In this context, Indonesia’s Ministry of Communication and Digital Affairs (MOCDA) has taken a significant step by issuing Regulation No. 5 of 2025—a game-changing directive that introduces new compliance obligations for Public Electronic System Providers (Public ESPs).

This new regulation, promulgated on March 18, 2025, serves as the implementing instrument for Government Regulation No. 71 of 2019 on Electronic Systems and Transactions. It comes with a clear deadline: all Public ESPs must fully comply by March 2026, or face progressive administrative sanctions that include blacklisting and delisting.

If you’re a cloud provider, messaging platform, fintech service, healthtech app, or digital public service enabler operating in Indonesia, this regulation likely affects you.

Who Is a Public ESP?

Under MOCDA Reg. 5/2025, a Public ESP is defined as an electronic system operated by a government agency or an institution formally appointed by such an agency. Notably, the regulation excludes regulators and supervisory authorities in the financial sector.

However, this definition also opens the door for private companies to be designated as Public ESPs if formally appointed under a legal or regulatory instrument. This means a private platform hosting services on behalf of government ministries—such as e-learning tools, healthcare portals, or public service apps—may fall under the new regime.

MEF encourages stakeholders to monitor updates from MOCDA and consider joining MEF’s ID&Data Interest Group to stay informed and share industry responses. For further support or introductions to local regulatory experts in Indonesia, MEF members can contact us directly.”

To be classified as a Public ESP, an entity must:

• Be registered as a Private Scope Electronic System Provider;
• Be legally established in Indonesia;
• Operate a data center located within Indonesia’s borders.

Key Compliance Obligations

1. Mandatory Re-Registration

Whether you’re an incumbent Public ESP or newly appointed, re-registration is mandatory under the new framework. This isn’t just a box-ticking exercise. The updated registration process requires:

• Disclosure of the ESP’s operational infrastructure, data flows, and system governance;
• Full profiles of designated personnel, including identification numbers and contact details;
• Detailed system descriptions, including data categories, DNS/IP addresses, and processing locations.

Public ESPs must complete registration before launching or continuing operations.

2. Enhanced Data Governance

Public ESPs must now:

• Deploy robust cybersecurity systems to prevent, detect, and mitigate cyber threats;
• Implement personal data protection measures in line with Indonesia’s Personal Data Protection Law (UU PDP);
• Conduct feasibility testing to ensure systems are operationally and technically sound.

These requirements underscore a shift toward accountability and resilience, especially for systems managing sensitive or mission-critical public services.

3. Control Over User-Generated Content (UGC)

Platforms that allow users to upload, share, or display electronic information or documents—such as forums, social media channels, or community engagement portals—must:

• Monitor for and remove prohibited content (e.g., terrorism, child pornography, false information);
• Provide Indonesian-language service guidance for users;
• Offer mechanisms for public reporting of illegal or harmful content.

MOCDA is authorized to take direct enforcement action for urgent violations, including access blocking and delisting, underscoring the need for vigilant content moderation.

Penalties for Non-Compliance

MOCDA Reg. 5/2025 includes a one-year grace period until March 2026. After this, progressive sanctions apply:

• Up to three written warnings within a week
• Temporary suspension of system access if no action is taken
• Blocking and removal from the registry if violations persist.

These administrative sanctions can significantly disrupt operations—especially for companies serving large user bases or relying on continued public access.

What Mobile Ecosystem Stakeholders Should Do Now

Here is a practical step-by-step compliance roadmap for businesses affected by this regulation:

1. Internal Audit

Review your system’s legal status, data center locations, and registration classification. Determine if you’re considered a Public ESP under the new criteria.

2. Legal & Regulatory Review

Identify compliance gaps by mapping your operations against the new requirements. Engage local counsel to interpret regulatory grey areas—especially for cross-border operations or hybrid service models.

3. Policy and System Updates

Update your privacy policies, terms of service, and content moderation procedures. Ensure you have:

• Data protection protocols
• Cybersecurity risk management frameworks
• UGC governance and complaint handling mechanisms

4. Initiate Registration Early

The registration process is documentation-heavy and may involve coordination with multiple departments. Starting early minimizes risk of non-compliance and avoids last-minute administrative hurdles.

Looking Ahead: Building Trust in Indonesia’s Digital Infrastructure

Indonesia’s regulatory tightening reflects a broader global trend: governments are increasingly asserting sovereignty over digital systems, data localization, and content governance. While these regulations can introduce operational complexity, they also present opportunities.

MEF CEO