Indonesia has established a structured but evolving regulatory framework for IoT, driven by the Kementerian Komunikasi dan Informatika (Kominfo), the Undang-Undang Perlindungan Data Pribadi (UU PDP), and supporting policies like Peraturan Pemerintah No. 71 Tahun 2019. For foreign investors, compliance is not optional. It is a strategic requirement to operate legally, securely, and competitively in Southeast Asia’s largest digital economy.
Before diving deeper into regulations, it is important to understand how these policies align with Indonesia’s rapidly growing IoT ecosystem. If you need a broader market perspective, we recommend reading our overview of the IoT industry in Indonesia to see how regulation and opportunity intersect.
Understanding the Regulatory Landscape of IoT in Indonesia
IoT regulation in Indonesia is not governed by a single law. Instead, it is a layered framework combining telecommunications, data protection, and digital governance.
At its core, the regulatory system focuses on four pillars:
- Device and network compliance
- Licensing and operational permits
- Data protection and privacy
- Cybersecurity and infrastructure resilience
This multi-layered approach reflects the complexity of IoT systems, which span devices, networks, platforms, and data ecosystems.
1. Telecommunications and Device Certification
All IoT devices operating in Indonesia must comply with technical standards set by Kominfo. This includes certification through SDPPI (Directorate General of Resources and Equipment of Post and Informatics).
For example, LPWA-based IoT devices must meet specific technical requirements before being marketed or deployed.
Key requirements include:
- Device certification (SDPPI approval)
- Frequency compliance and spectrum allocation
- Interoperability standards
Failure to comply can result in import restrictions or operational bans.
2. Licensing: SISKOMDAT and PSE Obligations
Operating an IoT business in Indonesia requires proper licensing, particularly if your solution involves connectivity or data transmission.
The most relevant licenses include:
SISKOMDAT License
IoT providers offering data communication services must obtain a SISKOMDAT license, which ensures compliance with operational, financial, and technical standards.
PSE (Electronic System Operator) Registration
Any digital platform handling user data must register as a PSE with Kominfo. This applies even to foreign companies without a local entity.
Non-compliance may lead to:
- Platform blocking
- Service disruption
- Legal penalties
3. Data Protection and Privacy: UU PDP
The UU PDP (Law No. 27 of 2022) is the cornerstone of Indonesia’s data governance.
It regulates:
- Data collection and processing
- User consent requirements
- Cross-border data transfer
- Individual rights over personal data
This law applies to all IoT systems that collect personal or behavioral data, including smart devices, wearables, and industrial sensors.
For IoT businesses, this means implementing:
- Data minimization practices
- Encryption and secure storage
- Transparent privacy policies
4. Data Localization and Infrastructure Rules
Under PP No. 71 of 2019, certain categories of data must be stored within Indonesia, particularly for public services and strategic sectors.
For IoT and cloud-based systems:
- Local data centers may be required
- Hybrid architectures are often used for compliance
- Cross-border transfer must meet strict conditions
This is especially relevant for foreign investors deploying IoT platforms at scale.
5. Cybersecurity and National Strategy
Indonesia is strengthening its cybersecurity posture through policies like Presidential Regulation No. 47 of 2023.
This regulation emphasizes:
- Protection of critical digital infrastructure
- Risk management for connected devices
- National cyber resilience
IoT systems are explicitly considered part of the national digital infrastructure, increasing compliance expectations.
Key Compliance Challenges for Foreign Investors
While Indonesia offers strong growth potential, regulatory complexity can create friction:
- Fragmented regulations across sectors
- Evolving standards and enforcement
- Local partnership and licensing requirements
- Data governance uncertainty
However, these challenges also create a barrier to entry, favoring companies that approach compliance strategically.
At InvestinAsia, we work directly with foreign investors entering Indonesia’s digital and IoT sectors.
We help you:
- Obtain SISKOMDAT and telecom licenses
- Register your platform as a PSE
- Structure your data compliance strategy under UU PDP
- Set up compliant entities and local operations
Instead of navigating fragmented regulations alone, you can rely on our team to ensure your IoT business is compliant from day one.
FAQ: IoT Regulations in Indonesia
What is the main law governing IoT data in Indonesia?
The main law is the UU PDP (Law No. 27 of 2022), which regulates personal data protection across all digital systems, including IoT.
Do foreign IoT companies need to register in Indonesia?
Yes. Foreign companies must register as a PSE if they provide digital services or process user data accessible in Indonesia.
Is local data storage mandatory?
In certain sectors, yes. PP No. 71/2019 requires data localization for specific types of data, especially related to public services.
What license is required for IoT connectivity services?
A SISKOMDAT license is required for providers offering data communication systems and network-based IoT services.
Are IoT devices required to be certified?
Yes. All telecom-related devices must pass SDPPI certification before being sold or used in Indonesia.
References
- https://tekno.kompas.com/read/2024/10/15/11310077/6-aturan-ini-bikin-indonesia-makin-berdaulat-di-dunia-digital
- https://bpostel.komdigi.go.id/index.php/bpostel/article/view/222
