Annex I of Regulation 3/2021 mandates that providers of electronic certification and digital signature services establish their systems within the territory of Indonesia.

Under Arts. 7, 11, 14 and 18 of Bappebti Regulation No. 8/2021, the stakeholders of crypto asset trade (i.e., futures market, futures clearing institution, crypto asset physical trader, and crypto asset depository manager) are obligated to place their disaster recovery centre as well as a server or cloud server within Indonesia. The disaster recovery centre must be located within a maximum distance of 20 km from the main server. A crypto asset is defined as a digital, intangible commodity that utilises cryptography, information technology networks, and distributed ledgers to create new units, verify transactions, and secure them without third-party intervention.

Art. 349.7 of the Law on Health requires that the international transfer of personal data managed by organisers of health information systems may only be carried out for specific and limited purposes, and must be subject to the approval of the central government. In addition, pursuant to Art. 966 of Government Regulation No. 28, organisers of health information systems are obliged to locate their data centres within the territory of Indonesia and to ensure their integration with the Indonesian national data centre. Additionally, Art. 970 stipulates that the transfer of health data and health information between organisers of health information systems must be conducted through the national health information system.
Government Regulation No. 28 repealed Government Regulation No. 46 of 2014, which, under Art. 21, required that health data be stored within the territory of Indonesia.

Indonesia has adopted the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Art. 56 of Law No. 27 on Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if the recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure an adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.

Government Regulation No. 71/2019 mandates that providers of bespoke software must either provide or escrow the source code associated with their services. This requirement has been in effect since the introduction of Government Regulation No. 82/2012, which was later replaced by Regulation No. 71/2019.

Law No. 30 of 2000 provides a framework for effective protection of trade secrets.

It is reported that there is an obligation for passive infrastructure sharing in Indonesia to deliver telecom services to end users.

According to Presidential Regulation No. 10/2021, the telecommunications sector was liberalised, allowing full foreign ownership of telecommunication service providers and telecommunication towers. However, according to Art. 1.2 and 77 of the State-owned Enterprises Act 19/2003, there is a limit of 49% on the shares that can be acquired by foreign investors in government-controlled firms. This includes foreign participation in state-owned entreprisese (SOEs) in the telecommunication sector, as regulated in Government Regulation No. 15/2013, amended by Government Regulation No. 41/2021.

The Government of Indonesia holds a majority equity stake in the telecommunications company Telkom Indonesia, owning approximately 52% of its shares.

Indonesia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that Indonesia lacks a telecommunications authority whose decision-making process is independent of the government. In general, matters relating to telecommunications are regulated and supervised by the Ministry of Communication and Digital.

In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centres and disaster recovery centres in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorisation from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorisation provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centres and/or disaster recovery centres outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia so that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centres and/or disaster recovery centres outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorisation from OJK. Banks may apply for an authorisation on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection.
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase its role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centres and process electronic transactions in Indonesia.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.