New Cybersecurity and Resilience Bill on The Horizon

The Cybersecurity and Resilience Bill seeks to protect Indonesia’s digital space from attacks that have already cost billions. In recent years, major breaches hit top companies, with records from an e-commerce giant with 91 million users sold for US$5,000, from a fintech startup with 2.9 million records sold for US$2,200, and from an insurance company with 2 million records sold for $7,000¹. In 2024 alone, over 19 million cyberattack attempts were recorded, including a cryptocurrency exchange hack causing US$22 million in losses². The cyberattack attempts in 2024 were trumped by the number of cyberattacks recorded in the first half of 2025, totaling at more than 3 billion³. Strengthening cybersecurity is key not only to preventing such damages but also to supporting Indonesia’s economic growth.

To address these threats, the Bill requires businesses to follow new cybersecurity rules. They are grouped into three types:

1. Operators, such as internet providers, data centres, and cloud platforms that keep digital systems running—must regularly test and audit their systems, prepare for emergencies, submit annual cybersecurity reports, and report incidents promptly;

2. Providers, which supply the hardware, software, and services those operators rely on—are required to get their products certified, put safeguards in place to reduce risks, and quickly report any threats; and

3. Producers, the companies that manufacture and sell tech products like hardware and software—must keep track of their products’ strengths and weaknesses, fix security flaws through updates, and carry out regular safety checks.

The Bill makes it clear that these rules are not optional. With 89% of Indonesian companies still unprepared for cyberattacks, mandatory tests and audits will push businesses to take cybersecurity seriously, working with leading companies such as Kitameraki, Sangfor, Xapiens, Logique, and ITSEC. Non-compliance may result in fines or even total business shut down, but the intent is not punishment—it is protection. By strengthening cybersecurity standards across operators, providers, and producers, Indonesia can safeguard its digital future, minimize losses, and unlock new opportunities for sustainable growth in the digital economy.

With neighbouring countries such as China, Hong Kong, Vietnam, and Myanmar advancing their own cybersecurity law reforms in 2025, Indonesia has a timely opportunity to ride this regional momentum and position itself as a leader in shaping a safer and more competitive digital landscape.

Read more of the draft bill here

¹ https://www.cyberlands.io/topsecuritybreachesindonesia

² https://it.proxsisgroup.com/19-juta-serangan-siber-di-indonesia-sepanjang-2024-ini-kata-pakar/

³ https://en.tempo.co/read/2037469/indonesias-bssn-records-3-64-billion-cyberattacks-in-first-half-of-2025

⁴ https://mediaindonesia.com/teknologi/804940/89-persen-perusahaan-di-indonesia-tidak-siap-hadapi-ancaman-keamanan-siber

By: Farid Bhadra Indraputra

DISCLAIMER:

This material is prepared for general information purposes only. It is not intended to give legal or any other professional advice, opinion or recommendation and, accordingly, it should not be relied upon. Specific legal advice should be sought before taking any action based on the contents in this material. Please contact us if you need any assistance regarding this matter.