Cybersecurity · Indonesia

Sectoral rules

No single comprehensive cybersecurity statute. Cybersecurity is governed by a patchwork: Badan Siber dan Sandi Negara (BSSN) as central authority (Presidential Regulation 28/2021), Government Regulation 71/2019 on Electronic Systems and Transactions, BSSN Regulations 1/2024 (cyber incident management) and 2/2024 (cyber crisis management), Law No. 27/2022 on Personal Data Protection (breach notification), and sector rules such as OJK financial-sector regulations. A comprehensive Cybersecurity and Cyber Resilience Bill (RUU KKS) is proposed but not enacted.

Indonesia has no overarching cybersecurity law in force; obligations arise from a combination of agency regulations, the electronic-systems framework, the data-protection law, and sector-specific rules (notably finance and vital information infrastructure). BSSN, reporting directly to the President, is the lead national authority for cyber defense, incident response, and crisis management. A long-pending comprehensive Cybersecurity and Cyber Resilience Bill (RUU KKS) sits in the 2025/2026 national legislative program but has not been passed.

Lead authority (BSSN)

Presidential Regulation No. 28 of 2021 established BSSN (National Cyber and Crypto Agency) as the central body reporting directly to the President, responsible for identification, detection, protection, response, recovery, and monitoring of cybersecurity, plus national cyber crisis management.

Incident & crisis management rules (2024)

BSSN Regulation No. 1 of 2024 requires Electronic System Operators (especially vital information infrastructure operators) to establish a Cyber Incident Response Team (CSIRT) and report incidents to the national Nat-CSIRT within 24 hours; BSSN Regulation No. 2 of 2024 obliges agencies and operators to maintain cyber crisis contingency plans.

Data breach notification

Under Law No. 27 of 2022 on Personal Data Protection (fully enforceable from October 2024), a data controller suffering a personal data protection failure must notify both affected data subjects and the supervisory authority within 72 hours. The dedicated PDP Agency is targeted to become operational in 2026.

Electronic systems framework

Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions sets baseline security, data, and operational obligations for Electronic System Operators, complementing the Electronic Information and Transactions (ITE) regime.

Financial-sector cyber rules (OJK)

The financial regulator OJK imposes cyber resilience duties via POJK No. 11/2022 on IT Governance and SEOJK No. 29/2022 on Cybersecurity and Resilience; financial institutions must give initial incident notification to OJK within 24 hours and a full report within five working days.

Comprehensive bill pending (RUU KKS)

The Cybersecurity and Cyber Resilience Bill, first submitted in 2019, stalled in the DPR and has been re-listed in the 2025/2026 national legislative program (Prolegnas). It would create an integrated framework with BSSN as central authority, but it has not been enacted; military involvement provisions have drawn public criticism.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.