According to Art. 4 of the Ministry of Communication and Information Technology (MCIT) Regulation 13/2021, all 4G-LTE and 5G-enabled devices since April 2022 to contain 35% local content (while previously it was set at 30% in the Ministry of Communication and Information Technology (MOCI) Regulation No. 27/2015) and all 4G-LTE and 5G base stations to contain 40% local content. Ministry of Information's Regulation 29/2017 provides a formula for calculating “local content".

According to the Ministry of Communication and Information Technology Regulation No. 6/2017 , IPTV providers shall prioritise and are required to provide Internet Protocol Set-Top-Boxes with a minimum local content requirement of 20%, with the amount rising to 50% within five years of starting operations in Indonesia. Furthermore, the IPTV operator shall provide at least 10% of domestic content during its broadcasting services, 30% during its multimedia services, and "the number of domestic, independent content providers contributing to the implementation of IPTV services shall be at least 10% of the number of content providers in the content library of the organiser and gradually increase to 50% within five years.

Ministry of Communications and Information Technology Regulations No. 7/2009 and No. 19/2011 require that equipment used in certain wireless broadband services contain local content of at least 30% for subscriber stations and 40% for base stations and that all wireless equipment contains 50% local content. Although there are reports about the regulations, it was not possible to find the regulatory text.

It is reported that, according to Ministry of Communications and Information Technology (MCIT) Regulation 4/2019, all TV and set-top boxes based on digital video broadcasting-terrestrial second generation and internet protocol set-top boxes must contain at least 20% local content. Despite reports about these regulations, the regulatory text could not be located online.

It is reported that Ministry of Communications and Information Technology (MCIT) Regulations 9/2019 and 10/2019 mandate that wavelength division multiplexing and internet protocol network devices adhere to local content requirements. Industry stakeholders have expressed ongoing concerns regarding the Ministry of Information's (MOI) reluctance to engage in dialogue on local content requirement (LCR) policies with stakeholders. Despite reports about these regulations, the regulatory text could not be located online.

Government Regulation No. 46/2021, which replaces Government Regulation No.52/2000, stipulates that a certificate of approval is required for IT and telecommunication equipment to be sold or imported into the Indonesian market. The certificate of approval is issued by the Directorate General of Resources and Equipment for Post and Information Technology (SDPPI). The SDPPI Kepdiejen Postel No. 3/2020 allows third-party certification from Conformity Assessment Bodies (CABs) from a number of countries.
In-country testing at an SDPPI laboratory of two randomly selected equipment samples is required for radio frequency and telecommunications equipment before the SDPPI issuance of the certificate SDPPI Decision No. 36 issued in January 2020 includes a list of the 150 international test labs that it recognises.

The Government Regulation (GR) No. 28 of 2021 on the Implementation of the Industrial Sector includes requirements governing conformity assessment to Indonesian national standards (“SNI”) for a wide variety of consumer goods, including electronics. It has been reported that testing laboratories and conformity assessment bodies have been told to halt certification until the Minister of Industry issues implementing guidance for GR 28/2021. This standstill has resulted in the halting of imports that use the SNI scheme, which requires testing per shipment. Additionally, GR 28/2021 requires that all steps of product testing be conducted by an Indonesian national residing in Indonesia, further complicating product sample collection amid ongoing travel restrictions.

There is a limit of 49% on the shares that can be acquired by foreign investors in government-controlled firms. This includes foreign participation express delivery services SOEs sector as regulated in the Government Regulation No. 15/2013 as amended by the Government Regulation No. 46/2021.

Companies have reported that, in some cases, the Ministry of Information is informally limiting import quantities under existing licenses (issued under the Ministry of Information's Regulation 108/2012) to protect locally manufactured cell phones, handheld computers, and tablets.

The Ministry of Trade Regulation 38/2013 imposes requirements on importers of mobile phones, handheld computers, and tablets to prove previous import activities and local aftersales activity, as well as requirements regarding the distribution and the establishment of industrial activity in Indonesia. In addition, the Ministry of Industry Regulation 68/M-IND/PER/9/2016 includes new licensing requirements for different types of importers of tablets, cellular phones, and handheld computers. These differ depending on:
- whether the importer is working with an Indonesian producer,
- whether the importer is also the producer of the goods,
- whether the imports are conducted with a specific purpose (i.e., specialised orders) or concerning after-sales services.

Government Regulation No. 80/2019 states that domestic or foreign e-commerce platforms that operate in Indonesia should store data for at least 10 years for financial transactions and 5 years for non-financial transactions since the data were collected.

Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing that is specific in nature and/or related to criminal conduct.
Additionally, while Regulation No. 20 do not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.

According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incur. Such provision provides the meaning of 'risk management', which is conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system it manages.

Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.

The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person that is considered harmful to national interest and security should be based on the Head of State Intelligence Agency's order. The Law broadly authorises the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including to collect information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on the Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in cooperation with a law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.