Key takeaways

  • Indonesia's AI governance sits across four instruments: the National AI Strategy (Perpres No. 24/2023), the Personal Data Protection Law (UU PDP, Law No. 27/2022), the BSSN Electronic System Security Regulation (No. 4/2021), and sector-specific OJK guidance for financial services. A comprehensive AI Bill is under Parliamentary discussion as of mid-2026.
  • UU PDP applies to any processing of Indonesian citizens' personal data, regardless of where the processor is located. AI agents making consequential automated decisions about Indonesian users must support human review on request under Article 25.
  • Indonesia's Electronic Information and Transactions Law (UU ITE, as amended 2024) imposes liability for distributing false or misleading electronic information. This applies to AI-generated content distributed to Indonesian users, regardless of whether a human or an automated system produced it.
  • The OJK AI Governance Framework for financial services, published in 2024, requires risk-based governance, explainability, and bias monitoring for AI systems used in credit scoring, insurance underwriting, and customer advisory functions.
  • EU AI Act-compliant operators have a strong foundation for Indonesian compliance. The primary adaptations required are UU PDP data transfer mechanisms, Bahasa Indonesia rights procedures, and OJK-specific obligations for financial sector deployments.

The regulatory landscape

Indonesia's approach to AI governance reflects its broader digital policy posture: ambitious national strategy, sector-led implementation, and incremental movement toward comprehensive legislation. The country's 280 million population, growing digital economy, and position as ASEAN's largest member state make it a significant market for any operator deploying AI at regional scale.

The primary strategic document is Presidential Regulation No. 24/2023, known as Perpres 24/2023, which adopts the National AI Strategy (Strategi Nasional Kecerdasan Artifisial) and sets out Indonesia's five-pillar AI development framework: ethics and governance, human resources, research, digital infrastructure, and cross-sector industrial application. The strategy runs to 2045 and identifies priority sectors including health, education, food security, smart cities, and financial services. Perpres 24/2023 is a planning document rather than a binding compliance instrument, but it establishes the ministerial mandates that produce binding secondary regulation.

The Ministry of Communication and Digital Affairs, known as Komdigi following its renaming in 2024 from Kominfo, holds the primary mandate for digital and AI policy. Komdigi has published non-binding AI ethics guidance and is the body most likely to issue the implementing regulations that will operationalise the eventual AI Bill.

The Personal Data Protection Law and AI agents

Law No. 27/2022 (UU PDP), which entered into force on 17 October 2024 following a two-year transition period, is currently the most directly enforceable instrument affecting AI agent operators in Indonesia. Its scope covers any processing of personal data belonging to Indonesian citizens, with explicit extraterritorial application where processing has effects in Indonesian territory regardless of the processor's location.

For AI agent operators, four provisions of UU PDP are directly relevant.

Automated decision-making (Article 25). Data subjects have the right to receive an explanation of automated processing and to contest decisions based solely on automated means where those decisions produce legal effects or similarly significant consequences. An AI agent that makes credit decisions, employment screening decisions, insurance assessments, or access control determinations for Indonesian users must support a human review pathway accessible on request. This closely mirrors Article 22 of the EU GDPR.

Cross-border data transfers (Articles 56-58). Personal data may only be transferred outside Indonesia to jurisdictions that provide equivalent protection, or where the transfer is covered by a transfer mechanism approved by the supervising minister. Operators running Indonesian users' data through offshore AI infrastructure must have a legal transfer basis. Komdigi has not yet published a full adequacy decision list, meaning most operators must use contractual mechanisms similar to EU standard contractual clauses.

Purpose limitation and transparency (Articles 20-21). Personal data must be collected for a specific and declared purpose and not processed in a manner incompatible with that purpose. An AI agent that infers additional attributes about users or builds secondary profiles from interaction data faces purpose limitation scrutiny if users were not informed that their data would be used for inference beyond the stated service function.

Data breach notification (Article 46). Personal data controllers must notify the supervising authority and affected data subjects within 14 days of becoming aware of a personal data breach. AI incidents that expose or corrupt personal data trigger this obligation. The 14-day window is tighter than the GDPR's 72-hour window for authority notification but aligns with the GDPR's 30-day window for subject notification.

The penalty structure under UU PDP includes administrative sanctions of up to 2% of annual revenue, criminal penalties of up to Rp 6 billion (approximately EUR 330,000 at June 2026 exchange rates) for individuals, and criminal penalties of up to Rp 60 billion for corporations. Enforcement is overseen by a data protection authority whose institutional structure was being finalised under Ministry of Communication and Digital Affairs oversight as of mid-2026.

Electronic Information and Transactions Law

Indonesia's Electronic Information and Transactions Law (UU ITE), originally enacted in 2008 and significantly amended in 2024, is a broad digital content liability instrument. Article 28 prohibits the spreading of false news or information through electronic systems where that information causes harm or public disorder. The 2024 amendment clarified that this provision applies to content distributed through electronic systems regardless of whether a human or an automated process produced it.

For AI agent operators, this creates a content liability exposure distinct from the data protection framework. An AI agent that generates and distributes incorrect health information, fabricated product claims, or misleading financial advice to Indonesian users may trigger UU ITE liability for the operator in addition to any civil liability arising from the specific harm. The Mata v. Avianca principle (SDNY, 2023), which held that deployers cannot pass responsibility for AI-generated content to the model provider, maps directly to the UU ITE analysis: the operator who deployed the system and published the output is the relevant party under Indonesian law.

Criminal penalties under UU ITE reach up to six years' imprisonment for individuals and substantial corporate fines. Civil liability follows standard Indonesian tort principles, which require the claimant to demonstrate harm, causation, and fault.

Financial services: OJK governance requirements

The Financial Services Authority (Otoritas Jasa Keuangan, OJK) issued its AI Governance Framework for Financial Institutions in 2024 (POJK 11/2024), establishing binding requirements for AI systems used in banking, insurance, capital markets, and multifinance. The framework applies to financial institutions supervised by the OJK and to third-party technology providers offering AI services to those institutions.

The OJK framework adopts a risk-based tier structure with four levels of AI risk. Tier 1 covers AI systems with limited scope and low consequence, subject only to documentation and periodic review. Tier 4 covers high-risk AI systems in core credit, underwriting, and advisory functions, which require pre-deployment approval, bias auditing, ongoing explainability monitoring, and annual review by an independent assessor.

For global operators providing AI agent services to Indonesian financial institutions, the OJK framework means that any deployment in credit scoring, insurance risk assessment, customer advisory, or automated trading functions falls under a structured oversight regime. The OJK can direct supervised institutions to modify or withdraw AI systems that fail governance requirements, with downstream consequences for third-party technology providers whose systems are found non-compliant.

The OJK framework explicitly references the OECD AI Principles (revised November 2024, OECD/LEGAL/0449) and ISO/IEC 42001:2023 as relevant governance standards. Operators who have implemented ISO 42001 management system requirements and can evidence alignment with the OECD's five trustworthy AI principles are better positioned to satisfy OJK documentation requirements without significant rework.

Cybersecurity requirements: BSSN

The National Cyber and Encryption Agency (Badan Siber dan Sandi Negara, BSSN) Regulation No. 4/2021 on electronic system security requires operators of electronic systems serving Indonesian users to implement technical and organisational security measures appropriate to the risk of the system. AI agents are electronic systems under the regulation. The specific requirements cover system classification, security baselines, incident response, and annual security assessments for systems handling personal data or critical information.

BSSN's classification system categorises electronic systems as strategic (government and critical infrastructure), high (financial, health, and other sensitive sector systems), or general (other commercial services). AI agents in high-category sectors face additional controls including penetration testing requirements and mandatory incident reporting to BSSN within defined timeframes.

Comparison to EU AI Act and Singapore's framework

Understanding Indonesia's framework in relation to the EU AI Act and Singapore's Model AI Governance Framework (IMDA, 2024 edition) is relevant for operators managing multi-jurisdiction compliance.

The EU AI Act (Regulation 2024/1689) establishes a comprehensive, binding, risk-tiered framework with explicit prohibitions, high-risk category definitions, and penalties up to EUR 35 million or 7% of global annual turnover. Indonesia has no equivalent binding law yet. However, the UU PDP's automated decision-making provisions, the OJK framework, and the UU ITE content liability rules together cover a significant portion of the EU AI Act's practical compliance scope for operators in the most common commercial deployment contexts.

Singapore's framework is voluntary guidance rather than binding law, making it more flexible but less enforceable than either the EU AI Act or Indonesia's sectoral rules. Singapore's AI Verify assessment tool and the IMDA Model AI Governance Framework 2.0 provide a practical compliance methodology that transfers directly to Indonesian regulatory expectations, particularly for operators already meeting OJK governance requirements. The Singapore framework's emphasis on explainability and bias monitoring aligns closely with OJK POJK 11/2024 requirements.

A global operator that has implemented EU AI Act high-risk AI compliance will find the following areas require specific adaptation for Indonesia: UU PDP transfer mechanisms for Indonesian personal data, rights response procedures available in Bahasa Indonesia, UU ITE-specific content review processes for AI-generated outputs distributed to Indonesian users, and OJK pre-deployment assessment requirements for any financial services deployment. The documentation infrastructure required by EU AI Act Articles 9-17 transfers directly to OJK governance requirements.

For a full cross-jurisdiction comparison, see the US, EU and UK liability comparison and the Singapore AI Governance Framework guide on this site. For EU AI Act operator obligations in detail, see the Article 26 deployer obligations guide on the EU Regulatory Desk.

Enforcement architecture and penalties summary

Enforcement in Indonesia operates across multiple agencies with overlapping jurisdictions, which creates compliance complexity for multi-sector operators.

The data protection authority under UU PDP is administratively housed within the Ministry of Communication and Digital Affairs. Its powers include investigation, administrative sanctions (up to 2% of annual revenue), and criminal referrals. The authority's operational capacity is still developing as of 2026, but the law is in force and enforcement actions are possible.

BSSN can impose sanctions for non-compliance with electronic system security requirements, including orders to suspend operations of non-compliant systems. Sector regulators including OJK hold their own enforcement powers and can direct supervised institutions to withdraw AI products and impose financial penalties.

The following table summarises the primary penalty exposures for AI agent operators in Indonesia:

| Instrument | Maximum administrative penalty | Criminal exposure | Enforcing body |
|---|---|---|---|
| UU PDP (data protection) | 2% of annual revenue | Up to Rp 60 billion corporate / Rp 6 billion individual | Ministry of Communication and Digital Affairs data authority |
| UU ITE (electronic content) | Not specified separately | Up to 6 years imprisonment and substantial fines | National Police / Prosecutors |
| BSSN (cybersecurity) | Suspension of electronic system operations | Referred to prosecutors | BSSN |
| OJK (financial services) | Up to Rp 15 billion per violation | Sector-specific criminal provisions | OJK |

Practical steps for operators entering the Indonesian market

For operators planning AI agent deployments that serve Indonesian users, a structured preparation approach covers the critical compliance obligations before market entry.

First, assess the personal data footprint of the deployment. If the agent processes any personal data belonging to Indonesian citizens, UU PDP applies in full. Map every data flow, identify the transfer mechanism for cross-border data, and establish individual rights procedures including Bahasa Indonesia documentation.

Second, determine the sector classification. Financial services, health, and government-adjacent deployments face sector-specific governance requirements that go beyond the UU PDP baseline. OJK POJK 11/2024 applies directly to any financial service deployment and requires pre-deployment documentation and risk tier classification before the system interacts with Indonesian financial consumers.

Third, implement AI-generated content review controls. The UU ITE content liability exposure applies regardless of whether the output was generated by a human or an AI. Operators should establish systematic review for AI outputs that could constitute false, misleading, or harmful information, particularly in health, financial, and news-adjacent contexts.

Fourth, build the incident response capability required by UU PDP's 14-day notification window. Indonesian breach notification timelines are tighter than many operators are accustomed to, and the Komdigi data authority is the required notification recipient alongside affected data subjects.

Operators managing multi-jurisdiction compliance can use the EU AI Act documentation framework as a foundation. The risk assessment, documentation, human oversight, and monitoring infrastructure required by EU AI Act Articles 9-17 covers the core of what Indonesian sectoral regulators will scrutinise. For the insurance and risk management implications of deploying into a jurisdiction with an evolving but real enforcement framework, see agentinsured.eu.

Frequently asked questions

Does Indonesia have a binding AI regulation for operators?

Indonesia does not yet have a single binding AI-specific law equivalent to the EU AI Act. What exists is a layered framework: Perpres No. 24/2023 (the National AI Strategy), UU PDP (data protection), BSSN Regulation No. 4/2021 (electronic system security), and OJK POJK 11/2024 for financial services. A comprehensive AI Bill is under Parliamentary discussion as of mid-2026.

Which Indonesian regulator oversees AI governance?

Primary oversight sits across three bodies. The Ministry of Communication and Digital Affairs (Komdigi) holds the broadest mandate. BSSN oversees electronic system security. The OJK holds sector-specific oversight for financial services AI. BSN (the national standardisation agency) handles Indonesia's engagement with international AI standards bodies including ISO.

How does Indonesia's Personal Data Protection Law affect AI agent operators?

UU PDP applies to any processing of Indonesian citizens' personal data, regardless of where the processor is located. Article 25 provides data subjects with rights to explanation of automated processing and to object to decisions based solely on automated means. Cross-border data transfers require equivalent protection. Penalties reach 2% of annual revenue for administrative violations and up to Rp 60 billion in criminal proceedings.

What is the relationship between Indonesia's AI framework and the ASEAN AI Governance Framework?

Indonesia participates in the ASEAN AI Governance Framework (AAGF), which adopts a risk-based approach broadly aligned with the EU AI Act model. The ASEAN frameworks are voluntary guidelines rather than binding instruments. Operators should treat ASEAN framework compliance as a minimum baseline consistent with Indonesian expectations while monitoring for mandatory rules from Komdigi and sector regulators.

What do EU AI Act-compliant operators need to adapt for Indonesia?

EU AI Act compliance provides a strong foundation in risk assessment, human oversight, and data governance. The primary adaptations required are UU PDP-specific data transfer mechanisms, Bahasa Indonesia rights procedures for Indonesian users, UU ITE content review processes for AI-generated outputs, and OJK pre-deployment documentation requirements for financial services deployments.

References

  1. Presidential Regulation No. 24/2023 (Perpres 24/2023). National AI Strategy (Strategi Nasional Kecerdasan Artifisial Indonesia 2020-2045). Republic of Indonesia.
  2. Law No. 27/2022 (Undang-Undang Perlindungan Data Pribadi, UU PDP). Personal Data Protection Law. Republic of Indonesia.
  3. BSSN Regulation No. 4/2021. Electronic system security requirements. National Cyber and Encryption Agency, Republic of Indonesia.
  4. OJK Regulation POJK 11/2024. AI Governance Framework for Financial Institutions. Financial Services Authority (OJK), Republic of Indonesia.
  5. Law No. 11/2008 as amended by Law No. 1/2024 (UU ITE). Electronic Information and Transactions Law. Republic of Indonesia.
  6. ASEAN Model AI Governance Framework, 2nd edition. ASEAN and Singapore IMDA, 2020.
  7. OECD AI Principles. Revised November 2024. OECD/LEGAL/0449.
  8. ISO/IEC 42001:2023. Artificial intelligence management system. International Organization for Standardization.
  9. Regulation (EU) 2024/1689 (EU AI Act). Articles 9-17, 26. OJ L, 12 July 2024.
  10. Mata v. Avianca, Inc., No. 22-cv-1461 (S.D.N.Y. 2023).