On June 1, 2026, Indonesia formally joined the 50-in-5 campaign — a country-led initiative backed by UNDP, the World Bank, and the Gates Foundation that aims to help 50 nations build interoperable digital public infrastructure by 2028. Jakarta's accession makes it the 37th member of a coalition that includes Estonia, Singapore, Bangladesh, and Rwanda. Indonesia pledged three DPI pillars: the Identitas Kependudukan Digital (IKD) national digital ID, the QRIS and BI-FAST payment rails, and the Sistem Penghubung Layanan Pemerintah (SPLP) government data connector, which already links 447 public institutions as of April 2026.
For a country of 280 million citizens spread across 17,000 islands, infrastructure interoperability is not an abstraction. Remote communities in Papua and Kalimantan access government services far less reliably than residents of Jakarta or Surabaya. Done right, DPI can compress that gap — which is why Indonesia's commitment deserves to be taken seriously, and why the gaps in execution deserve honest scrutiny.
The Genuine Win: QRIS
The strongest part of Indonesia's DPI story is its payment system. QRIS — the QR code standard mandated by Bank Indonesia in 2019 — has reached 58 million users and processed more than 10.33 billion transactions, with 41 million merchants enrolled, the majority of them micro, small, and medium enterprises. Cross-border QRIS interoperability is live with Thailand, Malaysia, Singapore, Japan, and China. This is not aspirational; it is a functioning, scaled network that has moved MSMEs into the formal financial system faster than any predecessor programme.
That success matters for this conversation because it demonstrates Indonesia can build DPI that reaches the population at scale. QRIS succeeded by mandating a single interoperable QR standard rather than permitting fragmentation, and by building on existing smartphone infrastructure rather than requiring new devices. That is the correct DPI model: open at the infrastructure layer, competitive above it.
The Stretch Goal: Digital ID at Under 7%
IKD is a more complicated story. As of May 19, 2026 — days before the 50-in-5 announcement — Indonesia reported 19.35 million activated IKD accounts. Against a population of roughly 280 million, that is under 7% penetration. The government's stated target is 50 million users, to be reached through expanded digital onboarding using face recognition and liveness detection.
There are genuine grounds for optimism. SIAK, the underlying civil registration database, covers the full population. By April 2025, 7,010 institutions — banks, local governments, universities — had signed data-use agreements with Dukcapil (the civil registry directorate), creating real demand-side pull for IKD activation. A social protection pilot in Banyuwangi compressed beneficiary verification timelines from 75–200 days down to 1–6 hours. These results are real and reproducible.
But scaling from 7% to 50% means reaching the populations hardest to serve: rural elderly citizens, low-literacy users, and the approximately 60 million Indonesians without reliable internet. Early adopters self-select; the next cohort does not. That phase requires assisted digital onboarding at significant scale — something the current rollout has not yet demonstrated.
The Security Track Record
Any honest assessment of Indonesia's DPI readiness must address June 2024. On June 20 of that year, attackers using a LockBit variant called Brain Cipher hit Indonesia's Temporary National Data Center (PDNS) in Surabaya. The attack disabled 282 public services, disrupted passport processing for 60,000 citizens, and shuttered 431 immigration checkpoints for days. The most damning revelation was not the attack itself — ransomware strikes government infrastructure globally — but what the post-incident audit found: 98% of the data held in one of the two compromised facilities had no backup. Backup capacity existed at the data centers, but using it was optional, and most agencies skipped it for budget reasons.
President Joko Widodo ordered a datacenter audit and mandated backups going forward. But a mandate issued under crisis conditions and an operationally verified change in practice are different things. As of mid-2026, no published third-party assessment confirming remediated backup protocols across Indonesia's national data centers has appeared. That absence is significant when the next DPI target is a 50-million-person biometric identity system.
The Governance Gap: Law in Force, Enforcer Absent
Indonesia enacted its first comprehensive Personal Data Protection statute — UU PDP (Law No. 27 of 2022) — after a decade of fragmented sector rules. The two-year transition period ended in October 2024, making the law operative. But the independent Data Protection Authority (DPA) mandated by UU PDP has not been established. Enforcement powers sit temporarily with the Ministry of Communication and Digital Affairs — the same ministry responsible for promoting digital adoption. That is a structural conflict of interest at precisely the wrong moment. Citizens activating an IKD account submit biometric face data and liveness confirmation. That data collection requires independent oversight with real sanctioning authority — not a promotional ministry holding a temporary brief.
Build on the Wins; Sequence the Rest
The right policy frame here is not skepticism about DPI — it is sequencing. Indonesia has earned its 50-in-5 membership on payments. QRIS is a genuine regional model that other ASEAN economies are studying. The commitment to host the Global DPI Summit 2027 in Bali reflects real institutional ambition.
But the next phase of IKD expansion should be conditioned on two deliverables: the formal establishment of an independent DPA with real enforcement powers under UU PDP, and published third-party confirmation that post-PDNS backup and resilience protocols are operational across all national data centers. Scaling biometric identity collection to 50 million citizens before those conditions are met adds surface area to a foundation that has already cracked under pressure.
Indonesia has the population, the institutional architecture, and the demonstrated payment-layer execution to become a genuine DPI model for the Global South. The 50-in-5 commitment is the right signal. The harder, less ceremony-friendly work — building the governance infrastructure that makes the technical infrastructure trustworthy — is what determines whether Jakarta's DPI story ends as a regional model or a cautionary tale.