In formulating the objectives of cybersecurity and cyber resilience, the bill still places excessive emphasis on a state-centered approach, prioritizing the protection of national interests, and lacks any reference to individual protection. Every cyber threat and attack that occurs ultimately affects individual citizens as primary victims.

Furthermore, the bill also carries legal uncertainty in the governance of cybersecurity and cyber resilience, particularly concerning the regulation of providers of products with digital elements (PDE), which overlaps with electronic system providers (PSEs) as regulated in the Law on Electronic Information and Transactions (ITE Law).

The uncertainty is not only in the area of regulation but also in enforcement, which involves supervisory agencies in each sector. This overlap may cause administrative friction and conflict, potentially disrupting the public’s ability to enjoy a safe and secure digital environment.

Another issue is the regulation of artificial intelligence, including a code of ethics. We understand that legislation constitutes an essential infrastructure for developing the technology, so it must adopt and optimize AI and provide related standardization.

However, the emphasis should not rest on ethical standards, considering that ethics belongs to the realm of soft law. As one of the approaches to AI governance, ethics is, by nature, based on voluntarism. Therefore, state recognition of ethical principles should not be formalized through a legally binding regulation.

The bill also conflates cybersecurity policy with cybercrime when in fact, cybersecurity legislation should strictly describe the implementation of technical measures designed to secure computer systems from attacks and system failures.