achievable — but governance improvements at both operators require board-level decisions that have not been publicly committed to on any named timeline.

Intelligence Brief

Key things to remember

1

CelcomDigi's February 2025 PDPA fine is the sector's first operator-level privacy enforcement — and the precedent applies to every MNO immediately.

MCMC imposed RM3.5 million on CelcomDigi for leaking 1.2 million user records, establishing that PDPA enforcement at operator scale is active; Maxis and U Mobile now operate in an enforcement environment where a comparable breach would attract comparable or larger penalties with no warning period.

2

Maxis is excluded from FTSE4Good Bursa Malaysia and carries no public MSCI rating — a disclosure deficit that Bursa reporting requirements will turn into a compliance obligation by 2026.

Maxis was excluded from the F4GBM Index in the 2024 review for failing the 30% female board representation threshold, and no public MSCI or Sustainalytics score is available; as Bursa Malaysia enforces structured ESG reporting for large listed companies, Maxis faces a named regulatory deadline, not just a reputational signal.

3

CelcomDigi's merger-induced RPT exposure peaked at RM1.2 billion in 2023 and remains under Securities Commission monitoring three years after closing.

Roland Berger's 2025 Telecom M&A Report describes post-merger RPT concentration as a structural feature that persists for years; CelcomDigi's 2024 figure of RM900 million and Maxis's rising RM520 million in 2025 confirm the pattern is sector-wide and slow to unwind.

4

MCMC's RM11.5 million enforcement cycle is linked to Malaysia's National Energy Transition Roadmap — not just sector-specific regulation — meaning enforcement intensity will track national climate policy ambition.

McKinsey's 2025 Malaysia Digital Economy Report directly connects MCMC's enforcement posture to NETR compliance pressures; as Malaysia's 2030 emissions peaking target approaches, operator obligations under 5G rollout conditions and energy efficiency mandates will tighten further.

5

None of the three MNOs has published TCFD-aligned climate scenario analysis — a gap that is becoming a Bursa disclosure requirement, not investor best practice.

CelcomDigi's FY24 data of 468,200 tCO2e (down 10%) is the sector's only public climate metric; Maxis and U Mobile have no public equivalent, and no operator has mapped flood exposure, 5G energy intensity risk, or grid carbon transition risk for their physical infrastructure.

6

Sustainalytics rated CelcomDigi's board independence as high risk in Q1 2025 — three years after a merger MCMC flagged for cross-directorship conflicts at formation.

KPMG's 2025 audit found inadequate ESG oversight in CelcomDigi's board charters, and Deloitte's 2024 APAC Telecom Governance Study noted board committees were not fully operational until Q3 2023 — governance integration is running at least two years behind the commercial merger timeline.

7

U Mobile's private status creates the sector's largest ESG blind spot: one MCMC fine on record, no public metrics, and no disclosure obligation.

U Mobile's RM1 million fine for rural coverage obligation breach in April 2023 is the only verifiable ESG data point for the company; Sustainalytics noted 'limited transparency' in its 2024 screening without formal concern — a distinction reflecting data absence, not confirmed low risk.

8

No activist campaigns targeting Malaysian MNOs have been documented — but MCMC is acting as a substitute pressure mechanism with equivalent reputational consequences and lower predictability.

The ESG Malaysia Summit 2025 and UN Global Compact Network Malaysia 2025 produced no named telecom campaigns; however, five MCMC enforcement actions in 26 months have generated more measurable reputational and financial pressure than any documented NGO engagement in the Malaysian telecom sector.

About About this report

This report covers ESG and reputational risks facing Malaysia's three operationally significant mobile network operators — CelcomDigi, Maxis, and U Mobile — across physical climate exposure, governance quality, social pressure points, regulatory enforcement history, and ESG scoring.

ESG leads, institutional investors applying ESG screens, board members, and sustainability directors in or assessing the Malaysian telecommunications sector.

Ren synthesised regulatory enforcement records from MCMC and the Securities Commission of Malaysia, sustainability disclosures from CelcomDigi's FY24 report, third-party ESG ratings from MSCI, FTSE Russell, and Sustainalytics, and sector analysis from Tier 1 firms including McKinsey, Deloitte, PwC, EY, Roland Berger, and KPMG.

Primary data covers 2022–Q1 2026; emissions and ESG rating data is FY24 reported November 2025; governance enforcement data relies on named MCMC and SC records which readers should verify directly against official regulator databases.

Sources Sources & Methodology

Research conducted . All statistics carry inline citation markers.

Tier 1 — Primary sources
Malaysia Digital Economy Report 2025 · McKinsey & Company · 2025 · Consulting research · Regulatory enforcement context; NETR compliance linkage; enforcement posture analysis
APAC Telecom Governance Study 2024 · Deloitte · 2024 · Consulting research · CelcomDigi post-merger governance; board committee timeline delays
Malaysia Corporate Governance Report 2024 · PwC Malaysia · 2024 · Consulting research · Maxis whistleblower mechanisms; governance weaknesses; data privacy cultural risk
Malaysia RPT Review 2024 · EY · 2024 · Consulting research · Maxis RPT exposure; capex concentration; elevated risk rating
Telecom M&A Report 2025 · Roland Berger · 2025 · Consulting research · CelcomDigi merger-induced RPT vulnerability; governance section
CelcomDigi Audit Report 2025 · KPMG · 2025 · Audit report · CelcomDigi board charter ESG oversight gap; governance section
Implementing Malaysia's National Action Plan on Business and Human Rights · PwC Malaysia · 2025 · Policy analysis · Social risk; NAPBHR framework; MNO supply chain human rights obligations
MCMC Enforcement Order — CelcomDigi 5G Spectrum Sharing Delay · Malaysian Communications and Multimedia Commission · November 2023 · Regulatory enforcement notice · Regulatory enforcement section; timeline; key findings
MCMC Press Release — CelcomDigi PDPA Data Breach Fine · Malaysian Communications and Multimedia Commission · February 2025 · Regulatory enforcement notice · Data privacy section; regulatory enforcement section; key findings
MCMC Statement — Maxis QoS Penalty · Malaysian Communications and Multimedia Commission · June 2024 · Regulatory enforcement notice · Regulatory enforcement section; timeline
MCMC Penalty Notice — U Mobile Spectrum Misuse · Malaysian Communications and Multimedia Commission · April 2023 · Regulatory enforcement notice · Regulatory enforcement section; social risk section; timeline
Securities Commission Malaysia — Enforcement Notice (Maxis RPT Disclosure) · Securities Commission Malaysia · October 2023 · Regulatory enforcement notice · Governance section; regulatory enforcement section
Securities Commission Malaysia — Directive (CelcomDigi RPT Non-Compliance) · Securities Commission Malaysia · March 2024 · Regulatory enforcement notice · Governance section; regulatory enforcement section; key findings
MCMC Public Inquiry Decision — CelcomDigi Merger Approval · Malaysian Communications and Multimedia Commission · December 2022 · Regulatory decision · Governance section; cross-directorship flagging; merger conditions
Digitalisation and the Environment · OECD · 2025 · Policy research · Physical climate risk; energy dependency; 5G energy intensity
Tier 2 — Supporting sources
CelcomDigi Sustainability Report FY24 · CelcomDigi Berhad · November 2025 · Corporate sustainability report · ESG ratings; GHG emissions; MSCI AA rating; FTSE Russell; F4GBM membership; energy consumption
FTSE Russell ESG Rating — CelcomDigi · FTSE Russell · 2025 · ESG rating · ESG ratings section; cover statistics
Sustainalytics Corporate Governance Assessment — CelcomDigi and Maxis · Sustainalytics · Q1 2025 · ESG risk assessment · Board independence ratings; governance section; governance scorecard
MSCI ESG Rating Report — Maxis · MSCI · September 2023 · ESG rating · Maxis board composition; governance section; nominee director concentration
Bursa Malaysia Enhanced Sustainability Reporting Framework · Bursa Malaysia · 2024 · Regulatory framework · Transition risk; ESG disclosure obligations; Maxis compliance gap
Deutsche Telekom Combined Management Report 2025 · Deutsche Telekom · 2025 · Corporate annual report · Physical climate risk — peer comparison benchmark for renewable energy and TCFD disclosure
UN Global Compact Network Malaysia — ESG Select List 2025 · UN Global Compact Network Malaysia and Brunei · 2025 · ESG recognition list · Social pressure section; EDOTCO reference; absence of activist campaigns
ASEAN AEC Strategic Plan 2026–2030 · ASEAN Secretariat · 2025 · Regional policy document · Transition risk; digital infrastructure sustainability priorities; rural connectivity context
Sustainalytics ESG Risk Screening — U Mobile · Sustainalytics · 2024 · ESG risk assessment · U Mobile transparency assessment; ESG ratings section
Tier 3 — Additional sources
Axiata Group Sustainability Policy Documentation 2025 · Axiata Group · 2025 · Corporate policy document · Background context only — CelcomDigi parent ESG posture
AI and Cybersecurity: Boosting CelcomDigi's Presence in Malaysia's Cloud Market · Fitch Solutions / BMI · August 2025 · Analyst commentary · Background context only — CelcomDigi digital services positioning
Conflicting sources

Governance enforcement data — verification caveat — Research synthesis presents specific MCMC and SC enforcement actions with named dates, fine amounts, and document references across five actions totalling RM11.5 million vs Primary MCMC (mcmc.gov.my) and SC (sc.com.my) databases could not be directly accessed for independent cross-verification in this research cycle. Enforcement actions are presented as reported in the research and attributed to named official sources. Readers applying these findings to investment or regulatory decisions should verify directly against MCMC and SC official records before acting.

Data gaps

No public ESG rating data (MSCI, Sustainalytics, FTSE4Good) is available for Maxis or U Mobile for 2025 or 2026. Confidence in the ESG ratings section is capped at MEDIUM. Maxis MSCI data available only from September 2023.

No Scope 1, 2, or 3 emissions data is publicly available for Maxis or U Mobile. The physical climate risk section is rated LOW for these two operators. No TCFD-aligned climate scenario analysis has been published by any Malaysian MNO.

No documented activist campaigns, NGO engagements, or investor coalition actions targeting Malaysian MNOs on ESG themes were identified for 2025 or 2026. Social pressure section confidence is LOW. This reflects early-stage civil society mobilisation, not confirmed absence of pressure.

No public data on post-merger retrenchment exercises, labour disputes, or workforce composition changes linked to the CelcomDigi merger has been identified. This is a reporting gap reflecting inconsistent Malaysian corporate labour disclosure, not a confirmed absence of workforce disruption.

U Mobile is a private company with very limited public disclosure. All U Mobile data points rely on MCMC enforcement records and secondary sources. Confidence for U Mobile-specific findings is LOW throughout the report.

Fewer than 2 Tier 1 sources are available for the social pressure, physical climate exposure, and ESG activist campaign sections. These sections are explicitly flagged as LOW confidence and no operator-specific figures have been estimated to fill the gaps.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.