Indonesia’s Cybersecurity Draft Law: Implications for Digital Product Compliance

This blog was originally posted on 10th March, 2025. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.
AUTHORED BY GISELLE CHIA, REGULATORY COMPLIANCE ANALYST, COMPLIANCE & RISKS
Discussions on the need for cybersecurity legislation in Indonesia have been ongoing for some time. In 2019, the Indonesian House of Representatives (DPR) officially introduced the Draft Law on Cyber Security and Resilience (RUU KKS) for the first time. However, progress on its development and ratification remained minimal.
In November-December 2024, efforts to include RUU KKS as a priority in the 2025 National Legislation Program (Prolegnas) received significant support from the legislative body. As a result, the Indonesian Government is currently finalizing the draft, with its latest version issued in February 2025.
Overview of RUU KKS (2025)
To strengthen national security against growing cyber threats and attacks, RUU KKS aims to establish a comprehensive legal framework for cybersecurity and resilience in Indonesia. It addresses various aspects, including:
- Role of the Government;
- National Strategy for Cyber Security and Resilience;
- Governance of Product with Digital Elements (PDED);
- Protection of Critical Information Infrastructure (IIK);
- Cyber Incident Reporting and Response;
- Inter-agency Coordination.
Product Security: All You Need to Know About PDED
Definition and Classification of PDED
PDED bears the same definition as “Product with Digital Elements” under the EU’s Cyber Resilience Act. It refers to a software or hardware product and its remote data processing solutions, including software and hardware components placed on the market separately. PDED is classified into three risk levels – standard, medium and high.
Assessment and Certification of PDED
Standard-risk PDED do not require certification or assessment by the National Cyber Agency; however, a self-assessment must be conducted before they are marketed and/or used.
Medium-risk and high-risk PDED are subject to mandatory assessment by the National Cyber Agency before being marketed and/or used. They are assessed against security standards and receive a certificate upon successful assessment. Further provisions on PDED, assessment guidelines and security standards will be determined by the National Cyber Agency through regulations.
Obligations of PDED Manufacturers
Manufacturers of PDED have a number of obligations to ensure the security of their products. For instance, they must:
- Identify and document the strengths, vulnerabilities, and components contained in the product, and compile a list of software used;
- Address and remediate vulnerabilities, including providing security updates;
- Conduct regular security testing and evaluation of the PDED;
- When updates become available, disclose information about vulnerabilities that have been addressed;
- Implement a coordinated vulnerability disclosure policy;
- Provide a secure mechanism for distributing security updates for PDED in a timely manner;
- Notify users about security update tools and the necessary actions to be taken;
- Ensure that their products continuously meet the PDED requirements set by the Government through further regulation.
PDED, AI and Data Protection
Artificial Intelligence developed, implemented, and/or produced by PDED manufacturers must comply with AI Ethics Principles, and must be reported to the National Cyber Agency.
More specifically, the AI Ethics Principles that must be taken into consideration are:
- Inclusivity;
- Humanity;
- Security;
- Accessibility;
- Transparency;
- Credibility and accountability;
- Personal data protection;
- Sustainable development and environment; and
- Intellectual property protection.
Challenges Facing PDED Manufacturers
Increased Costs and Operational Burdens: Manufacturers of medium-risk and high-risk PDED are responsible for paying the assessment and certification fees, inevitably increasing compliance costs, especially for small and medium enterprises (SMEs). Regular security testing and updating of PDED also mean that dedicated teams are needed to meet the requirements, straining the resources of smaller companies. Manufacturers are also mandated to ensure that all third-party components comply with the security standards. This can be challenging in global supply chains, where vulnerabilities may exist in components sourced from different vendors.
Market Restrictions: PDED that fail assessment cannot enter the Indonesian market. This constitutes a trade barrier, especially for foreign companies unfamiliar with Indonesian law. Moreover, if Indonesia’s PDED security standards differ from international standards, global companies will need to create Indonesia-specific versions of their products, increasing production costs.
Challenges in AI Compliance: AI-based PDED must adhere to certain ethical principles. However, without clearly defined requirements, compliance becomes increasingly difficult.
Penalties for Non-Compliance: Failure to comply with PDED-related requirements and obligations may result in the imposition of administrative sanctions in the form of:
- Written warning;
- Temporary suspension of business activities;
- Permanent suspension or freezing of business activities; and/or
- Administrative fine.
Enforcement Status
Upon adoption, the Cyber Security and Resilience Law is scheduled to enter into force on the day of its enactment. All implementing regulations for this law are to be stipulated within 2 years of its effective date.
Stay Ahead of Regulatory Changes Like Indonesia’s RUU KKS
Want to stay ahead of these regulatory developments?
Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.
C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.
- Accelerate time-to-market for products
- Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
- Enable business continuity by digitizing your compliance process and building corporate memory
- Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
- Save time with access to Compliance & Risks’ extensive Knowledge Partner network