Indonesia is now treading a similar path. Since 2022, we have enacted the Personal Data Protection (PDP) Law. Often called “Indonesia’s version of the GDPR,” the PDP Law officially takes effect in October 2024. It promises citizens fundamental rights over their data, including the right to know how it is used, the right to access it and the right to erase it.

Yet for many, these promises remain unfulfilled. The data protection authority has not been established. Technical guidelines are still pending. Meanwhile, breaches continue to make headlines.

At the same time, the government is deliberating the Cybersecurity and Resilience (KKS) bill, expected to pass by the end of 2025. It introduces mandatory incident reporting within hours, an essential step toward transparency. Had this been in place during last year’s National Data Center (PDN) outage, the public would have received clear and timely information.

The stakes could not be higher. Daily life now depends on digital systems. When they fail, society grinds to a halt. The National Cyber and Encryption Agency (BSSN) recorded 3.64 billion cyberattacks or traffic anomalies in Indonesia from January to July 2025, almost equal to the total number over the past five years. This is a reminder that cyber resilience is not jargon, but a condition for survival.

The KKS bill covers critical information infrastructure across strategic sectors: banking, health care, transport, energy and government services. Disruptions in these areas could undermine public services, defense, security and the economy.

Oversight will fall to the BSSN, which will hold sweeping sanctioning powers. Many believe such authority must be balanced with transparency and checks and balances. Independent experts and civil society could be part of the equation, lest oversight itself become unchecked.

This is where the PDP Law and the KKS bill, once passed, must stand as twin pillars. The PDP Law protects content: citizens’ personal data and rights. The KKS law safeguards the vessel: the systems that carry public services. One speaks of privacy, the other of stability. Both matter only if they move together. If the PDP falters, rights are ignored. If the KKS bill overreaches, privacy risks erosion in the name of security.

Europe offers a useful model. GDPR is enforced by independent data protection authorities. NIS 2 relies on coordination and strict incident reporting. They stand side by side, reinforcing one another without undermining either.

Indonesia must do the same. Consider a cyberattack on a bank that exposes customer data. Under the PDP, customers should be promptly notified so they can protect themselves. Under the KKS, communication must be carefully managed to avoid panic that could destabilize financial markets. Without synchronization, these imperatives could create confusion.

The urgency is real. Ransomware attacks on financial institutions and the paralysis of government data centers are warnings. This is not just technical, it is about trust. Without trust, citizens lose confidence their data is safe, and businesses question whether the system can sustain the digital economy.

For businesses, the KKS will be more than a compliance checklist; it will be a maturity test. They must prepare for audits, sanctions and mandatory incident reporting. More importantly, they must embrace transparency. No more hiding behind fine print, no more concealing breaches, no more delays in response. Cybersecurity and good governance are now survival requirements.

For the public, these laws bring hope that rights are not only written into law but realized in practice, hope that threats are swiftly resolved and essential services continue to run, and ultimately hope that Indonesia’s digital space becomes one worthy of trust.

But sovereignty is not only domestic. Cyberattacks cross borders. Digital infrastructure is often foreign-owned. The KKS therefore carries geopolitical weight. Defending against external threats is as crucial as reducing reliance on foreign systems. Yet sovereignty must not be mistaken for unchecked state power. True sovereignty is also about protecting citizens’ rights.

We now stand at the threshold of Indonesia’s digital sovereignty. This dawn carries both promise and questions. Will the state wield its authority for the people? Will businesses uphold stricter standards of transparency? Will citizens’ rights remain at the center of our digital future?

Digital regulation is, at its heart, an architecture of trust. Privacy and security are not opposing poles, but two sides of the same coin. If one weakens, the digital sphere collapses.

Indonesia faces a decisive moment. The PDP Law is enacted but incomplete without implementing regulations. The KKS bill is in preparation but still requires more time and consideration.

If both advance together, Indonesia may welcome the dawn of digital sovereignty: a digital realm that is safe, trusted and grounded in human rights. If not, the dawn will turn gray, glorious in vision, yet gone by day.

---

The writer is a legal and corporate secretary at Bank DBS Indonesia. The views expressed are personal.