Cybersecurity regulation in Indonesia (2026)
Indonesia has no overarching cybersecurity law in force; obligations arise from a combination of agency regulations, the electronic-systems framework, the data-protection law, and sector-specific rules (notably finance and vital information infrastructure). BSSN, reporting directly to the President, is the lead national authority for cyber defense, incident response, and crisis management. A long-pending comprehensive Cybersecurity and Cyber Resilience Bill (RUU KKS) sits in the 2025/2026 national legislative program but has not been passed.
Key points
Presidential Regulation No. 28 of 2021 established BSSN (National Cyber and Crypto Agency) as the central body reporting directly to the President, responsible for identification, detection, protection, response, recovery, and monitoring of cybersecurity, plus national cyber crisis management.
BSSN Regulation No. 1 of 2024 requires Electronic System Operators (especially vital information infrastructure operators) to establish a Cyber Incident Response Team (CSIRT) and report incidents to the national Nat-CSIRT within 24 hours; BSSN Regulation No. 2 of 2024 obliges agencies and operators to maintain cyber crisis contingency plans.
Under Law No. 27 of 2022 on Personal Data Protection (fully enforceable from October 2024), a data controller suffering a personal data protection failure must notify both affected data subjects and the supervisory authority within 72 hours. The dedicated PDP Agency is targeted to become operational in 2026.
Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions sets baseline security, data, and operational obligations for Electronic System Operators, complementing the Electronic Information and Transactions (ITE) regime.
The financial regulator OJK imposes cyber resilience duties via POJK No. 11/2022 on IT Governance and SEOJK No. 29/2022 on Cybersecurity and Resilience; financial institutions must give initial incident notification to OJK within 24 hours and a full report within five working days.
The Cybersecurity and Cyber Resilience Bill, first submitted in 2019, stalled in the DPR and has been re-listed in the 2025/2026 national legislative program (Prolegnas). It would create an integrated framework with BSSN as central authority, but it has not been enacted; military involvement provisions have drawn public criticism.
Timeline - major decisions & events
By October 2025 the draft Government Regulation implementing the PDP Law completed harmonization and was sent for presidential approval, while the Presidential Regulation establishing the long-awaited Personal Data Protection Agency entered its harmonization stage, with the agency targeted to become operational in 2026. This will finally provide a dedicated enforcement authority and detailed compliance rules for Indonesia's data-protection regime. (Source: Chambers and Partners)
After being first proposed in 2019 and stalling for over five years, the Cyber Security and Resilience Bill (RUU KKS) was included among parliament's 2025 priority legislation; it would designate BSSN as central cyber authority but has drawn criticism over proposed military (TNI) roles and civil-liberties risks. (Source: Kompas)
The two-year transition period under Law No. 27 of 2022 expired, so all data controllers and processors must now fully comply with Indonesia's comprehensive personal data protection obligations, including security and breach-notification duties, even though the dedicated supervisory agency was not yet operational. (Source: Library of Congress)
A LockBit 3.0-derived ransomware attack on the Temporary National Data Center in Surabaya disrupted 282 public services including immigration and passports, with attackers demanding USD 8 million; the government refused to pay and BSSN's forensics found Windows Defender had been disabled, exposing severe weaknesses in government cyber governance. (Source: ANTARA News)
The President signed the second amendment to the 2008 Electronic Information and Transactions Law, revising contested criminal provisions, raising fines, and requiring electronic certification service providers to be Indonesian-domiciled legal entities, reshaping rules governing the digital space and electronic trust services. (Source: Hogan Lovells)
President Jokowi issued Perpres 82/2022 mandating BSSN to coordinate protection of vital information infrastructure across strategic sectors (government, energy, finance, health, transport, defense, etc.), requiring operators to apply risk management, incident readiness, and coordination with BSSN. (Source: Cabinet Secretariat (Setkab))
Personal data of over 279 million citizens — ID numbers, addresses, phone numbers, salaries — allegedly from health-insurer BPJS Kesehatan was offered for sale on a hacking forum; the police-investigated incident underscored Indonesia's weak data protection and helped build momentum for the PDP Law. (Source: Indonesian National Police)
GR 71/2019 (replacing GR 82/2012) classified operators into public and private ESPs, required public operators to localize systems and data in Indonesia, mandated registration with the Ministry of Communications, and obliged operators to grant government supervisory access and report incidents to the cyber authority. (Source: Global Compliance News)
Presidential Regulation No. 53/2017 created BSSN by merging the National Crypto Agency (Lemsaneg) and the national cyber defense desk (DK2ICN), giving Indonesia a dedicated central agency for cyber defense, threat intelligence, and cryptography; its mandate was reaffirmed by Perpres 28/2021. (Source: UNIDIR Cyber Policy Portal)
The first amendment to the 2008 ITE Law introduced the concept of electronic system providers, the 'right to be forgotten,' powers to terminate access to illegal content, and clarified criminal penalties, expanding the regulatory reach over Indonesia's digital ecosystem. (Source: ICLG)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.