Indonesia's Ministry of Communication and Digital (Komdigi) set June 6, 2026 as the deadline for every Electronic System Operator (PSE) in the country to complete a child-safety risk self-assessment and classify itself as low, medium, or high risk. The exercise is mandated by PP 17/2025 — known as PP Tunas, the Government Regulation on the Governance of Electronic System Operations in Child Protection — and its implementing rule, Permen Komdigi No. 9/2026. When the clock ran out, only 19 operators had filed, covering 68 products, services, and features, according to the ministry's own June 8 tally reported by ANTARA. That is 19 out of tens of thousands of registered PSEs.
The filers were the obvious names: Instagram, Threads, Facebook, BigoLive, X, YouTube, TikTok, and Roblox, later joined by services from Netflix to PUBG to Shopee. The long tail of registered operators — local marketplaces, fintech apps, games, forums — simply did not respond. Komdigi has threatened sanctions running up to access termination, but signalled it would defer hard enforcement for a brand-new regime. That restraint is the right instinct. The deeper lesson of the 19 is that the framework's ambition has outrun the compliance capacity it can realistically expect.
The case for the rule is real
Start with the strongest version of Komdigi's position. Indonesia has one of the world's largest and youngest online populations, and the harms the regulation targets — grooming by strangers, exposure to pornography and self-harm content, algorithmic addiction, and commercial exploitation of minors — are concrete, not hypothetical. PP Tunas borrows the logic of the UK's Age Appropriate Design Code and parts of the EU's Digital Services Act: make platforms assess and mitigate risk to children by design rather than after the fact. Minister Meutya Hafid framed it as the state standing with parents who otherwise "have to fight alone" against platform algorithms. As a statement of intent, that is defensible and broadly aligned with the international direction of travel.
The self-assessment instrument is also, on paper, proportionate in shape. Komdigi's framework grades products against seven risk aspects — contact risk, content risk, exploitation of children as consumers, personal-data security, addiction, and psychological and physiological harm — across a detailed indicator set, then sorts platforms by risk tier rather than imposing one rule on everyone. A risk-tiered model is exactly what good regulation should look like: a small low-risk utility should not carry the same obligations as a high-risk social network. From March 28, 2026, the high-risk tier already saw under-16 accounts deactivated on eight named platforms.
Where the design strains
The problem is the gap between that elegant architecture and what operators can actually do with it. Three issues stand out.
First, the technical parameters are not yet transparent. Indriyatno Banyumurti of ICT Watch has warned that without published, detailed scoring guidance, risk classification will be inconsistent across platforms — two similar apps could land in different tiers depending on how they read an ambiguous indicator. When the grading rubric is unclear, a self-assessment becomes a guess with legal consequences attached. That uncertainty falls hardest on small and mid-sized domestic operators without compliance teams, which is precisely the cohort that stayed silent.
Second, the timeline was compressed. Operators had roughly three months from the implementing regulation's March 2026 issuance to the June 6 deadline. Industry observers quoted by Readers.id called that window unreasonably tight given the unresolved ambiguity. A 19-filer result is not evidence of mass defiance; it is evidence that most operators could not complete a 58-point assessment, against criteria they could not fully interpret, in the time allowed.
Third, the all-PSE scope collides with enforcement reality. Komdigi insisted the duty applies to every operator "regardless of whether services are global or local." Universality is the fair principle, but a rule that nominally binds tens of thousands while only the largest 19 comply creates selective, discretionary enforcement — the kind that chills smaller and foreign entrants without measurably protecting children. Amnesty International Indonesia's Usman Hamid has separately cautioned that overly restrictive rules can push young users toward unsafe, hidden access rather than off the platforms entirely.
A more proportionate path
None of this argues against child-safety-by-design. It argues for sequencing the regime to match capacity, so the rule actually lands.
- Publish the scoring rubric in full. A self-assessment is only as good as the criteria behind it. Releasing weighted, worked examples for each of the seven aspects would convert guesswork into compliance.
- Phase by risk and size. Mandate filing first from the high-risk, high-reach platforms — which already complied — and give smaller, lower-risk domestic operators a longer, supported runway with template tooling.
- Make deferral a stated policy, not a one-off mercy. Komdigi's decision to hold back sanctions is wise; codifying a good-faith grace period would give the market predictability instead of the chilling effect of an open-ended threat.
The ministry deserves credit for not reaching immediately for access termination. The 19 filers are not a compliance failure to be punished — they are a measurement of how much regulatory infrastructure still has to be built before PP Tunas can be enforced fairly. Build that scaffolding first, and the second deadline will look very different from the first.