Penetration Testing & Compliance in Indonesia: OJK, UU PDP, and ISO 27001
In Indonesia, penetration testing is increasingly expected — and in regulated sectors effectively required — by a combination of the Personal Data Protection Law (UU PDP), Financial Services Authority (OJK) rules, and international standards such as ISO 27001 that Indonesian customers demand. No single statute mandates a pentest for every business, but if you handle personal data or operate in finance, regular testing is how you demonstrate due diligence.
This article is general guidance, not legal advice. Confirm your specific obligations with qualified counsel.
UU PDP — the Personal Data Protection Law
Indonesia’s UU PDP (Undang-Undang No. 27 Tahun 2022) requires organizations that process personal data to implement appropriate technical and organizational security measures. It does not list “penetration testing” by name, but regulators and auditors widely treat regular security testing as evidence that your controls actually work. If a breach occurs, being able to show a recent, independent penetration test supports your due-diligence position.
OJK — financial sector
The Otoritas Jasa Keuangan (OJK) sets IT and cyber risk-management expectations for banks, digital banks, fintech lenders, and other financial institutions. These frameworks expect regular security assessments, including penetration testing of critical and internet-facing systems, often on an annual basis and after major changes. The exact requirement depends on your institution type and the current POJK in force, so verify the specific regulation that applies to you.
ISO 27001 and customer-driven requirements
Many Indonesian companies pursue ISO/IEC 27001 certification — sometimes because a customer or partner demands it. While ISO 27001 does not mandate penetration testing in those exact words, its control set (and the supporting ISO 27002 guidance on technical vulnerability management) makes regular testing the practical way to satisfy auditors. The same is true for SOC 2 if you serve international clients.
BSSN and national cybersecurity
The Badan Siber dan Sandi Negara (BSSN) publishes national cybersecurity guidance and standards. Organizations operating critical information infrastructure should track BSSN expectations alongside sector regulators.
What this means in practice
If any of the following describe you, you should be running penetration tests on a regular cadence:
- You handle personal data of Indonesian users (almost every digital business).
- You operate in the financial sector or are supervised by OJK.
- You are pursuing or hold ISO 27001 / SOC 2.
- A customer’s security questionnaire asks for a recent independent test.
A clean, recent penetration test report is one of the most efficient ways to answer all of these at once. See how we structure ours on the services page, or get in touch to scope an engagement aligned to your compliance needs.
Frequently asked questions
Is penetration testing legally required in Indonesia?
There is no single law that names 'penetration testing' for every company. However, several frameworks effectively require it: OJK rules for financial-sector institutions, the security obligations of the Personal Data Protection Law (UU PDP), and certifications like ISO 27001 that customers demand. In practice, regulated and data-handling businesses are expected to test.
Does UU PDP require penetration testing?
UU PDP (Law No. 27 of 2022) requires data controllers to protect personal data with appropriate security measures. While it does not name penetration testing explicitly, regular testing is a widely accepted way to demonstrate that those measures are effective.
What does OJK require for fintech and banks?
OJK regulations on IT and cyber risk management for financial institutions and digital banks expect regular security assessments, including penetration testing of critical systems. Specific obligations depend on the institution type and the current POJK in force.