A Mandate With Thin Compliance
Three months after Indonesia's landmark child-protection regulation for digital platforms entered its enforcement phase, the numbers tell a stark story. As of June 9, 2026, only 64 of Indonesia's thousands of registered Electronic System Providers (PSEs) had submitted self-assessments under Government Regulation 17/2025 — known as PP Tunas — covering 175 of their products, services, and features. The Ministry of Communication and Digital Affairs (Komdigi), led by Minister Meutya Hafid, is now mapping platforms into risk tiers ahead of enforcement action. The message from Jakarta is clear: registration without compliance will not survive the next phase.
What PP Tunas Requires
PP Tunas — the name is Indonesian for "seedling," invoking children — was signed by President Prabowo Subianto on March 28, 2025, and entered legal force on April 1, 2025. Ministerial Regulation (Permenkomdigi) 9/2026, issued March 6, 2026, provided the technical implementation rules, with the first enforcement phase beginning March 28, 2026.
The regulation covers any PSE whose product is "designed for use or access by children, or potentially accessed by children" — a deliberately wide net. Key obligations include:
- Age controls: users under 16 may not hold accounts on designated high-risk platforms; ages 13–17 require parental consent even on lower-risk services
- Data protection by default: no commercial profiling of minors; privacy settings locked to high by default; precise geolocation tracking prohibited
- Content moderation: active removal of violence, sexual exploitation, gambling, and bullying content
- Self-assessment filing: PSEs must submit formal risk assessments to Komdigi evaluating content exposure, contact risks, addiction potential, and parental control availability
The first tranche of platforms designated high-risk — YouTube, Instagram, Facebook, Threads, X, Bigo Live, TikTok, and Roblox — was already directed to deactivate accounts of users under 16 from March 28 onward.
The Child Protection Case Is Real
Regulators did not invent this problem. Indonesian authorities have documented 5.5 million child sexual abuse material cases over four years, with 48% of child social media users reporting cyberbullying and an estimated 80,000 children exposed to online gambling. The argument for requiring platforms to self-assess risk profiles and implement protective features is not abstract. Australia passed similar age-gate legislation in late 2024, and Indonesia is notably the second country globally to implement hard minimum-age access controls at this scale. Treating PP Tunas as reflexive overreach misreads both the evidence and the political moment.
The Gap That Matters
That said, the June 9 data exposes a structural problem. Indonesia's private PSE registry runs to thousands of registered operators. Of these, only 64 filed self-assessments by the June 6 deadline — well below 1% compliance by operator count.
The compliant platforms are, tellingly, the large ones: Netflix, Disney+, HBO Max, Shopee, Tokopedia, Lazada, Roblox, PUBG Online, Free Fire, Mobile Legends, ChatGPT, GoPay, Grab. These companies have compliance functions capable of absorbing new obligations. The gap widens sharply as you move toward smaller domestic developers, gaming studios, educational platforms, and fintech apps — all of whom theoretically fall within PP Tunas's scope if minors plausibly use their products.
Several frictions explain low compliance:
- Scope ambiguity: "potentially accessed by children" is an enormous catchment; many mid-size PSEs may not know they qualify
- Assessment complexity: Komdigi's framework covers content risks, contact risks, addiction risks, and health risks — a multi-dimensional review requiring real internal resources
- Administrative sequencing: the technical ministerial regulation only took effect in late March 2026, giving PSEs under three months to navigate a novel compliance process
Risk-Tier Mapping as the Next Move
Komdigi is now doing what regulators do when voluntary compliance stalls: building an enforcement-ready risk classification. The ministry has signalled it will tier platforms by risk level before deploying sanctions — a sensible approach that avoids applying Indonesia's most powerful enforcement tool, access blocking, to a small app that simply missed a filing deadline.
This matters because Indonesia's track record with blocking is mixed. The 2022 blocking of PayPal and Steam for PSE registration non-compliance caused significant user disruption before both platforms rapidly complied. A blocking-first approach to PP Tunas self-assessment enforcement, applied to platforms with large Indonesian user bases, could inflict collateral harm disproportionate to the child protection benefit. The risk-tier approach offers a more graduated path: high-risk platforms by function, not just by fame, face enforcement first; lower-risk PSEs get more runway.
The Enforcement Design Problem
Here is where Indonesia's approach carries real risk of going wrong. PP Tunas's sanction framework is, by critics' own assessment, comparatively mild — warnings, compliance orders, and access restriction, rather than the AUD 50 million civil fines Australia's framework authorizes. Mild administrative penalties may be insufficient to motivate the long tail of non-compliant PSEs, particularly foreign operators outside Komdigi's direct jurisdictional reach.
The better-designed path forward pairs risk-tier enforcement with tiered financial penalties: binding compliance notices for high-risk platforms, meaningful fines for willful delay, and a realistic grace period for smaller domestic PSEs navigating the assessment process for the first time. Civil society experts, including the Indonesian Child Protection Commission, have already called for stronger enforcement teeth. The question is whether Komdigi can scale compliance without defaulting to blanket blocking authority — a tool that protects children from nothing if the platform goes dark entirely.
What 64 Actually Means
A sub-1% compliance rate sounds alarming, but deserves context. The technical rules only became operative in late March 2026. The platforms that did comply — 64 operators covering 175 products — represent much of the actual child-facing digital surface area in Indonesia. And Komdigi's stated plan to map risk tiers before enforcement suggests the ministry understands sequencing.
PP Tunas is, in design, one of the more thoughtful child-protection frameworks in Asia-Pacific: risk-based, cross-platform, tied to evidence of child access rather than blunt product bans. The real test is execution — whether Komdigi can build a compliance architecture that is predictable enough for platforms to invest in, and robust enough that obligations aren't enforced selectively against high-profile foreign names while hundreds of domestic operators quietly opt out.