This is the inaugural edition of our quarterly newsletter, which offers a streamlined overview of key legal and regulatory developments impacting Indonesia’s cybersecurity and personal data protection environment. As the regulatory landscape continues to evolve, organisational compliance and cyber resilience remain critical priorities for businesses across all sectors.

Highlights in this issue include:

  • Upcoming issuance of the Cybersecurity and Resilience Bill, targeting strengthened national cyber governance.
  • Update on the Personal Data Protection Law implementing regulations.
  • OJK assuming regulatory oversight over digital financial assets.
  • The Indonesian Cybersecurity Symposium.
  • Overview of notable global headlines.
  • Recent cybersecurity incidents and emerging risks in Indonesia.

Regulatory updates and developments

Cybersecurity and Resilience Bill

The Indonesian government recently published its Cybersecurity and Resilience Bill (Bill). This is a crucial step towards a unified cybersecurity framework since Indonesia currently relies on a patchwork of regulations.

What are the key highlights?
  • Cyber authority. The Bill elevates the National Cyber and Encryption Agency (BSSN) to become Indonesia’s cyber authority, with ministry-equivalent status and directly reporting to the President of the Republic of Indonesia. This change grants BSSN broad policy-making, enforcement and investigative powers, including the power to impose administrative sanctions.
  • Mandatory cyber incident reporting. The Bill imposes reporting requirements on a range of businesses, including more stringent reporting requirements for critical infrastructure information service providers in response to cyber incidents.
  • Administrative and criminal penalties. Breaches of certain provisions under the Bill (including non-compliance with mandatory cyber incident reporting) may lead to administrative sanctions from the cyber authority, including written warnings, temporary or permanent suspension of business and/or administrative fines of up to 2% of annual gross revenue or income. The Bill also sets out criminal penalties for cyberattacks on critical infrastructure information service providers, ranging from imprisonment for up to 20 years and fines of up to 20 billion rupiah (~US$1.2 million) to, in the case of cyberterrorism, imprisonment for up to 20 years, lifetime imprisonment or the death penalty.

When will it be issued?

As part of the 2025 National Legislative Program of Indonesia's House of Representatives, the Bill is expected to be enacted this year. On 15 May 2025, the BSSN announced that the Bill had completed the inter-ministerial discussion stage and was now undergoing “harmonisation” with the Ministry of Law to ensure no overlaps or conflicts with existing laws and regulations. [1]

For further reading, Indonesia Personal Data and Cybersecurity lead Cellia Cognard examines Indonesia’s evolving cybersecurity regulatory landscape in an article published by The Jakarta Post here.

Upcoming implementing regulations of PDP Law

We can expect more clarity on the high-level rules on personal data protection set out in Law No. 27 of 2022 on Personal Data Protection (the PDP Law) once the implementing regulations have been issued. In June 2025, senior officials from Indonesia’s Ministry of Communication and Digital Affairs (MOCD) shared two major updates on the progress of these upcoming implementing regulations [2]:

  • a draft government regulation on the technical requirements of the PDP Law is currently being assessed by the MOCD and Ministry of Law and is expected to be delivered to the President in Q3 2025; and
  • a draft presidential regulation on establishment of the PDP Authority is expected to be completed in Q4 2025 (the draft of this regulation is not currently publicly available).

OJK assumes regulatory oversight over digital financial assets

Indonesia's Financial Services Authority (OJK) recently took the first step towards building a comprehensive regulatory framework for digital financial assets in Indonesia, including crypto assets. With OJK assuming oversight, crypto assets are now regulated alongside other financial instruments, ensuring greater market stability, investor protection, and alignment with international regulatory standards. Our key takeaways are available here.

Indonesia Cybersecurity Symposium

Our Indonesia Personal Data and Cybersecurity lead Cellia Cognard attended the Indonesia Cybersecurity Symposium and Workshop on 16 and 17 June 2025, organised by the Coordinating Ministry of Economic Affairs with support from the Australian Government, RMIT University, Infinite Learning (Nongsa Digital Park) and PT Innoveight Technofarm Indonesia (Innov8). The symposium and workshop were organised to raise awareness of the importance of cybersecurity in Indonesia, and to encourage closer collaboration between the public and private sectors in building a strong and sustainable cyber resilience framework. For more details, the media release can be found here.

Global headlines

TikTok fined €530 million by the Irish Data Protection Commission

On 2 May 2025, the Irish Data Protection Commission (DPC) fined TikTok Technology Limited (TikTok) €530 million for breaching the General Data Protection Regulation (GDPR) requirements. Aside from the fine, the DPC also ordered the suspension of data transfers to the People's Republic of China and gave TikTok six months to make sure its data processing practices fully comply with Chapter V of the GDPR.

NCSC recommendations in the wake of retail cyberattacks

The UK’s National Cyber Security Centre has issued guidance for retailers following a series of high-profile cyberattacks that have disrupted major brands such as Marks & Spencer, Co-op, and Harrods. These incidents underscore the escalating threat landscape and the need for robust cybersecurity measures within the retail sector.

Cyberattacks making the news

Pintar, Bank Indonesia’s currency exchange application

On 16 March 2025, Bank Indonesia’s currency exchange application Pintar experienced a temporary outage following a Distributed Denial-of-Service (DDoS) attack. The disruption led to complaints from users who were unable to access the platform.[1]

PeduliLindungi.id, a government Covid-19 tracking website

A cybersecurity incident occurred on 19 May 2025 involving the Indonesian government’s Covid-19 tracking website PeduliLindungi.id. The website was reportedly hacked, causing users to be redirected to an online gambling site when they tried to access it. In response, the MOCD officially took down the PeduliLindungi.id website.[2] It was later confirmed that PeduliLindungi.id is no longer active. All data and services from the site have been moved to the SatuSehat platform.[3]

Attorney General’s Office (AGO) website

Indonesia's AGO website was reportedly targeted by hackers, who also released a written statement addressed to the institution. In response, the Head of the Legal Information Centre at the AGO clarified that the website was undergoing maintenance on 11 February 2025.[4]

Internal data breach at MOCD

The MOCD investigated a suspected cyberattack that may have resulted in the leakage of internal employee data. The incident was identified as occurring in MOCD’s centre for data and information systems, which serves as a hub for storing and managing the ministry’s information. On 3 February 2025, an MOCD official said they had taken mitigation measures against the suspected breach, closed all security gaps, and strengthened cybersecurity defences.[5]

Stock trading application Naik Mobile

NH Korindo Sekuritas Indonesia’s stock trading application Naik Mobile was disrupted by a cyberattack on 19 May 2025, preventing customers from accessing the app or trading stocks. In an official statement on 22 May 2025, NH Korindo Sekuritas Indonesia assured customers that all their assets, including stocks, bonds, mutual funds and cash, remained secure and unaffected by the incident.[6]

OJK reports over 2,600 external fraud complaints in financial services

OJK revealed that it had received 2,688 complaints relating to external fraud in the financial services sector between January 2024 and January 2025. These cases included account takeovers caused by phishing and smishing attacks.[7]

Key contacts

Technology Media and Telecommunications Cellia Cognard Sakurayuki Frances Hewitt