TMT 2026 Comparisons

Indonesia’s digital economy sits at the intersection of technology, finance, data governance, and sector‑specific regulation. It is shaped by legal frameworks governing electronic systems and transactions, e‑commerce, payment systems, the financial sector, competition, and consumer protection. The key regulations are summarised below.

Electronic Systems and Transactions

The main regulatory framework consists of:

• Law No. 11 of 2008 on Electronic Information and Transactions, as last amended by Law No. 1 of 2024 (“EIT Law”);
• Law No. 27 of 2022 on Personal Data Protection (“PDP Law”);
• Government Regulation (GR) No. 71 of 2019 on Electronic Systems and Transactions (“GR 71/2019”);
• GR No. 17 of 2025 on Governance of Electronic System Implementation in Child Protection (“GR 17/2025”);
• Ministry of Communication and Informatics (MOCI) (now known as the Ministry of Communication and Digital Affairs or MOCDA) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCI Reg. 20/2016”); and
• MOCI Regulation No. 5 of 2020 on Private Electronic System Providers, as amended by MOCI Regulation No. 10 of 2021 (“MOCI Reg. 5/2020”).

These rules form the core framework for the use, operation, and governance of electronic systems in Indonesia. They establish standards for system functionality, data protection, cybersecurity, and content moderation.

An electronic system covers any electronic tools and procedures used to process or deliver electronic information. An electronic system provider (ESP) may be an individual, business entity, or government body that operates electronic systems for public or private purposes.

Key ESP obligations include:

• registering with the MOCDA and obtaining an ESP certificate (both domestic and foreign ESPs);
• using secure, compatible hardware and reliable software;
• meeting minimum operational requirements;
• protecting personal data in accordance with the PDP Law;
• maintaining adequate security across all components of the electronic system; and
• implementing content moderation to prevent the distribution of prohibited content, including pornography, gambling, defamation, fraud, hate speech, violence, IP infringement, security breaches, public‑order violations, social‑norm violations, hoaxes, and extortion.

E‑Commerce

The e‑commerce sector is regulated by:

• GR No. 80 of 2019 on Trade through Electronic Systems (“GR 80/2019”); and
• Ministry of Trade (MOT) Regulation No. 31 of 2023 on Licensing, Advertising, Development, and Supervision of Business Actors in E‑Commerce (“MOT Reg. 31/2023”).

These regulations govern licensing, obligations of e‑commerce actors, liability for electronic content, consumer protection, and data protection.

E‑commerce is defined as commercial activity conducted using electronic devices and procedures. “E‑commerce providers” include any business actors operating communication facilities that enable such transactions, including cross‑border transactions.

Other categories include:

• Merchants – business actors conducting e‑commerce directly or through platforms.
• Intermediary Service Providers (ISPs) – non‑telecommunication operators providing electronic communication platforms solely as intermediaries.

Key obligations under MOT Reg. 31/2023 include the following.

• Classification of e‑commerce business types: Retail Online, Marketplace, Online Classifieds, Price Comparison Platforms, Daily Deals, and Social Commerce.
• Business licensing via the Online Single Submission (OSS) system.
• Requirements for foreign e‑commerce providers to establish a representative office in Indonesia if, within one year, they have:
1. at least 1,000 customers;
2. at least 1,000 shipments to Indonesia; and/or
3. 1% or more of domestic internet traffic.
• A minimum Free on Board (FOB) price of USD 100 for finished goods sold directly from overseas.
• Identity verification and documentation requirements for foreign merchants.
• Content moderation obligations, with a safe‑harbour mechanism under GR 80/2019 for prompt removal of illegal content once discovered.

Digital Taxation

Key regulations include:

• Income Tax Law (Law No. 7 of 1983, as amended by Law No. 6 of 2023).
• MOF Regulation No. 81 of 2024 on Tax Provisions for the Core Tax Administration System, as amended by MOF Reg. 54 of 2025 (“MOF Reg. 81/2024”).
• Presidential Regulation No. 68 of 2025 on Tax Collection for Foreign Digital Transactions.

These rules define the tax regime for digital goods and services, including VAT obligations for foreign digital service providers and relevant tax‑administration procedures.

Payment Systems

Bank Indonesia (BI) regulates the payment system through:

• BI Reg. No. 22/23/PBI/2020 on Payment Systems;
• BI Reg. No. 23/6/PBI/2021 on Payment Service Providers (PSPs); and
• BI Reg. No. 23/7/PBI/2021 on Payment System Infrastructure Providers (PSIPs).

Key provisions cover:

• role delineation between PSPs and PSIPs and their co-operation with supporting service providers;
• QRIS implementation, interoperability requirements, and clearing/settlement standards;
• ownership, foreign investment limits, capital rules, risk management, and data‑localisation requirements; and
• consumer protection, system security, and operational standards.

Financial Sector

The central regulation is Law No. 4 of 2023 on the Development and Strengthening of the Financial Sector (“P2SK Law”). The P2SK Law modernises Indonesia’s financial‑sector framework and enhances the authority of the Financial Services Authority (Otoritas Jasa Keuangan or OJK) across banking, capital markets, non‑bank institutions, digital financial innovation, and crypto assets.

Key elements include:

• rules for establishing, licensing, and supervising digital banks, including capital and governance requirements;
• transfer of regulatory authority for crypto assets from Bappebti to the OJK;
• regulation of Financial Sector Technology Innovation (Inovasi Teknologi Sektor Keuangan or ITSK) for activities not fitting existing regulated categories; and
• strengthened rules on market conduct, consumer protection, financial stability, and risk oversight.

Additional regulations include OJK Reg. No. 21 of 2023 on Digital Services by Commercial Banks, and BI’s oversight of digital‑financial market infrastructure under Board of Governors Reg. No. 26 of 2025 on Financial Derivatives with Underlying Assets in the Form of Money Market and Foreign Exchange Market Products.

Consumer Protection

The foundation of consumer protection is Law No. 8 of 1999 on Consumer Protection (“Consumer Protection Law”). It guarantees consumer rights to accurate information, safety, comfort, dispute‑resolution mechanisms, and fair treatment, while setting obligations and liabilities for business actors.

Sector‑specific consumer‑protection rules also apply, including those issued by BI for the payment‑system sector and by the OJK for the financial sector.

Indonesia continues to face several legal and structural challenges in the development of its digital economy. Key issues include the following.

• Uneven infrastructure, with major disparities in internet access – especially in rural and remote regions – which limits broad participation in the digital economy.
• Insufficient digital skills across the population, a gap that is becoming increasingly urgent as artificial intelligence (AI) advances and the government identifies it as an area needing further regulatory attention.
• Persistent cybersecurity threats, including rising cybercrime, online fraud, and systemic vulnerabilities affecting both public and private sectors.

The government has acknowledged these challenges and is attempting to guide digital‑economy development through a mix of legislation and policy initiatives. A central effort is the White Paper on the National Strategy for Indonesia’s Digital Economy Development 2030 (2023), which establishes six core pillars:

• infrastructure;
• human capital;
• research and development;
• business climate and cybersecurity;
• funding and investment; and
• policies and regulations.

The White Paper functions as a strategic reference for ministries, agencies, and other stakeholders, and also helps shape Indonesia’s position internationally. It outlines a long‑term development trajectory through three phases leading up to 2045:

• Prepare Phase, focused on strengthening foundational digital infrastructure and readiness;
• Transform Phase, aimed at accelerating digital transformation to create smart communities and businesses; and
• Lead Phase, where Indonesia aspires to set standards for emerging innovative technologies.

Despite these strategic directions, Indonesia still lacks a unified and transparent mechanism to monitor implementation, making it difficult to assess actual progress in practice.

Under MOF Regulation 81/2024, the use of foreign digital goods and digital services within Indonesia through e‑commerce platforms is subject to value added tax (VAT). An 11% VAT rate applies to each transaction and is imposed on foreign merchants and/or foreign service providers.

The regulation covers both digital goods and digital services.

Digital Goods

Intangible products in the form of electronic or digital information, whether originally digital or converted into digital form. This includes software, multimedia content, electronic data, electronic games, e‑books, music, and similar products.

Digital Services

Services delivered via the internet or other electronic networks that can only be accessed or utilised through information technology. Examples include software‑based services such as online advertising, online consultations, and digital marketing.

Foreign digital businesses operating in e‑commerce may be appointed as VAT collectors if they meet certain thresholds. Once designated, they are required to:

• charge 11% VAT on transactions with Indonesian consumers;
• issue electronic proof of VAT collection; and
• remit the collected VAT to the Indonesian tax authority.

Digital advertising services are subject to 11% VAT when used in Indonesia, including those provided by foreign digital platforms that have been appointed as VAT collectors. Payments made to foreign advertising providers may also be subject to a 20% withholding tax under Article 26 of the Income Tax Law when the provider does not have a permanent establishment in Indonesia, unless a tax treaty allows for a reduced rate.

To ensure compliance, companies should apply the correct VAT and withholding tax, maintain proper invoices, and verify whether the foreign provider is designated as a VAT collector or falls under withholding tax obligations. They should also keep accurate transaction records and follow the latest guidance issued by the Indonesian tax authority.

The Consumer Protection Law is Indonesia’s main legal framework for safeguarding consumer rights. It applies to all goods and services, including digital products and digital services in the TMT sector. For digital transactions, this general framework is complemented by sector‑specific rules under GR 71/2019, GR 80/2019, and MOT Regulation 31/2023. Additional consumer‑protection measures are set out by the OJK and Bank Indonesia for financial and payment‑system services.

To comply with these requirements, digital businesses must, among other obligations:

• avoid misleading, fraudulent, or deceptive marketing practices;
• ensure accuracy of product information, including pricing, specifications, and contractual terms;
• refrain from making false claims or discrediting competing goods or services;
• provide clear refund and return mechanisms, especially when products are defective or not as described;
• be transparent about fees, cancellation rights, and delivery timelines;
• protect consumer data and ensure secure handling of electronic payments; and
• make terms and conditions easily accessible and not unfairly disadvantageous to consumers.

Mandatory Consumer Complaint Service

Under GR 80/2019, e‑commerce operators must uphold consumer rights in accordance with the Consumer Protection Law and relevant sector‑specific rules. MOT Regulation 31/2023 expands these obligations by requiring operators to provide a dedicated consumer‑complaint service that must:

• be clearly visible on the platform;
• include direct contact details for submitting complaints; and
• display contact information for the Directorate General of Consumer Protection at the Ministry of Trade.

Companies must respond promptly, keep records of complaints, and ensure the service is accessible to consumers throughout Indonesia.

Dispute Resolution Mechanisms

Consumers may resolve disputes either through (i) court proceedings – such as civil claims or class actions – or (ii) out‑of‑court mechanisms, including the Consumer Dispute Settlement Agency (Badan Penyelesaian Sengketa Konsumen or BPSK), mediation, and online dispute‑resolution platforms increasingly encouraged for digital services.

The latest amendment to the EIT Law reinforces legal certainty by requiring standardised electronic contracts involving Indonesian users, or implemented in Indonesia, to be governed by Indonesian law – even when the operator is based overseas.

Best Practice

The principles and obligations under these regulations align with the Consumer Protection Law to ensure consistent protection across the digital economy. As a best practice, companies should offer accessible complaint‑handling channels and clear procedures for processing consumer claims to foster user trust and maintain regulatory compliance.

Cryptocurrency is increasingly shaping Indonesia’s TMT regulatory landscape by enabling new digital services, asset‑trading models, and technological innovation. The government has recently reinforced its recognition of blockchain as a component of the national digital economy through Government Regulation No. 28 of 2025 on Risk‑Based Business Licensing. This regulation expressly incorporates blockchain technology into Indonesia’s risk‑based licensing framework, signalling continued support for decentralised digital transformation.

Under the P2SK Law, regulatory authority over crypto assets is transitioning from Bappebti to the OJK to align crypto oversight with Indonesia’s broader financial services framework. This transfer was formally completed on 30 July 2025, through the signing of an addendum to the handover minutes (berita acara serah terima) between Bappebti and the OJK, following a transition process that began on 10 January 2025. The OJK now holds full responsibility for regulating and supervising digital financial and crypto assets, including licensing and overseeing crypto trading platforms. After assuming this authority, the OJK issued an official whitelist of licensed Digital Financial Asset and Crypto Asset Trading Providers, which serves as the main reference for identifying entities legally authorised and supervised to conduct digital financial asset and crypto‑trading activities in Indonesia.

Despite rapid market growth, cryptocurrency in Indonesia remains legally classified as a tradable commodity on a regulated Crypto Asset Physical Market operated by licensed Crypto Asset Physical Traders. It is not recognised as a lawful payment instrument under the Currency Law. To preserve this distinction, Bank Indonesia prohibits the use of cryptocurrency for payments and bars payment service providers from facilitating crypto‑based transactions. At the same time, the government continues strengthening supervision to ensure that crypto trading operates within a controlled, commodity‑based regulatory framework.

Cloud and edge computing in Indonesia are primarily governed by Government Regulation No. 71 of 2019 (“GR 71/2019”), which establishes operational, security, and reliability standards for Electronic System Providers (ESPs), including mandatory registration with the Ministry of Communication and Informatics (MOCI). MOCI Regulation No. 5 of 2020 further imposes obligations on private ESPs, such as reporting, audits, data classification, incident response, and content management. Although there is no single industry‑wide code of conduct for cloud or edge computing, sectoral regulators have introduced stricter requirements for industries handling sensitive or critical data.

Financial Sector

Commercial banks may utilise third‑party IT providers, including cloud services, but must comply with OJK Regulation No. 11/POJK.03/2022 on IT Implementation by Commercial Banks (“OJK Reg. 11/2022”). Key obligations include:

• maintaining effective oversight of outsourced IT services;
• conducting due diligence on third‑party providers; and
• entering into written agreements that meet minimum regulatory standards.

If a bank engages a foreign IT provider for transaction processing, it must first obtain approval from the OJK. Banks are also required to maintain data centres and/or disaster recovery centres within Indonesia, unless an exemption is granted. Similar obligations apply to non‑bank financial institutions under OJK Regulation No. 4/POJK.05/2021 on Risk Management in the Use of IT by Non‑Bank Financial Services Institutions, as amended by OJK Regulation No. 10/POJK.05/2022 on Peer-to-Peer Lending.

Healthcare Sector

Under Ministry of Health (MOH) Regulation No. 24 of 2022 on Medical Records (“MOH Reg. 24/2022”), digital medical records may be stored on servers or certified cloud systems. Healthcare facilities may use electronic system operators that store data domestically and are approved (white-listed) by the Ministry of Health.

Processing of Personal Data in Cloud Computing

Where cloud services involve personal data, the cloud provider must clearly determine whether it is acting as a data controller or a data processor, as the PDP Law imposes different obligations and liabilities depending on this role. This classification may be reflected in a service agreement or separate data processing agreement, which should also set out the applicable personal data protection requirements. The PDP Law applies extraterritorially, and compliance must also include meeting cross‑border data transfer requirements when data is stored or processed outside Indonesia.

Because cloud adoption can increase cybersecurity exposure – particularly when services operate across public networks – organisations must ensure that cloud providers implement robust and proportionate security measures aligned with the organisation’s risk profile.

The use of artificial intelligence (AI) in Indonesia has expanded significantly, prompting the government to take steps to manage its development and deployment. However, Indonesia has not yet enacted binding, AI‑specific legislation. Instead, AI is regulated indirectly through the EIT Law, which categorises AI within the broader concept of an “Electronic Agent”. An Electronic Agent is defined as a component of an electronic system designed to automatically perform actions on specific electronic information, and operated by an individual or legal entity. Such agents may take various forms, including visual, audio, electronic data, or other digital formats.

As an implementing regulation of the EIT Law, GR 71/2019 sets out general principles that Electronic Agent providers must follow. These include:

• prudential principles;
• security and integration of information technology systems;
• security controls over electronic transactions;
• cost‑effectiveness and efficiency; and
• consumer protection in accordance with applicable laws.

With regard to deepfake technologies, the EIT Law regulates the creation and dissemination of false or manipulated electronic information, including content that appears authentic but is misleading, causes consumer losses, or incites public unrest. Criminal sanctions apply to violations, providing legal safeguards against the misuse of deepfakes that may damage an individual’s likeness or disrupt public order.

Through MOCI Circular Letter No. 9 of 2023 on the Ethics of Artificial Intelligence (“MOCI CL 9/2023”), the Ministry sets an AI code of ethics based on inclusivity, humanity, security, accessibility, transparency, credibility and accountability, personal data protection, sustainable development, environmental considerations, and respect for intellectual property.

Financial Services

In the banking sector, AI use is subject to the broader regulatory framework administered by the Financial Services Authority (OJK). Key instruments include the following.

• OJK Regulation No. 11/2022, which requires banks to implement sound IT governance, effective risk management, internal controls, and clear accountability for technology use, including AI‑based systems.
• OJK Circular Letter No. 29/SEOJK.03/2022 on Cyber Resilience, which reinforces cyber‑resilience and security‑by‑design requirements by mandating cyber risk management, incident response preparedness, and protection of critical information infrastructure.
• OJK Circular Letter No. 24/SEOJK.03/2023 on the Assessment of the Digital Maturity of Commercial Banks, which introduces a structured framework for assessing banks’ digital maturity, covering governance, risk management, and control over advanced technologies.

Although these instruments do not regulate AI specifically, together they serve as the baseline governance reference for AI adoption in the banking sector. The OJK also issued the 2024 Digital Resilience Guidance, reinforcing expectations that banks embed resilience, security, and accountability throughout the life cycle of AI and other digital technologies.

In the broader financial technology sector, the OJK has issued the Code of Ethics Guideline on Responsible and Trustworthy AI in the Financial Technology Industry. This framework applies to fintech companies and is aimed at minimising risks arising from AI use. The guideline emphasises that AI development and deployment should be grounded in Pancasila, Indonesia’s state philosophy, and must be beneficial, fair, accountable, transparent, explainable, robust, and secure.

Journalism

In journalism, the Indonesian Press Council (Dewan Pers) issued Press Council Regulation No. 1 of 2025 on the Use of Artificial Intelligence in Journalism. The regulation permits AI‑assisted production of journalistic content, provided that all work complies with the Journalistic Code of Ethics. Under this framework, press companies using AI must:

• remain fully responsible for all AI‑generated journalistic content;
• clearly disclose AI use in each AI‑generated journalistic output, including the specific tool or application used;
• ensure accuracy and verification of information by confirming it with competent and reliable sources; and
• ensure that AI use is conducted in good faith and does not involve or result in discrimination based on ethnicity, religion, race, intergroup relations, gender, skin colour, language, economic condition, or disability.

Intellectual Property

As AI‑generated creative works become more common, issues of intellectual property protection have grown in importance. Indonesia’s Law No. 28 of 2014 on Copyright (“Copyright Law”) protects original works, and the unauthorised use of a creator’s work – whether directly or through AI‑generated content – may constitute copyright infringement. Where a creator’s moral or economic rights are violated, the responsible party may face civil or criminal sanctions. Copyright holders retain the right to prevent or act against unauthorised reproduction or use of their work, including AI‑facilitated uses that harm their moral integrity or economic interests.

Indonesia does not have a standalone or comprehensive regulatory framework dedicated specifically to the Internet of Things (IoT). Instead, IoT systems are generally treated as “Electronic Agents” under the EIT Law, as outlined in 3.1 Liability, Data Protection, IP and Fundamental Rights. Because IoT devices operate autonomously and automatically, their deployment is subject to the general requirements for Electronic Agents, including obligations relating to system reliability, security, and accountability.

IoT activities in Indonesia are categorised under the Indonesian Business Code Classification (Klasifikasi Baku Lapangan Usaha Indonesia or KBLI), which serves as the official basis for licensing and regulatory oversight. IoT services fall under KBLI No. 62024 (Internet of Things Consulting and Design Activities), covering consulting, system design, and the development of integrated IoT solutions through modifications to existing hardware such as sensors and microcontrollers. Companies operating under this KBLI must obtain a standard certificate from the Ministry of Industry before commencing operations.

From a sectoral perspective, IoT deployments are governed through a combination of telecommunications, electronic systems, and data protection regulations.

IoT Under the Telecommunications Regime

IoT services rely heavily on telecommunications connectivity. IoT service providers must either obtain a telecommunications business licence for data communication services or partner with a licensed telecommunications operator. Connectivity providers are also required to implement unique addressing systems, including the use of local MSISDNs, device end‑user IDs, or IP addresses.

A significant recent development is the issuance of MOCDA Regulation No. 7 of 2025 on the Utilization of Embedded Subscriber Identity Module (eSIM) Technology in Telecommunications Services (“MOCDA Reg. 7/2025”). This regulation authorises mobile and satellite network operators to deploy eSIM technology – a key enabler of machine‑to‑machine communications and IoT connectivity. It introduces obligations related to local numbering for IoT devices and mandates the protection of eSIM profiles in accordance with cybersecurity and personal data protection standards.

Indonesia has also supported IoT advancement through the adoption of several ISO/IEC IoT standards into the Indonesian National Standards (Standar Nasional Indonesia or SNI), issued by the National Standardization Agency. These standards address IoT reference architecture, interoperability, sensor networks, testing frameworks, and terminology. Although not binding sectoral regulations, they provide essential technical guidance for IoT implementation.

Personal Data Protection

Where IoT devices process personal data, the PDP Law applies. Depending on their role, IoT service providers may be classified as personal data controllers or processors, and must ensure lawful processing, implement adequate security measures, and maintain transparency toward data subjects. Given the multi‑party nature of IoT ecosystems, clearly allocating data protection responsibilities is crucial. Providers are also subject to data breach notification obligations and must comply with cross‑border data transfer requirements when applicable.

Key challenges for IoT businesses in Indonesia include complying with personal data protection obligations and meeting mandatory certification requirements for IoT devices that use telecommunications, wireless, or radio‑frequency functions.

Personal data processing is regulated under the PDP Law, which requires businesses to ensure lawful processing, obtain consent where necessary, follow rules on cross‑border data transfers, and appoint a data protection officer.

In addition, IoT devices must be tested and certified under MOCI Regulation 3 of 2024 on the Certification of Telecommunications Equipment and/or Telecommunications Devices (“MOCI Reg. 3/2024”) before they can be distributed or used. This certification process requires importers, manufacturers, distributors, and brand owners or licensees to demonstrate that their devices comply with the relevant technical standards for each device type and technology.

As IoT technology continues to evolve, businesses should also remain alert to further regulatory developments.

Key Requirements for Data Sharing

Under the PDP Law, cross‑border transfers of personal data by a data controller must follow a sequential assessment process. Transfers may proceed based on:

• Adequacy of protection – when the recipient country provides a level of personal data protection equal to or higher than that required under the PDP Law.
• Appropriate safeguards – such as binding contractual arrangements or internal policies that ensure sufficient data protection.
• Data subject consent – where neither adequacy nor appropriate safeguards are available.

These requirements apply whenever IoT data sharing involves personal data.

Scope of Application

There are no quantitative thresholds. Data‑sharing obligations apply to all entities engaged in IoT‑related data processing – including device manufacturers, platform providers, connectivity providers, and service operators – whether domestic or foreign. Applicability depends on their role as data controllers or processors and on the nature of the data being shared.

Heightened Requirements and Sector‑Specific Rules

The processing of certain categories of personal data – including health, biometric, genetic, criminal records, children’s data, and other sensitive data – is subject to additional obligations, such as the need to conduct a data protection impact assessment. Sector‑specific requirements also apply.

• Financial services – consumer consent is generally required before data can be shared.
• Healthcare – personal health data is protected under Law No. 17 of 2023 on Health and MOH Regulation 24/2022. Disclosure of such data is typically permitted only at the patient’s request.

The regulatory requirements for audiovisual media services and video‑sharing platform services in Indonesia differ depending on whether the provider operates as a broadcasting company or as an internet‑based video‑sharing or streaming platform. The key distinction is whether the service qualifies as broadcasting under Indonesian law or as an Electronic System Provider (ESP) offering on‑demand or user‑generated content.

Broadcasting Companies

Audiovisual media services that fall within the scope of broadcasting are regulated under Law No. 32 of 2002 on Broadcasting, as amended by Law No. 6 of 2023 on Job Creation (“Broadcasting Law”). Broadcasting is defined as the transmission of content through broadcasting and/or transmission facilities using the radio frequency spectrum via air, cable, and/or other media, to be received simultaneously by the public using broadcast‑receiving devices. This definition covers both free‑to‑air and subscription‑based broadcasting services.

Broadcasting companies must obtain a Broadcasting Operation Licence from the Ministry of Communication and Digital Affairs (MOCDA). The licensing process requires submitting an online application through the MOCDA system and paying the applicable regulatory fees.

Video‑Sharing and Streaming Platform Services

In contrast, providers of internet‑based video‑sharing or streaming services fall under the category of Over‑the‑Top (OTT) services and ESPs, which are also supervised by the MOCDA. OTT services refer to media or content delivered directly via the internet without traditional cable or satellite television intermediaries.

These platforms must register as ESPs through the Online Single Submission (OSS) system, which is free of charge. Unlike broadcasting companies, OTT platforms are not required to obtain broadcasting licences. However, they must comply with ESP registration obligations and, where relevant, obtain an e‑commerce business licence.

Content compliance is a key regulatory issue for video‑sharing platforms. Under the EIT Law, Government Regulation No. 71/2019, and MOCI Regulation No. 5 of 2020, ESPs are required to ensure their platforms do not host or distribute Prohibited Content and must comply with takedown orders issued by the MOCDA. If services are delivered through telecommunications networks, the MOCDA may co-ordinate with network operators to block access to platforms that fail to comply.

To strengthen enforcement, the MOCDA has adopted mechanisms that allow the imposition of administrative monetary sanctions for non‑compliance with takedown directives. These fines are determined based on factors such as business scale, the type and severity of the Prohibited Content, the level of harm, and the platform’s compliance history.

The telecommunications industry in Indonesia is governed by the following regulations.

• Law No. 36 of 1999 on Telecommunications, as amended by Law No. 6 of 2023 on Job Creation (“Telecommunications Law”).
• GR No. 52 of 2000 on the Operation of Telecommunications (“GR 52/2000”).
• GR No. 46 of 2021 on Post, Telecommunications, and Broadcasting (“GR 46/2021”).
• MOCI Regulation No. 01/PER/M.KOMINFO/01/2010 on the Operation of Telecommunications Networks, as last amended by MOCI Regulation No. 5 of 2021.
• MOCI Regulation No. 13 of 2019 on the Operation of Telecommunications Services, as last amended by MOCI Regulation No. 14 of 2021.
• MOCI Regulation No. 5 of 2021 on the Operation of Telecommunications (“MOCI Reg. 5/2021”).
• MOCDA Regulation No. 14 of 2025 on Special Telecommunications for Personal Use.

Under the Telecommunications Law, telecommunications is defined as the transmission, delivery, and/or receipt of information – such as signs, signals, text, images, sounds, or data – via wire, optical, radio, or other electromagnetic systems.

The Telecommunications Law distinguishes between the following.

• telecommunications networks, encompassing fixed and mobile network infrastructure, including cellular, satellite, and terrestrial networks;
• telecommunications services, which enable telecommunications activities, including basic telephony, data communication, internet access, and other multimedia services; and
• special telecommunications services, used for specific purposes such as broadcasting, navigation, aviation, emergency communications, amateur radio, and services operated by certain government or private entities.

The regulatory framework increasingly addresses OTT services, recognising them as functional alternatives to traditional telecommunications services.

The operation of telecommunications services may only be conducted by licensed Indonesian legal entities. Companies must obtain the relevant licence – network, service, or special telecommunications – before offering services or deploying products in Indonesia, and must comply with sector‑specific regulatory requirements.

Where the radio frequency spectrum is used, businesses must obtain appropriate licences under MOCI Regulation No. 7 of 2021 on the Use of the Radio Frequency Spectrum, namely:

• a radio frequency band licence (IPFR);
• a radio station licence (ISR); or
• a class licence for certified telecommunications equipment.

The government also permits spectrum‑sharing arrangements between licensed operators, subject to contractual agreements.

Telecommunications equipment and devices that are manufactured, assembled, or imported for use or distribution in Indonesia must undergo testing and certification to demonstrate compliance with technical standards under MOCI Regulation No. 3 of 2024.

For OTT service providers, GR 46/2021 defines OTT services as internet‑based services that act as substitutes for telecommunications services or that provide audiovisual or other digital content. OTT providers that meet the “significant presence” threshold – based on traffic volume or active users – are required under MOCI Reg. 5/2021 to co-operate with local telecommunications operators. Although the regulation does not specify sanctions for non‑compliance, telecommunications operators are authorised to apply traffic management measures, including bandwidth throttling.

Security Requirements for Telecommunications Services

While Indonesian telecommunications regulations do not provide a standalone set of technical security standards, operators are subject to security obligations derived from licensing and operational requirements. These include ensuring network reliability, service continuity, protection against interference, and proper management of radio frequency spectrum.

In practice, telecommunications operators must also comply with broader obligations under Indonesia’s electronic systems and data protection regime, which include cybersecurity safeguards, user data protection, incident response procedures, and co-operation with lawful government requests.

These requirements have become increasingly important as telecommunications infrastructure underpins digital services, OTT platforms, IoT deployments, and the rollout of next‑generation technologies such as 5G.

Indonesia does not yet have explicit or standalone regulations on net neutrality. However, MOCI Reg. 5/2021 incorporates principles that broadly align with net neutrality in the context of co-operation between internet‑based service providers and licensed telecommunications operators.

Under this regulation, domestic and foreign internet‑based business actors serving users in Indonesia must co-operate with telecommunications network and/or service providers on a fair, reasonable, and non‑discriminatory basis, while maintaining service quality in accordance with applicable laws. The covered internet‑based activities include telecommunications service substitutes, audio and/or visual content platforms, broadcasting programme substitutes, and other services as designated by the MOCDA.

Although the regulation does not expressly mandate net neutrality, it imposes non‑discrimination and service‑quality obligations that indirectly restrict discriminatory treatment in network access and interconnection. In practice, the absence of a dedicated net neutrality framework gives operators some flexibility, but they remain subject to these principles as well as general competition law, which can be used to address anti‑competitive behaviour.

Emerging technologies such as 5G, IoT, and AI are reshaping Indonesia’s telecommunications landscape, even as regulation continues to lag behind their development. The sector remains highly regulated in areas including licensing, spectrum allocation, data governance, and network operations. In contrast, newer technologies are still largely governed under existing frameworks such as the EIT Law and the PDP Law. Indonesia currently has no comprehensive AI‑specific regulation, although early policy direction can be seen in non‑binding instruments such as MOCI Circular Letter 9/2023 on AI ethics.

Technologies that rely heavily on physical infrastructure – such as 5G – are subject to more direct regulation, including through spectrum allocation requirements under MOCI Decree No. 352 of 2024 on Technical Standards for Telecommunications Equipment and/or Cellular Mobile Telecommunications Devices based on Long-term Evolution (LTE) Technology Standards and International Mobile Telecommunications 2020 standards. Meanwhile, emerging services such as satellite‑based direct‑to‑cell connectivity are still undergoing regulatory assessment.

TMT companies deploying these technologies should prioritise compliance with data protection and cybersecurity obligations under the PDP Law, as well as telecommunications licensing, spectrum management, and equipment certification requirements where relevant. Companies utilising AI should also closely monitor ongoing regulatory developments, as more targeted rules are expected. A proactive and flexible compliance strategy is therefore essential as Indonesia’s regulatory framework continues to evolve.

One of Indonesia’s key challenges is that regulations governing emerging technologies are still in the early stages of development. This creates a degree of flexibility but also results in legal uncertainty, particularly for technologies such as AI and new digital business models. Companies must therefore closely monitor regulatory updates, as the government has signalled plans to issue further rules in these areas. In addition, certain innovative business models are not yet clearly addressed under existing laws, meaning a careful legal assessment is needed before implementation.

Key Features of the Local Legal Framework

Indonesia generally applies the principle of freedom of contract. However, several mandatory requirements must still be observed, including:

Data protection and data governance

Technology-related agreements involving personal data must comply with the PDP Law, which covers lawful processing, cross‑border data transfers, and clear allocation of responsibilities between parties. A forthcoming implementing regulation is expected to introduce mandatory minimum clauses for personal data processing agreements, which companies will need to adopt once in effect.

Data localisation

Under GR 71/2019, Indonesia generally permits offshore data storage, provided authorities can access the data for supervision and law enforcement purposes. However, certain sectors may still require local data centres – particularly organisations regulated by the OJK and the Ministry of Health.

Indonesian language requirement

Contracts involving Indonesian individuals or legal entities must be executed in the Indonesian language, in accordance with Law No. 24 of 2009 on the National Flag, Language, Coat of Arms, and Anthem. Bilingual versions are permissible.

Governing law restrictions for electronic transactions

Under the EIT Law, standard‑form electronic contracts used by electronic system operators in international transactions involving Indonesian users must be governed by Indonesian law.

Sector‑Specific Restrictions

Highly regulated sectors face additional requirements. Financial institutions supervised by the OJK and/or Bank Indonesia may need to notify or obtain approval before entering into technology agreements and may also be subject to stricter data localisation rules. The healthcare sector likewise imposes heightened obligations regarding data confidentiality and localisation, with exemptions available only upon regulatory approval.

Service Level Agreements (SLAs)

In telecommunications, SLAs must comply with MOCI Regulation 5/2021, which requires all telecommunications network and service providers to meet established service quality standards. When determining and applying these standards, providers must consider:

• the promotion of fair and healthy competition;
• improvements in service performance and quality; and
• the protection of consumer interests.

When drafting telecommunications agreements, parties commonly refer to key implementing regulations issued by the MOCDA, including:

• Director General of Post and Information (DGPI) Regulation No. 1 of 2021 on the Technical Implementation of Telecommunications Services, as amended by DGPI Regulation No. 1 of 2023; and
• DGPI Regulation No. 7 of 2024 on Telecommunications Network Service Quality Standards.

Interconnection Agreements

Interconnection arrangements in the telecommunications sector are primarily governed by Government Regulation No. 52/2000 and further regulated under MOCI Regulation 5/2021. Interconnection refers to the linkage between telecommunications networks operated by different providers, and must be formalised through a written interconnection agreement.

Under MOCI Regulation 5/2021, telecommunications network providers are required to prepare an Interconnection Offer Document (Dokumen Penawaran Interkoneksi or DPI). The DPI must list all available interconnection services – both standard and optional – and include detailed technical and operational information such as call scenarios, points of interconnection, charging areas, numbering arrangements, and applicable interconnection fees. These fees typically comprise origination, transit, and termination charges.

A well‑structured interconnection agreement generally addresses key commercial and technical components, including service scope and performance standards, capacity planning and traffic forecasting, information‑sharing and confidentiality, calling line identification, interoperability, fraud prevention, and billing and payment processes. These provisions are usually supported by detailed technical and operational documentation, such as network design materials, operational procedures, billing and settlement frameworks, and service catalogues.

Trust Services

Under Indonesian law, trust services are regulated and supervised by licensed Certification Authorities (CAs). The EIT Law authorises CAs to provide a range of trust services, including electronic signatures (“e‑signatures”), electronic seals, electronic time stamps, registered electronic delivery services, website authentication, and digital identity services. Collectively, these services form part of Indonesia’s digital trust infrastructure.

The regulatory framework established by the EIT Law and further implemented through MOCI Regulation No. 11 of 2022 on Electronic Certification Governance (“MOCI Reg. 11/2022”) includes a localisation requirement. Any CA offering electronic certification or trust services within Indonesia must be an Indonesian legal entity domiciled in Indonesia, unless the specific trust service is not yet available from domestic providers.

E‑Signatures

E‑signatures are legally recognised and enforceable in Indonesia, provided they meet certain statutory requirements set out in MOCI Reg. 11/2022. These include:

• the e‑signature creation data is uniquely linked to the signatory;
• the creation data is under the signatory’s sole control at the time of signing;
• any alteration to the e‑signature after signing can be detected;
• any alteration to the associated electronic information after signing can be detected;
• there is a reliable method to identify the signatory; and
• there is a reliable method to indicate the signatory’s approval of the electronic information.

MOCI Reg. 11/2022 differentiates between certified and uncertified e‑signatures. A certified e‑signature must satisfy the above requirements, be supported by an electronic certificate issued by a licensed local electronic certification provider (Penyelenggara Sertifikasi Elektronik or PSrE), and be generated using a certified signature creation device. These devices – whether software‑based or hardware‑based – must comply with SNI ISO/IEC 15408, SNI ISO/IEC 18045, and other technical standards issued by the Ministry of Communication and Digital Affairs (MOCDA). Several certification authorities are currently registered with the MOCDA.

Uncertified e‑signatures, by contrast, are created without the involvement of a PSrE and do not rely on certified signature creation devices.

Liability and Applicable Law

There are no detailed or standalone regulations governing liability, insurance, intellectual property, or jurisdiction specifically for trust services and e‑signatures. Instead, general legal principles apply. Providers of trust services and e‑signatures may face administrative, civil, or criminal liability for violations of the EIT Law and its implementing regulations.

Where personal data is processed, the PDP Law applies, requiring lawful processing and the implementation of adequate security measures. Intellectual property rights relating to the software and technology used in trust services are protected under general IP laws. As a general principle, Indonesian law applies to trust services that are provided in or directed to Indonesia.

The gaming industry in Indonesia is primarily governed by several key regulations:

• MOCDA Regulation No. 2 of 2024 on Game Classification (“MOCDA Reg. 2/2024”);
• EIT Law;
• GR 71/2019; and
• MOCI Reg. 5/2020.

Additionally, Presidential Regulation No. 19 of 2024 on the Acceleration of the Development of the National Gaming Industry (“PR 19/2024”) demonstrates the government’s policy commitment to strengthening the sector. Although it does not impose direct operational obligations on publishers or developers, it establishes the National Game Industry Acceleration Team and provides strategic direction, signalling increased regulatory attention and institutional co-ordination.

Key Legal Challenges in the Gaming Industry

The Indonesian government has increasingly treated gaming as a strategic component of the digital economy, as reinforced by PR 19/2024. Despite this supportive policy framework, the industry faces several significant legal challenges, including:

• navigating mandatory game classification requirements;
• managing uncertainty around emerging monetisation models; and
• addressing compliance risks related to online and user‑generated content.

One of the most critical issues is the widespread problem of illegal online gambling. Certain online games may contain or be misused to include elements that resemble gambling. To mitigate this risk, the MOCDA requires all Electronic System Providers (ESPs) – including game publishers and platforms – to sign an integrity pact committing to prevent, detect, and combat illegal online gambling.

In‑Game Purchases, Loot Boxes, and Gambling‑Related Elements

Indonesian regulations do not specifically regulate loot boxes or in‑game purchases as standalone features. However, MOCDA Reg. 2/2024 expressly prohibits games that are purely based on chance or gambling, particularly when involving:

• legal payment instruments;
• electronic money;
• foreign currency; or
• digital assets that can be traded, converted, or cashed out.

Accordingly, monetisation systems must be carefully designed to avoid being categorised as gambling. Game operators must also comply with broader prohibitions under the EIT Law and GR 71/2019 regarding unlawful or harmful content.

Age Ratings and Content Restrictions

MOCDA Reg. 2/2024 introduces the Indonesia Game Rating System (IGRS), which classifies games into five age categories: 3+, 7+, 13+, 15+, and 18+.

Ratings are determined based on a range of content elements, including:

• tobacco or electronic cigarettes;
• alcohol, narcotics, and other addictive substances;
• violence, blood, mutilation, and cannibalism;
• language use and character appearance;
• pornography;
• gambling simulations or activities;
• horror content; and
• online interactions.

Certain categories may require parental supervision or guidance.

Game publishers and developers must conduct self‑assessments via the official IGRS portal by submitting game descriptions, gameplay clips, and responses to classification questionnaires. These submissions are reviewed by Game Classification Examiners appointed by the MOCDA, who then issue conformity assessments. A two‑year transition period applies, which ends in January 2026.

The MOCDA is the primary regulator overseeing Indonesia’s gaming industry. Under MOCDA Regulation 2/2024, the agency holds broad supervisory and enforcement powers, including monitoring, control, inspection, investigation, and security measures related to game classification. These supervisory powers apply both to game publishers performing self‑assessments and to classification examiners conducting conformity testing.

The MOCDA is authorised to:

• revoke a game classification if a self‑assessment is found to be non‑compliant;
• impose administrative sanctions, such as written warnings, temporary suspensions, and access blocking; and
• block access to games if publishers fail to complete required self‑assessments, advertise unclassified games, or do not reclassify games when instructed.

In addition, under the EIT Law and MOCI Regulation No. 7 of 2016 on Administration of Investigations and Enforcement of Criminal Acts in the Field of Information Technology and Electronic Transactions, civil servant investigators are empowered to investigate criminal offences in this field. Their powers include directing electronic system operators to temporarily terminate access to platforms, social media accounts, bank accounts, electronic money, and digital assets associated with unlawful activities.

Enforcement activity has been especially vigorous in relation to illegal online gambling, including gambling features embedded within online games. According to an MOCDA press release, between October 2024 and April 2025, authorities handled and took action against approximately 1,192,000 online gambling sites.

Common IP Challenges Faced by Game Developers

Game developers in Indonesia encounter several recurring intellectual property (IP) challenges.

• Indonesia’s first‑to‑file trade mark system exposes developers to the risk of bad‑faith registrations if game titles, characters, or branding are not secured early. This vulnerability is heightened by the rapid development and release cycles typical of the gaming industry.
• Piracy and unauthorised distribution remain widespread, including cloned APKs, modified game files, and illegal downloads made available through third‑party platforms outside official channels. These activities not only harm developers’ commercial interests but also often fall outside the scope of the formal game classification regime.
• Enforcement difficulties persist due to limited public awareness of IP rights and the fact that copyright registration, while beneficial, is not mandatory. The absence of registration can weaken deterrence and complicate enforcement strategies.

Creators’ Rights in Virtual Environments

Under Indonesian law, creators automatically obtain copyright protection once an original work – such as a video game or digital asset – is created. Rights holders may enforce their copyrights through civil actions, administrative remedies before the Directorate General of Intellectual Property (DGIP), or criminal complaints, noting that copyright infringement is a complaint‑based offence. These enforcement mechanisms allow creators to pursue injunctions, damages, or sanctions against infringers operating within digital or virtual environments.

Key Copyright Considerations for Digital and Virtual Assets

Video games and their components – including software, graphics, music, characters, and virtual assets – are protected under Indonesia’s Copyright Law. Although registration is not mandatory, registering with the DGIP is strongly recommended to strengthen evidentiary value. Important considerations include ensuring originality, clearly defining ownership in collaborative projects, and allocating rights appropriately in development, publishing, and distribution agreements so that both moral and economic rights are protected.

Application of Trade Mark Law to Virtual Goods and Services

Indonesia’s Law No. 20 of 2016 on Trade marks and Geographical Indications, as amended by Law No. 6 of 2023 on Job Creation, protects game‑related identifiers such as titles, logos, character names, and branding used in connection with goods and services – including those offered digitally or virtually. In a first‑to‑file system, early registration is essential to prevent third‑party claims and support enforcement against unauthorised use in both physical and digital marketplaces.

User‑Generated Content (UGC) and IP Rights

Ownership of IP rights in UGC generally rests with the individual creator, as copyright automatically vests in the author unless otherwise agreed. Platforms typically secure usage rights through licensing provisions in their terms of service. Where content is created at a platform’s direction – such as commissioned or “made‑to‑order” materials – the parties may agree that IP rights transfer to the platform.

Following Constitutional Court Decision No. 84/PUU‑XXI/2023 (29 February 2024), marketplace operators and UGC platforms are expressly prohibited from allowing the sale, display, or reproduction of infringing content. Violations may result in administrative sanctions and fines of up to IDR100 million.

In Indonesia, social media platforms are governed under a broad digital regulatory framework that covers content control, state oversight of electronic information, data protection, and child safety. Although there is no dedicated social media law, several key regulations form the core governance structure.

EIT Law

The EIT Law is the primary legal foundation for electronic information and transactions. It applies to social media platforms as electronic system providers (ESPs) and regulates online conduct, prohibited content, and platform liability.

PDP Law

The PDP Law sets out the rights of personal data subjects and the responsibilities of data controllers and processors. It requires lawful processing, transparency, accountability, and strong security measures. Social media platforms must safeguard personal data from unauthorised access, disclosure, and misuse – including in data‑monetisation activities.

Government Regulation (GR) 71/2019

GR 71/2019 outlines operational obligations and accountability requirements for ESPs operating in Indonesia. These include ensuring system reliability, maintaining data integrity, and complying with applicable laws.

MOCI Regulation 5/2020

This regulation imposes proactive content‑moderation duties on platforms, including monitoring user‑generated content and responding promptly to takedown orders issued by the Ministry of Communication and Digital Affairs (MOCDA). Non-compliance may result in sanctions such as fines or access blocking.

GR 17/2025

This regulation introduces enhanced obligations for ESPs whose services are designed for, or accessible to, children. Requirements include age‑based access controls, parental‑consent mechanisms, and strengthened personal‑data protections.

There is currently no industry‑specific code of conduct for social media platforms in Indonesia; compliance is driven primarily by statutory obligations and regulatory enforcement.

Key Legal Challenges for Social Media Platforms

The regulatory landscape creates several operational challenges for both global and local social media providers. These include compliance with content‑moderation duties, personal‑data processing rules, data‑monetisation practices, cybersecurity standards, and child‑protection requirements. Enforcement is active, and sanctions can include monetary penalties and even termination of platform access.

Data‑monetisation models must be aligned with consent and transparency requirements under the PDP Law. Content‑governance obligations require continuous monitoring and rapid responses to regulatory directives. The threat of access blocking remains a significant enforcement tool.

The rapid growth of social commerce adds further complexity. While social platforms increasingly facilitate commercial interactions, regulators aim to maintain clear boundaries between social media and e‑commerce. Under MOT Regulation 31/2023, social commerce is recognised as enabling transactions within social media environments. However, the regulation prohibits these platforms from facilitating payment transactions or acting as sellers or producers of goods.

Age‑Based Restrictions and Child Protection

GR 17/2025 is one of the most impactful new regulations for social media platforms. Although it does not explicitly define “social media”, it applies to any ESP whose products, services, or features are designed for – or accessible to – children.

The regulation requires implementation of minimum age classifications (3–5, 6–9, 10–12, 13–15, and 16–17 years), based on the risk level of exposure to harmful content such as violence or pornography.

It also establishes strict parental‑consent requirements.

For users under 17, access must be suspended for up to 24 hours while parental or guardian approval is sought. Access must be denied if consent is not obtained.

For users aged 17, provisional access may be granted, but parents or guardians have six hours to object. If consent is withheld, the ESP must immediately revoke access and delete all related personal data.

In Indonesia, social media oversight is primarily carried out by the MOCDA, which is authorised to identify unlawful online content and issue takedown orders requiring platforms to remove such content within strict deadlines. These takedown requests may stem from public reports, other government bodies, law enforcement agencies, or court rulings. Enforcement efforts are supported by civil servant investigators who are empowered to examine electronic information and transaction offences and to collaborate with law enforcement authorities.

A practical example of social media enforcement in Indonesia can be seen in the MOCDA’s ongoing actions to remove or block content that violates prevailing laws and regulations. According to public statements, between October 2024 and April 2025, the MOCDA handled approximately 127,000 items of prohibited content across social media platforms.

The primary data‑privacy framework for the telecommunications sector is the PDP Law, which applies both domestically and extraterritorially. It establishes the core rules on lawful processing, security, transparency, and data‑subject rights. Telecommunications providers are also regulated under the electronic systems framework in GR 71/2019. Under this regime, Public ESPs are generally required to manage, process, and store electronic systems and data within Indonesia, whereas Private ESPs may store and process data either in Indonesia or offshore. Although there is no telecom‑specific privacy code of conduct, operators must align their privacy compliance with broader licensing and operational requirements under telecommunications and electronic‑system regulations.

Telecom operators commonly face challenges in obtaining and managing valid consent without disrupting service delivery, applying data‑minimisation principles amid large‑scale network and usage‑data collection, and enabling data‑subject rights where information is distributed across various systems, vendors, and legacy infrastructure. These issues are intensified by heightened cybersecurity risks due to the sensitivity and volume of customer and traffic‑related data.

Under GR 71/2019, Public ESPs are subject to data‑localisation requirements, while Private ESPs may process and store data offshore. For any cross‑border transfer of personal data, providers must follow the PDP Law’s sequential requirements as described in 4.3 Data Sharing: assessing adequacy, applying appropriate safeguards, and obtaining data‑subject consent where needed.

Lawful Interception and Privacy

Telecommunications providers must maintain the confidentiality of customer communications. Interception is allowed only in limited, strictly regulated circumstances, primarily for law‑enforcement purposes. Such interception may occur solely in response to a formal request from authorised agencies, such as the attorney general, the chief of the Indonesian National Police for specific criminal offences, or authorised investigators. Providers must therefore ensure that lawful interception is grounded in a clear legal basis, supported by strict access controls, robust security measures, and proper audit trails to prevent misuse and maintain compliance with privacy obligations.

Third‑Party Vendors and Cloud Providers

Third‑party vendors and cloud providers typically act as data processors, or in some situations as data controllers, depending on the arrangement. Telecom providers must clearly define roles and responsibilities contractually, impose security and confidentiality obligations, manage sub‑processing, and ensure that vendors support incident‑response activities and the fulfilment of data‑subject rights.

Impact of Evolving Privacy Rules on Infrastructure and Innovation

As implementation of the PDP Law progresses, telecom operators should expect increasing expectations around governance, accountability, privacy‑by‑design, and tighter vendor oversight. These developments may raise compliance‑related costs and potentially slow deployment unless privacy requirements are integrated early into network architecture, data analytics, and service innovation – including 5G, IoT connectivity, and AI‑driven operations.

The primary legal and operational challenges for digital media providers in Indonesia stem from strict accountability requirements relating to data protection and cybersecurity. Electronic System Providers (ESPs) must ensure their systems are operated reliably and securely, and implement safeguards to prevent unlawful access, disclosure, alteration, misuse, loss, or destruction of personal data. A key legal risk is the mandatory data breach notification obligation under the PDP Law, which requires data controllers to notify affected data subjects and the relevant authority within 3 × 24 hours of becoming aware of a breach.

Implementation of Privacy‑by‑Design and Security‑by‑Design Principles

Privacy‑by‑design and security‑by‑design obligations are increasingly embedded in regulatory requirements governing platform design and operation.

Security‑by‑design is reflected in obligations under GR 71/2019, which require ESPs to implement robust technical and organisational measures. These include system reliability standards, risk management processes, audit trails, and security controls such as firewalls, intrusion detection and prevention systems, and comprehensive information security governance frameworks.

Privacy‑by‑design is emphasised in GR 17/2025, particularly for services accessible to children. The regulation requires high‑privacy default settings that limit data collection to what is strictly necessary. ESPs must also conduct data protection impact assessments for high‑risk processing activities, including large‑scale processing, the use of new technologies, and the processing of children’s or other sensitive categories of personal data.

Challenges From Third‑Party Data Sharing

Significant challenges arise in relation to third‑party data sharing, particularly with advertisers, analytics providers, and other partners. Providers must ensure compliance throughout the entire data life cycle, while also observing specific restrictions on data monetisation practices involving minors.

Emerging Cybersecurity Regulations Affecting Digital Media Platforms

New and evolving regulations – including the PDP Law and GR 17/2025 – are raising the compliance threshold for digital media platforms by strengthening requirements around governance, technical integrity, incident response, and accountability. These rules require platforms to integrate privacy and security considerations directly into system architecture, product development processes, and contractual arrangements with third‑party service providers.

In addition, the government is finalising the Draft Law on Cybersecurity and Cyber Resilience, with the latest version issued in 2025. The bill aims to enhance legal certainty and strengthen national cyber resilience. It is expected to introduce broader obligations for relevant entities, including requirements for cybersecurity frameworks, protection standards for information infrastructure, incident reporting obligations, and both administrative and criminal sanctions for non‑compliance. Once enacted, this legislation is likely to further elevate compliance expectations for digital media platforms, particularly in relation to cybersecurity governance, preparedness, and risk allocation in contracts with technology vendors and service providers.