Regulatory Update: Indonesia’s Draft Law on Cybersecurity and Cyber Resilience

by Setyawati Fitrianggraeni and Tiara Amanda Putri

Overview
Indonesia’s Global Cybersecurity Index ranking has fallen to 84th, compounded by major incidents such as the ransomware attack on the National Data Center (PDN).​(1)​ Existing regulations, such as the Electronic Information and Transactions Law (EIT Law) and the Personal Data Protection Law (PDP Law), are considered insufficient as they adopt a sectoral approach. Accordingly, the Cybersecurity and Cyber Resilience Bill (RUU KKS) aims to integrate the regulatory framework and strengthen Indonesia’s digital sovereignty.​(2)​ The Bill is intended to serve as a comprehensive legal framework to address increasingly complex cyber threats and to safeguard national interests.(3)​

Substantively, the Bill designates the National Cyber and Crypto Agency or Badan Siber dan Sandi Negara (BSSN) as the central authority. The BSSN will report directly to the President to coordinate national cybersecurity strategies and crisis response. Its primary focus will be on protecting Critical Information Infrastructure (CII), imposing stringent incident reporting obligations, and standardizing digital products to build a resilient cybersecurity ecosystem.​(4)​

 

Key Highlights

• Strengthening the Institutional Framework and National Strategy
  The Bill elevates BSSN to a ministerial-level institution responsible for formulating the national cybersecurity strategy, managing cyber crises, and coordinating cross-sector incident detection and recovery. The Bill also mandates the establishment of Cyber Security Incident Response Teams (CSIRTs) at the national, sectoral, and organizational levels.​(4)​
• Strict Obligations for Critical Information Infrastructure (CII)
  Operators of Critical Information Infrastructure (CII), including vital sectors such as finance, healthcare, and energy, are required to implement heightened cybersecurity standards. These obligations include conducting cybersecurity audits at least once a year, maintaining disaster recovery plans, and performing regular data backups at designated data centers.​(4)​
• Mandatory Incident Reporting Mechanism
  The Bill introduces strict service-level agreements (SLAs) for incident reporting. CII operators are required to report cybersecurity incidents to BSSN within 24 hours of detection, while non-critical infrastructure operators must report within 72 hours. This mechanism is intended to accelerate national response efforts and enable timely analysis of attack patterns.​(4)​
• Collaborative and Multi-Stakeholder Approach
  Departing from a purely state-centric model, the Bill promotes strategic collaboration between the Government and non-state actors, including the private sector, academia, and communities. This approach recognizes that effective cyber defense requires information sharing, intelligence exchange, and rapid response that cannot be achieved by the State alone.​(2)​
• Institutional Strengthening and Oversight
  The Bill reinforces BSSN’s role as the central authority coordinating national cybersecurity strategy. However, experts emphasize the need for clear and independent oversight mechanisms to ensure effective checks and balances, prevent potential abuse of authority, and safeguard civil liberties and democratic values in cyberspace.​(5)​

References 

​​1. Majalah ICT: Referensi Terpercaya Informasi Digital Indonesia. Peringkat Keamanan Siber Indonesia Turun Tajam, Negara Belum Hadir Amankan Ruang Siber Indonesia. 2026.  Available from: https://www.majalahict.com/peringkat-ketahanan-siber-indonesia-turun-tajam-negara-belum-hadir-amankan-ruang-siber-indonesia/  

​2. Arief M. Urgensi Regulasi Ketahanan dan Keamanan Siber dalam Undang-Undang ITE. Jurnal Litigasi Amsir. 2022 Sep 21;(Spesial Isu: September-Oktober):45–9. Available from: https://journalstih.amsir.ac.id/index.php/julia/article/view/705  

​3. Sulubara SM, Tasril V, Nurkhalisah. Legal Protection Against Cybercrime from Ransomware Attacks and Evaluation of the 2025 Cyber Security and Resilience Bill in Indonesia’s Defense. Aliansi: Jurnal Hukum, Pendidikan dan Sosial Humaniora. 2025 Aug 8;2(5):240–9. Available from: https://journal.appihi.or.id/index.php/Aliansi/article/view/1234  

​4. Rancangan Undang-Undang tentang Keamanan dan Ketahanan Siber. Indonesia; Feb 17, 2025. Available from: https://paralegal.id/peraturan/rancangan-undang-undang-tentang-keamanan-dan-ketahanan-siber/  

​5. Suharto, Wardani DEK, Rahman A, Irwan M. Perlindungan Hukum di Ruang Siber: Telaah Yuridis atas Rancangan Undang-Undang Keamanan dan Ketahanan Siber. Jurnal Ilmu Hukum: The Juris. 2025 Dec 13;9(2):548–55. Available from: https://ejournal.stih-awanglong.ac.id/index.php/juris/article/view/1788  

​ 

Publication Disclaimer:    

This disclaimer applies to the publication of articles by Anggraeni and Partners. By accessing or reading any articles published by Anggraeni and Partners, you acknowledge and agree to the terms of this disclaimer:   

• No Legal Advice: The articles published by Anggraeni and Partners are for informational purposes only and do not constitute legal  advice. The information provided in the articles is not intended to create an attorney-client relationship between Anggraeni and Partners and the reader. The articles should not be relied upon as a substitute for seeking professional legal advice. For specific legal advice tailored to your individual circumstances, please consult a qualified attorney.   

• Accuracy and Completeness: Anggraeni and Partners strives to ensure the accuracy and completeness of the information presented in the articles. However, we do not warrant or guarantee the accuracy, currency, or completeness of the information. Laws and legal interpretations may vary, and the information in the articles may not be applicable to your jurisdiction or specific situation. Therefore, Anggraeni and Partners disclaims any liability for any errors or omissions in the articles.   

•  No Endorsement: Any references or mentions of third-party organizations, products, services, or websites in the articles are for informational purposes only and do not constitute an endorsement or recommendation by Anggraeni and Partners. We do not assume responsibility for the accuracy, quality, or reliability of any thirdparty information or services mentioned in the articles.   

• No Liability: Anggraeni and Partners, its partners, attorneys, employees, or affiliates shall not be liable for any direct, indirect, incidental, consequential, or special damages arising out of or in connection with the use of the articles or reliance on any information contained therein. This includes, but is not limited to, loss of data, loss of profits, or damages resulting from the use or inability to use the articles.   

• No Attorney-Client Relationship: Reading or accessing the articles does not establish an attorney-client relationship between Anggraeni and Partners and the reader. The information provided in the articles is general in nature and may not be applicable to your specific legal situation. Any communication with Anggraeni and Partners through the articles or any contact form on the website does not create an attorney-client relationship or establish confidentiality.   

• Intellectual Property: This publication is an original work of the author(s) that has not been previously published or submitted for publication elsewhere. All intellectual property rights in relation to this publication, including economic rights, are exclusively owned by Anggraeni and Partners (AP).   

• Use of AI Tools: During the preparation of this work, the author(s) may use AI-assisted technologies for readability. After using this tool/service, the author(s) reviewed and edited the content as needed for the purposes of the publication. Any use of artificial intelligence tools, if applied, is limited to supporting purposes only, and the author remains fully responsible for the accuracy, integrity, and quality of the content.   

By accessing or reading the articles, you acknowledge that you have read, understood, and agreed to this disclaimer. If you do not agree with any part of this disclaimer, please refrain from accessing or reading the articles published by Anggraeni and Partners.