Indonesia’s Online Child Safety Rules – what’s next

On 9 June 2026, Indonesia’s Ministry of Communication and Digital Affairs (MOCD) announced that 64 Electronic System Operators (ESOs) had submitted self-assessments for 175 products. These included, among others, streaming platforms Netflix, Disney and Vidio; game publishers Roblox, PUBG and Mobile Legends; e-commerce sites Tokopedia, TikTok Shop, Lazada and Shopee; and payment systems Dana and GoPay.

The MOCD used the opportunity to issue a media release (linked here) reminding other ESOs to comply with the online child safety rules now in effect or face being classified as high-risk platforms.

Regulatory background

As discussed in our June 2025 bulletin, Government Regulation No. 17 of 2025 on Governance of Electronic System Operations in Child Protection (the Online Child Safety Regulation), which is often referred to as PP Tunas, introduced a structured governance framework requiring ESOs to protect children that are using internet-connected products, services and features (collectively, Products).

Following the end of the 12-month transitional period, the Online Child Safety Regulation is now in full effect, with the MOCD having issued four implementing regulations – Regulation No. 9 of 2026 (Regulation 9/2026), Decree No. 140 of 2026 (Decree 140/2026) and Decree No. 142 of 2026 as amended by Decree No. 219 of 2026 (Decree 142/2026).

There are three key features of Indonesia’s online child protection regime – products that are in scope, use of a risk-based approach, and an under-16 social media ban.

In-scope Products

The Online Child Safety Regulation applies to ESOs that develop and/or operate Products which (a) are specifically designed for children’s use or access, or (b) could be used or accessed by children based on certain indicators (e.g. internal documentation indicating that the Products are intended for children, or strong evidence that a significant portion of regular users are children).

To assess whether a Product falls under category (b), Decree 142/2026 sets out a self-assessment mechanism consisting of a series of binary (yes/no) questions for each indicator, e.g. whether the Product is designed to attract children, and whether a substantially similar Product has been proven to be used or accessed by children. A Product falls within this scope if it meets at least one of the prescribed indicators.

Risk-based approach

ESOs must self-assess whether their Products pose a high or low risk to children by referring to indicators of seven aspects:

1. interaction with unknown individuals;
2. exposure to pornographic content, content on violence, content which is life-threatening, and other content not suitable for children;
3. exploitation of children as consumers;
4. threats to security of children’s personal data;
5. addiction;
6. psychological disturbance; and
7. physiological disturbance.

Decree 142/2026 contains the mechanics for this self-assessment, with each indicator broken down into weighted sub-questions answered “yes/found” or “no/not found”. The aggregate weighted score determines the Product’s risk classification, with the MOCD making the final determination.

A Product scoring above 50% in any one of these seven aspects will be classified as “high-risk”, bringing significant regulatory consequences, since children under 16 are not permitted to register for high-risk Products.

Under-16 social media ban

Through Regulation 9/2026 and Decree 140/2026, the MOCD initially designated eight networking services and social media platforms as high-risk – Instagram, Facebook, Threads, TikTok, YouTube, Bigo Live, Roblox, and X. These eight ESOs were required to gradually deactivate accounts held by children under the age of 16 years old, commencing from 28 March 2026.

This high-risk classification could later be revised if the ESO self-assessment and the MOCD’s subsequent determination conclude otherwise.

What happens next

• ESO submits self-assessment. As noted, the MOCD has called on other ESOs to submit their self-assessments to avoid having their Products automatically categorised as high-risk platforms and potentially facing administrative penalties. ESOs should carefully assess whether their Products are either designed for children’s use or access, or could be used or accessed by children, using the questions in Decree 142/2026 as guidance. ESOs should note that one indicator is whether a substantially similar Product has been proven to be used or accessed by children.
• MOCD makes determination. The MOCD has indicated that it will review submissions in the order they are received, and ESOs can expect clarification questions from the MOCD before it makes its determination. ESOs must respond to the MOCD’s questions within seven days, and the MOCD will inform the ESO of its final determination within three days after their risk profile is determined. That final determination will also be made public.
• Age verification. ESOs falling within the scope of the Online Child Safety Regulation must implement technical and operational measures to verify users’ age, using either internally developed or third-party technology. While Regulation 9/2026 allows the MOCD to determine technology deemed reliable for this purpose, no specific guidance has been issued to date.
• Annual reporting. Under the Online Child Safety Regulation, ESOs must report to the MOCD at least annually on their digital education and “ecosystem empowerment” initiatives. The MOCD has not yet specified the scope or format of this reporting requirement.

Conclusion

Indonesia’s online child safety regime is now fully operational, requiring ESOs to take a proactive, risk-based approach to assessing and mitigating potential harm to children across their Products. ESOs face increased regulatory scrutiny, with mandatory self-assessments and compliance obligations that include age verification and ongoing reporting.

If they have not already done so, ESOs should review their Product portfolios to determine whether they fall within the scope of the Online Child Safety Regulation, and complete any required self-assessments without delay.

In parallel, businesses should implement appropriate age verification and child safety safeguards, and be prepared for ongoing engagement with the MOCD.

Early engagement and a structured compliance strategy will be critical to avoiding high-risk classification and potential administrative penalties.

(The authors thank Angeline Emily for her research assistance in preparing this alert.)