Cyber resilience as the foundation of Indonesia’s digital state governance
By Yudhistira Nugraha
Building up the nation’s resilience isn’t merely a technical challenge, but one that requires adaptive and collaborative governance between agencies.

Head of the Centre for Data and IT at Indonesia’s Ministry of Education, Yudhistira Nugraha, emphasised the importance of a Cybersecurity and Cyber Resilience Law to address gaps in the legal governance framework for national cyber security. Image: Canva.
The waves of data breaches and cyberattacks over the past few years cannot be seen as mere technical disruptions. They reflect deeper governance challenges in the digital age.
When public services are paralysed by ransomware or citizens’ data is exposed without control, what is at stake is not only IT systems, but public trust and institutional legitimacy.
For this reason, the discussion about establishing a Cybersecurity and Cyber Resilience Law in Indonesia should not be framed as a narrow technical debate.
It is fundamentally a constitutional issue: how the state ensures that citizens are protected in the digital space in a systemic, coordinated, and accountable manner.
There are three reasons why such a law is urgently needed.
1. Lack of reporting structure for cyber incidents
The first gap lies in the lack of mandatory, standardised cyber incident reporting.
Unclear reporting thresholds can prevent governments from fully understanding the threat landscape, according to recent research on the European Union (EU)’s Directive on Security of Network and Information Systems (NIS Directive).
If only “major” incidents must be reported, situational awareness becomes incomplete. As a result, preparedness and policy decisions are built on partial information.
Indonesia faces a similar risk. There is still no clear national standard defining which incidents must be reported, what qualifies as a significant incident, and how to distinguish between early warnings and major breaches.
Reporting remains fragmented across sectors, without strong national integration.
In earlier research we published, my colleagues and I found that national cyber defence requirements cannot be designed in isolation.
Through a structured consensus approach across stakeholders, the study highlighted the importance of integrated national capacity, including early detection systems and coordinated response mechanisms.
Without a clear reporting and coordination architecture, it is difficult to build risk-based and evidence-based resilience.
A Cybersecurity and Cyber Resilience Law should therefore establish proportional mandatory reporting, clear incident thresholds, a single national reporting gateway, such as a National Security Operations Center, and fair administrative sanctions.
Cyber resilience cannot be built without reliable threat visibility.
2. Lack of legal framework to protect critical information infrastructure
The second issue concerns the lack of a robust legal framework to protect critical information infrastructure.
The line between critical infrastructure (such as energy or transport) and critical information infrastructure (the digital systems that support them) is often unclear in regulatory practice.
This ambiguity can create two opposite risks: underprotection of vital sectors and ineffective, burdensome overregulation.
While Indonesia has experienced its share of disruptions affecting data centres, public services, and financial institutions, a comprehensive statutory definition of critical information infrastructure remains absent.
There are also no uniform mandatory audits or baseline cybersecurity standards that apply across sectors.
Global practice offers useful lessons.
The EU under NIS2 and Singapore under its Cybersecurity Act use a designation-based model. Stricter obligations apply only to systems or entities that are formally designated as strategically important.
This allows regulation to be focused and proportionate, rather than imposing heavy compliance requirements on all digital service providers.
We also emphasised that strategic national systems should be prioritised based on risk and impact. Not all systems require the same level of intervention, but those that support essential services must operate under stronger legal and governance standards.
A national cyber resilience law should therefore provide a clear legal basis for critical infrastructure designation, mandatory risk assessments, periodic audits, and transparent cross-sector coordination.
3. Evolving nature of cyber threats
The third reason relates to the changing nature of cyber threats.
Scholars have criticised the traditional “castle model” of cybersecurity, which assumes that strong perimeter defences can keep threats outside.
In a highly interconnected digital ecosystem, this assumption is no longer realistic. Systems must be designed with the expectation that breaches will occur. The goal is not only to prevent attacks, but to detect, respond, and recover quickly.
Cross-sector collaboration works only when supported by clear institutional rules. Without a legal foundation, cooperation remains voluntary and inconsistent.
We have similarly stressed that national cyber resilience requires adaptive, collaborative governance. It is not merely a technical challenge, but one that demands inter-agency coordination, continuous learning, and strategic consensus.
Indonesia still tends to focus on strengthening the technical perimeter. Modern cybersecurity, however, requires continuous monitoring, threat intelligence sharing, and coordinated crisis management.
A dedicated legal framework would help shift the paradigm from perimeter defence to systemic resilience.
Learning from others without copying blindly
Singapore offers a relevant example. Its Cybersecurity Act is neither a cybercrime law nor a content regulation law.
Instead, it is a governance framework focused on protecting critical infrastructure and coordinating administrative responses. Cybercrime and data protection are regulated separately.
This separation of domains ensures clarity and avoids regulatory overlap. The approach is risk-based and proportionate, not punitive.
Indonesia already has the Electronic Information and Transactions Law, which regulates prohibited conduct in digital space, and the Personal Data Protection Law, which protects data subjects and governs data processing.
However, a comprehensive national cyber resilience architecture at the statutory level does not yet exist. This is the gap that needs to be addressed.
Any future Cybersecurity and Cyber Resilience Law must uphold democratic principles. Its authority should be clearly defined and limited. Oversight mechanisms must be transparent. Human rights must be respected.
The objective is not to expand criminalisation, but to strengthen the state’s capacity to protect the public interest.
Cyber resilience is not only about technology. It is part of the state’s constitutional responsibility to ensure safety and trust in a new living space: the digital space.
In an era where data has become a critical social and economic infrastructure, protecting digital systems means protecting public life itself.
Building a clear, proportionate, and democratic Cybersecurity and Cyber Resilience Law is a step toward mature digital governance, not for control, but for protection and national sustainability.
The author is a technocrat and academic. He currently serves as Head of the Centre for Data and Information Technology at Indonesia’s Ministry of Primary and Secondary Education and previously led Jakarta Smart City (2019–2023). He obtained his Doctor of Philosophy in Cyber Security from the University of Oxford, United Kingdom, and is currently active as a lecturer at Telkom University.
