Government-Linked Companies (GLCs) in Malaysia are raising the bar for the web and software vendors they engage. Procurement teams that once evaluated vendors primarily on price and delivery timelines are now asking detailed questions about security, governance, sustainability, and long-term capability. For digital agencies and software development companies in Malaysia, understanding what GLCs are looking for has become essential to winning and retaining institutional contracts.
What Is Driving the Change
Several factors have converged to intensify GLC scrutiny over their digital vendors. Malaysia's Government Procurement Act 2025,
passed in August 2025, introduced mandatory open competitive tenders, full documentation requirements, and audit-ready procurement
records. Vendor selection decisions are now subject to formal review by a Government Procurement Appeal Tribunal, meaning GLCs must
be able to justify every major engagement with documented evidence.
At the same time, GLCs are required to publish ESG reports and KPI disclosures aligned with Bursa Malaysia's sustainability reporting
framework. Digital vendors are increasingly considered part of a GLC's ESG supply chain. A vendor with weak security practices, no
sustainability policy, or poor governance documentation reflects directly on the GLC that hired them.
What GLC Procurement Teams Are Now Evaluating
Figure 1: The 5 areas GLC procurement teams now evaluate when selecting digital vendors.
“GLC procurement is no longer just about price and delivery timelines. It is about governance, security, sustainability, and institutional trust.”
- Security and PDPA compliance. Vendors must demonstrate data protection practices, audit logs, access control policies, and evidence of security testing. GLCs under Bank Negara or Securities Commission oversight hold vendors to particularly high standards.
- Service Level Agreements. Defined uptime guarantees and documented incident response procedures are now a baseline requirement, not a differentiator.
- ESG and sustainability alignment. Procurement teams ask whether hosting infrastructure uses renewable energy and whether vendors have any documented environmental commitments.
- Institutional track record. Experience delivering projects for GLC, PLC, or government-linked organisations carries significant weight. Generic portfolios without verifiable references are increasingly disqualifying.
- IP ownership and handover documentation. Post-delivery ownership terms, source code access, and system documentation must be clearly defined from the start of any engagement.
How to Position Your Business Ahead of an Audit
Vendors who approach GLC procurement proactively are consistently shortlisted over those who only address these questions when asked.
Practical steps include documenting your internal security and data governance policies, renewing or obtaining relevant industry
certifications, building a sustainability position for your hosting and infrastructure choices, and compiling a portfolio of
institutional projects with clearly stated outcomes.
GLC procurement is thorough and methodical. Vendors who arrive prepared with documentation, references, and clear governance
ecords demonstrate the kind of institutional maturity that large organisations look for in long-term partners.
The standard is rising. Digital agencies and software companies in Malaysia that understand this shift and build
their practices accordingly will find themselves consistently in contention for the contracts that matter most.