Regulation tracker
Indonesia cybersecurity regulations: one tracker for every major rule
In short
One table of Indonesia's cybersecurity regulations: UU PDP, POJK 11/2022, POJK 34/2025, PBI 2/2024, Perpres 82/2022, who must comply, and key deadlines.
Indonesia does not have a single cybersecurity law. It has a stack of them: a data protection statute that applies to almost every organisation, sector rules from OJK and Bank Indonesia for financial institutions, a presidential regulation for critical infrastructure, and BSSN instruments that bind electronic system operators when an incident escalates. Each was issued by a different regulator, on a different timeline, with different reporting deadlines. Most summaries of this stack live in legal PDFs that go stale within a year.
This page is the working alternative: every major regulation, who it applies to, the core obligations, and the dates that matter, in one place. It is reviewed quarterly and was last reviewed in July 2026.
The master table
| Regulation | Regulator | Who must comply | Core obligations | Key dates and status |
|---|---|---|---|---|
| UU PDP (Law 27/2022) | Komdigi (interim), Lembaga PDP pending | All personal data controllers and processors, public and private | Lawful basis and consent, data subject rights, DPO where Article 53 triggers apply, breach notice in 3x24 hours, sanctions up to 2% of annual revenue | Enacted 17 Oct 2022, fully enforceable since 17 Oct 2024; implementing regulation and supervisory agency still pending |
| PP 71/2019 | Kominfo (now Komdigi) | All electronic system operators (PSE), public and private | PSE registration, system reliability and security, personal data handling, notice to users when protection fails | In force since Oct 2019 |
| POJK 11/POJK.03/2022 | OJK | Commercial banks, conventional and sharia | IT governance and risk management, onshore data placement rules, OJK approval for certain offshore processing, incident notice in 24 hours and report in 5 working days | In force; replaced POJK 38/2016 |
| SEOJK 29/SEOJK.03/2022 | OJK | Commercial banks | Independent cyber unit or function, annual inherent-risk and maturity assessment, security testing including penetration testing with results to OJK | In force since 27 Dec 2022 |
| POJK 34/2025 | OJK | BPR and BPRS | IT governance, IT risk management, data centre and disaster recovery centre in Indonesia, cyber resilience, incident notice in 24 hours and report in 7 working days | Promulgated 17 Dec 2025; applies from 18 Dec 2026 |
| PBI 2/2024 | Bank Indonesia | Payment system operators (PJP and PIP), money market and FX market players, other BI-regulated parties | Cyber governance, prevention and handling of cyber risk, monitoring and threat analysis, incident reporting to BI | In force since 22 Apr 2024 |
| Perpres 82/2022 | BSSN (coordinator) with sector ministries | Operators of vital information infrastructure (IIV) in 8 strategic sectors | Identify IIV at least annually, apply risk-based protection, report incidents to BSSN | In force since 2022; no single deadline, obligations are ongoing |
| BSSN Regulation 2/2024 | BSSN | BSSN, state institutions, and electronic system operators during escalation | National cyber crisis contingency plan and simulations; PSE must act on crisis early warnings and report follow-up every 2 hours | In force since 18 Jan 2024 |
The sections below walk through each regulation. Where we maintain a deeper page, the link takes you there.
UU PDP (Law 27/2022): personal data protection
UU PDP is the closest thing Indonesia has to a general cybersecurity obligation, because it applies to any organisation that processes personal data, regardless of sector or size. It was enacted on 17 October 2022 with a two-year transition, so all provisions have been enforceable since October 2024.
The obligations with the sharpest edges are the 3x24 hour written breach notification to affected data subjects and the supervisory authority under Article 46, the duty to appoint a data protection officer when any of the Article 53 triggers applies, and the sanctions regime: administrative fines up to 2% of annual revenue tied to the violation, plus criminal provisions carrying up to 6 years imprisonment and fines up to IDR 6 billion.
One thing has not changed as of July 2026: the implementing government regulation has not been enacted and the dedicated supervisory agency, the Lembaga PDP, is still being established, with interim supervision under Komdigi. The law is enforceable anyway. Start with our UU PDP compliance guide, the breakdown of penalties and business risk, or the explainer on when a DPO is mandatory.
PP 71/2019: the baseline for every electronic system
Government Regulation 71/2019 predates UU PDP and covers the operation of electronic systems and transactions. Every electronic system operator, called a PSE, falls under it: government systems and private ones alike. It requires PSE registration, reliable and secure system operation, orderly personal data handling, and notification to users when data protection fails.
In practice PP 71/2019 works as the plumbing underneath the newer rules. Its definitions of electronic systems and operators are reused across sector regulations, and its registration requirement is how the government knows who runs what. If your organisation runs any online service for the Indonesian public, assume it applies.
POJK 11/2022 and SEOJK 29/2022: commercial banks
POJK 11/POJK.03/2022 governs how commercial banks implement information technology, replacing POJK 38/2016. It sets board-level accountability for IT risk, rules on data placement in Indonesia with OJK approval needed before certain data or systems move offshore, and incident reporting: an initial notice to OJK within 24 hours and a full report within 5 working days.
SEOJK 29/SEOJK.03/2022 carries the cyber detail. Banks must stand up a cyber resilience and security unit or function that is independent from IT operations, assess their inherent cyber risk and cyber maturity level annually against the end-of-December position, and run security testing that includes penetration testing and scenario-based exercises, with results submitted to OJK. Cloud use is treated as IT outsourcing under the same framework, which we cover in cloud compliance for Indonesian banks and in our guide to OJK cybersecurity requirements.
POJK 34/2025: BPR and BPRS
POJK 34/2025 extends a similar discipline to Bank Perekonomian Rakyat and their sharia counterparts. It covers IT governance, IT risk management including information security, placement of data centres and disaster recovery centres in Indonesia, IT architecture for banks offering digital services, and cyber resilience. Incident reporting follows the pattern of the commercial bank rules: initial notification to OJK within 24 hours and an incident report within 7 working days.
The regulation was promulgated on 17 December 2025 and its provisions apply one year later, from 18 December 2026. For most BPR that window is needed in full, because the changes touch policy, vendor contracts, and infrastructure. Our POJK 34/2025 compliance page for BPR and BPRS breaks the obligations down.
PBI 2/2024: parties regulated by Bank Indonesia
PBI 2/2024 is Bank Indonesia's regulation on information system security and cyber resilience. Its scope is wider than payments alone: it covers payment service providers (PJP) and payment infrastructure operators (PIP), money market and foreign exchange market players, and other parties BI regulates and supervises. It has applied since 22 April 2024.
The regulation is built around four blocks: governance, prevention, incident handling, and supervision with collaboration. For operators, the practical mandates are continuous monitoring, threat and malware analysis, periodic testing of detection capability, and cyber incident reporting to Bank Indonesia. See our page on PBI 2/2024 compliance for payment operators for the payments view.
Perpres 82/2022: vital information infrastructure
Presidential Regulation 82/2022 establishes protection for vital information infrastructure (Infrastruktur Informasi Vital, IIV) across 8 strategic sectors: government administration, energy and mineral resources, transportation, finance, health, information and communications technology, food, and defence. BSSN coordinates the framework and each sector has a supervisory ministry or authority.
Operators of designated IIV must identify their vital infrastructure at least once a year, apply protection proportionate to risk, and report cyber incidents to BSSN. There is no single compliance deadline; the obligations run continuously. Our page on security assessments under Perpres 82/2022 covers the OT and IT assessment side.
BSSN Regulation 2/2024: cyber crisis management
BSSN Regulation 2/2024 implements Presidential Regulation 47/2023 on the national cybersecurity strategy and cyber crisis management. It defines how Indonesia prepares for and runs a cyber crisis: BSSN drafts and maintains a national cyber crisis contingency plan with state institutions, simulates it at least once every two years, and evaluates it annually. A cyber crisis status is declared by the President on the proposal of the head of BSSN.
Private organisations are not bystanders here. When the national incident response team issues a cyber crisis early warning, electronic system operators are required to act on it and to report their follow-up every two hours until the situation is resolved. The regulation has been in force since 18 January 2024.
Incident reporting deadlines at a glance
Reporting clocks are where these regulations collide in practice, because one incident can trigger several of them at once. A ransomware event at a bank that exposes customer data starts the OJK clock and the UU PDP clock on the same day.
| Regulation | Deadline | Report to |
|---|---|---|
| UU PDP Art 46 | Written breach notice within 3x24 hours | Data subjects and authority |
| POJK 11/2022 | Notice within 24 hours, report within 5 working days | OJK |
| POJK 34/2025 | Notice within 24 hours, report within 7 working days | OJK |
| PBI 2/2024 | Incident reporting per BI procedure | Bank Indonesia |
| Perpres 82/2022 | Incident reporting for IIV operators | BSSN |
Keeping this page current
Regulations in this space move: POJK 34/2025 arrived in December 2025, and the UU PDP implementing regulation and supervisory agency can land at any time. We review this tracker quarterly and update it when a rule is issued, amended, or takes effect. Last reviewed: July 2026. If you spot a change we have not caught yet, tell us and we will verify it against the primary source.
If you need to turn this map into a plan, a gap assessment against the regulations that apply to your organisation is the usual first step, and our compliance team does exactly that.
This page is provided for general information and does not constitute legal advice. For interpretation of obligations that apply to your specific organisation, consult legal counsel or the relevant regulator.
References
- 1. UU Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi
- 2. OJK, POJK Nomor 34 Tahun 2025 tentang Penyelenggaraan Teknologi Informasi oleh BPR dan BPRS (incl. FAQ)
- 3. OJK, SEOJK Nomor 29/SEOJK.03/2022 tentang Ketahanan dan Keamanan Siber bagi Bank Umum
- 4. Bank Indonesia, PBI Nomor 2 Tahun 2024 tentang Keamanan Sistem Informasi dan Ketahanan Siber
- 5. Perpres Nomor 82 Tahun 2022 tentang Pelindungan Infrastruktur Informasi Vital
- 6. Peraturan BSSN Nomor 2 Tahun 2024 tentang Manajemen Krisis Siber
- 7. PP Nomor 71 Tahun 2019 tentang Penyelenggaraan Sistem dan Transaksi Elektronik
Reviewed by Naren Krishnan, Cybersecurity Manager
Frequently asked questions
Commercial banks fall under POJK 11/POJK.03/2022 and its circular SEOJK 29/SEOJK.03/2022, which require an independent cyber function, annual maturity assessment, security testing including penetration testing, and incident reporting to OJK. BPR and BPRS fall under POJK 34/2025, which applies from 18 December 2026. All banks also process personal data, so UU PDP applies on top.