It is reported that websites and apps in Indonesia are frequently blocked for hosting what the government defines as “negative” content or for not complying with national regulations. For instance, in 2021, the Ministry of Communication and Information Technology (Kominfo) blocked the platforms Snack Video, TikTok Cash, and VTube on the grounds that they engaged in financial and other services without Financial Services Authority (OJK) licensing. In July and August 2022, Kominfo blocked access to major sites, including Yahoo, the gaming service Steam, and the payment processor PayPal, for several days. These sites were unblocked after complying with registration requirements under MR 5/2020. Additionally, between 2016 and July 2020, the film and television streaming service Netflix was inaccessible to Telkom Indonesia and Telkomsel customers despite the absence of a formal blocking notification from Kominfo. In September 2023, Kominfo blocked TikTok Indonesia. The Ministry of Trade stated that it is working to further regulate e-commerce, emphasising that transactions on social media platforms are not permitted in the country.

According to the Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Operators, foreign Private Electronic System Operators (ESOs) are required to register their businesses with the relevant ministry through the online single submission system. ESOs should also appoint liaison officers, who have to be domiciled in Indonesia. The duty of the liaison officer is to facilitate any access request by government authorities and takedown requests. According to the regulation, ESOs are persons, business entities, or communities that operate an electronic system. ESOs include electronic system operators that are supervised by ministers or institutions in accordance with laws and regulations and electronic system operators that have an online portal, site, or application through the Internet. The requirement was first enacted with Government Regulation No. 71/2019 regarding the Provision of Electronic Systems and Transaction which repealed the Government Regulation No. 82 of 2012.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.

Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.

Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).

Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors, and relevant parties that process personal data are given a two-year transition period following the enactment of Law No. 27, which is up to 17 October 2024, to conform to it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27, and any noncompliance thereto may possibly be enforced.

Indonesia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market (Art. 8 of the Government Regulations No. 52 regarding Telecommunications Operations).

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.

In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centres and disaster recovery centres in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorisation from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorisation provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centres and/or disaster recovery centres outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia so that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centres and/or disaster recovery centres outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorisation from OJK. Banks may apply for an authorisation on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection.
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase its role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centres and process electronic transactions in Indonesia.

Art. 35 of Bank Indonesia Regulation No. 22/23/PBI/2020 requires domestic processing of initiation-authorisation-clearing-settlements phases of payment transactions for instruments issued by Indonesia's payment service provider and conducted within the territory of the Republic of Indonesia. Indonesia opens the possibility of such payment transactions being processed outside of Indonesian territory for the purpose of global reconciliation, integrated risk management system, and anti-money laundering. However, this is subject to Bank Indonesia's approval.

Art. 20 of Regulation No. 71 provides that public electronic system operators (ESOs) are required to manage, process, and/or store electronic systems and electronic data in the territory of Indonesia, except if the technology is not yet available. Private ESOs can manage, process, and/or store electronic systems and electronic data in Indonesia and/or outside the country (Art. 21). However if management is carried out outside, it must ensure the effectiveness of supervision by the ministry, etc.
Art. 1 contains several key definitions:
- Electronic system: a set of electronic equipment and procedures that have the function of preparing, collecting, processing, analysing, storing, displaying, announcing, delivering, and/or disseminating electronic information.
- ESO: any persons, state administrators, business entities and the public that provide, manage and/or operate an electronic system individually or jointly to electronic system users for its own interests and/or the interests of another party.
- Public ESO: an electronic system operation by a state administrator agency or institutions appointed by a state administrator agency.
- Private ESO: an electronic system operated by a person, business entity, and the public.
With the entry into force of Regulation No. 71, Regulation No. 82 was repealed and declared null and void. Under Art. 17 of Regulation No. 82, ESOs for public services had to establish data centres and a disaster recovery centre in Indonesia, impacting many private sector companies.

Art. 21 of Government Regulation No. 46/2020 mandates that the health data should be stored in Indonesia.

Under Art. 23 Regulation No. 4/05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption of this obligation may only be applicable after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.

Under Arts. 7, 11, 14 and 18 of Bappebti Regulation No. 8/2021, the stakeholders of crypto asset trade (i.e., futures market, futures clearing institution, crypto asset physical trader, and crypto asset depository manager) are obligated to place their disaster recovery centre as well as a server or cloud server within Indonesia. The disaster recovery centre must be located within a maximum distance of 20 km from the main server. A crypto asset is defined as a digital, intangible commodity that utilises cryptography, information technology networks, and distributed ledgers to create new units, verify transactions, and secure them without third-party intervention.