A Look at How Countries Regulate Cybersecurity

A Comparison: European Union, Singapore, and Indonesia

A snapshot of where countries stand in terms of national cybersecurity engagement

Legal Measures

The existence of legal institutions and frameworks dealing with cybersecurity and cybercrime: (1) criminal legislation; (2) cybersecurity regulations; (3) cybersecurity compliance and training.

Technical Measures

The existence of technical institutions and frameworks dealing with cybersecurity: (1) CIRT/CERT/CSIRT; (2) standards and certifications for organizations and professionals.

Organizational Measures

The existence of policy coordination institutions and national strategies for cybersecurity development: (1) strategy; (2) responsible agency; (3) cybersecurity metrics.

Capacity Building

The existence and number of research and development, education and training programs, certified professionals, and public sector agencies: (1) standardization bodies; (2) R&D programs; (3) public awareness campaigns; (4) professional training courses; (5) national education and curricula; (6) incentive mechanisms; (7) home-grown cybersecurity industry.

Cooperation

The existence and number of partnerships, cooperative frameworks, and information sharing networks: (1) intra-state cooperation; (2) intra-agency cooperation; (3) public-private partnership; (4) international cooperation; (5) multilateral agreements.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No. 108)

The convention is the first legally binding international instrument in the data protection field. It applies to all data processing carried out by both the private and public sectors, including data processing by the judiciary and law enforcement authorities. It seeks both to protect individuals and to regulate the trans-border flows of personal data.

1/28/1981

1995 Data Protection Directive 95/46/EC

The directive sets out the framework for data protection regulation in the European Union. It regulates and strictly limits the processing, including the collection, use, storage, disclosure, and destruction of personal data about individuals, both by automated means (e.g., a computer database of customers) and data contained in or intended to be part of non-automated filing systems (traditional paper files).

12/13/1995

Regulation No 460/2004 on the Establishment of the European Network and Information Security Agency (ENISA)

The Agency works closely with EU Member States, the European Commission, and other stakeholders to provide advice and solutions on matters of network and information security and to improve their cybersecurity capabilities. It also supports the development of a collaborative response to large-scale cross-border cybersecurity incidents or crises, and it has been developing cybersecurity certification schemes since 2019.

3/10/2004

2013 EU Cybersecurity Strategy: An Open, Safe, and Secure Cyberspace

It is the cornerstone of the common cybersecurity policy in the European Union. It is also the first text to openly use the term “cybersecurity”. Member States are directed to establish a national Computer Emergency Response Team (CERT) and a competent cybersecurity authority to represent the country in European-level discussions.

2/7/2013

The Cybercrime Directive (2013/40/EU)

The Directive is designed to approximate the criminal law of the EU Member States in the area of attacks against information systems by, among other things, establishing minimum rules concerning the definition of criminal offences.

1/1/2013

electronic IDentification, Authentication and trust Services (eIDAS Regulation 910/2014)

The regulation repeals and replaces the Electronic Signatures Directive 1999/93/EC. It is the first European regulation to approach cybersecurity topics from a solution standpoint, establishing the conditions for the development of electronic identification and trust services and creating standards for the creation and verification of signatures. It establishes measures for national electronic identification schemes, electronic signatures, electronic seals, time stamping, electronic delivery services, and website authentication.

7/23/2014

Network and Information Security (NIS) Directive 2016/1148

The Directive clarifies and complements some of the NIS rules. It aims to ensure a high and common level of security for the networks and information systems of the EU through the implementation of a cyber-resilience program with three major components: 1) robust cybersecurity defenses; 2) preventive measures against cyber risks; 3) incident management and reporting systems and tools. It applies to two categories of central players: digital service providers (DSPs) and operators of essential services (OES), to be defined and listed by each Member State. It also led to the creation of the NIS Cooperation Group among Member States, coordinated by ENISA, to support and facilitate strategic cooperation and the exchange of information on risks and network and information system security incidents.

7/26/2016

General Data Protection Regulation 2016/679

The regulation established protections for the privacy and security of personal data about individuals in European Economic Area (EEA)-based operations and in certain non-EEA organizations that process personal data of individuals in the EEA. The preamble of the GDPR states: "The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons."

4/14/2016

Convention 108+

Convention 108+ contains important innovations. It consolidates the proportionality requirement for data processing and strengthens the data subjects' arsenal of rights. It requires notification of security breaches and reinforces the responsibility of those in charge of data processing. It strengthens the supervisory authorities' independence, powers, and means of action. It also strengthens the mechanism for ensuring its effective implementation by entrusting the Committee established by the Convention with the task of verifying Parties' compliance with their commitments.

10/10/2018

2019 Cybersecurity Act 2019/881

The Act is the second cornerstone of EU legislation on cybersecurity, raising awareness of the new needs in terms of cybersecurity, resilience, and cooperation in the EU. The Act promotes two main points: the European Cybersecurity Certification Framework, which provides companies with EU-wide certification schemes through a comprehensive set of rules, technical requirements, standards, and procedures, and the strengthening of the European Network and Information Security Agency (ENISA), the official European Union Agency for Cybersecurity.

6/27/2019

2020 EU Cybersecurity Strategy for Digital Decade

This second strategy aims to ensure a global and open Internet with strong safeguards in the event of risks to European citizens' security. It is a major update to the first EUCSS, with the primary goal of implementing and promoting three areas of EU action: 1) increasing resilience, technological sovereignty, and leadership; 2) increasing operational capacity to prevent, deter, and respond; 3) advancing a global and open cyberspace through increased cooperation. The most well-known change announced was the NIS 2 Directive, an upgrade and update to the NIS Directive.

12/16/2020

2022 Cyber Resilience Act

The Act aims to improve transparency on the security of hardware and software products and introduces rules, through a coherent cybersecurity framework, to ensure that manufacturers remain responsible for cybersecurity throughout their products’ lifecycle. The Act carries its own set of penalties in case of non-compliance: third-party vendors may be fined up to €15,000,000 or 2.5% of their annual turnover, whichever is higher.

9/15/2022

NIS2 Directive

The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, which came into force in 2023. It provides legal measures to boost the overall level of cybersecurity in the EU by modernizing the existing legal framework and expanding the scope of the cybersecurity rules to new sectors and entities. It further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.

1/16/2023

1993 Computer Misuse Act

Adapted from the UK's Computer Misuse Act 1990 from which it borrowed three types of offences (mere unauthorized access, access with ulterior motive and modification of the contents of a computer), the Singapore Computer Misuse Act 1993 (CMA) boasted innovative features of its own: intercepting a computer service, abetting of offence, the making of a compensation order against the wrongdoer, and, until recently, admissibility of evidence.

7/9/1993

Infocomm Security Master Plan (2005-2007)

The Info-communications Development Authority (IDA) launched Singapore’s first Infocomm Security Masterplan to coordinate cybersecurity efforts across the Government. A key priority was building basic capabilities within the public sector to mitigate and respond to cyber threats.

7/6/2005

Infocomm Security Master Plan (2008-2012)

The second Masterplan focused especially on the security of Singapore’s CIIs, with a vision of making Singapore a ‘Secure and Trusted Hub’.

3/5/2008

2012 Personal Data Protection Act

The Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') governs the collection, use, and disclosure of individuals' personal data by organisations in a manner that recognises both the right of individuals to protect their personal data, and the need of organisations to collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

10/15/2012

The National Cyber Security Masterplan (2013-2018)

The third Masterplan expanded to cover the wider infocomm ecosystem, which includes businesses and individuals, in addition to the previous focus on CIIs. It sought to make Singapore a ‘Trusted and Robust Infocomm Hub’.

7/24/2013

2013 Computer Misuse & Cybersecurity Act

The CMA was amended to include cybersecurity measures and renamed the Computer Misuse and Cybersecurity Act (CMCA), and was amended again in 2017 to strengthen the country's response to national level cyberthreats. The amendments broadened the scope of the CMA by criminalizing certain conduct not already covered by the existing law and enhancing penalties in certain situations (for example, the amended CMA criminalises the use of stolen data to carry out a crime even if the offender did not steal the data himself or herself, and prohibits the use of programs or devices used to facilitate computer crimes, such as malware or code crackers). The amendments also extended the extraterritorial reach of the CMA by covering actions by persons targeting systems that result in, or create a significant risk of, serious harm in Singapore, even if the persons and systems are both located outside Singapore.

3/13/2013

2016 Singapore Cybersecurity Strategy

Singapore’s Cybersecurity Strategy aims to create a resilient and trusted cyber environment. The strategy rests on four pillars: 1. strengthening the resilience of Critical Information Infrastructures; 2. mobilizing businesses and the community to make cyberspace safer; 3. developing a vibrant cybersecurity ecosystem; 4. forming and maintaining strong international partnerships.

10/10/2016

2018 Cybersecurity Act

The Act created a cyber security regulator, the Cybersecurity Commissioner, and gave the Commissioner significant powers for the response and prevention of cyber security incidents affecting Singapore. The Act also identified 11 critical sectors of essential services and set out a framework for the monitoring of Critical Information Infrastructures (CIIs). The essential services include energy, info-communications, water, healthcare, banking, aviation and the media. Under the Act, CIIs are obliged to report cyber security incidents to the Commissioner, conduct regular audits and risk assessments, and provide reports on their cybersecurity if requested by the Commissioner. The Act also creates a framework for licensing and regulating service providers of certain types of cyber security services, including a requirement that they be a "fit and proper" person to provide the service. These requirements extend to both Singaporean and overseas service providers offering such services in Singapore.

2/5/2018

2020 PDP (Amendment) Act

The amendments include the following: 1. introduction of a mandatory data breach notification requirement; 2. expansion of the scope of deemed consent; 3. inclusion of additional exceptions to express consent; 4. introduction of criminal offenses; 5. an increase in the maximum financial penalty for breaches of the PDPA, commencing October 1, 2022.

11/25/2020

Guide on Managing and Notifying Data Breaches Under the PDPA

This guide was drafted by the Personal Data Protection Commission (PDPC) and is intended to help organisations identify, prepare for, and manage data breaches. Organisations may also refer to this guide for key information on the mandatory Data Breach Notification Obligation under the PDPA, including the criteria, timelines, and information to be provided when notifying the PDPC and affected individuals.

3/15/2021

2021 Cybersecurity Strategy

The 2021 Strategy outlines Singapore’s updated goals and approach to adapt to a rapidly evolving strategic and technological environment. It seeks to actively defend Singapore’s cyberspace, simplify cybersecurity for end-users, and promote the development of international cyber norms and standards. Workforce and ecosystem development are the foundations of the strategy. It comprises three strategic pillars, namely building resilient infrastructure, enabling a safer cyberspace, and enhancing international cyber cooperation.

5/10/2021

Let's look back!

Indonesia has a plethora of laws and regulations governing information security and data privacy. They are dispersed across the sectors under the authority of each Ministry/Agency, ranging from telecommunications and informatics, population and archives, trade and industry, health services, finance, banking, and taxation, to security and law enforcement.

Law 11/2008 concerning Information and Electronic Transactions (EIT)

It is the first legislation in the field of Information Technology and Electronic Transactions and a pioneer that lays the foundation for regulating the use of Information Technology and Electronic Transactions. The law requires electronic system operators (ESOs) to provide systems in a reliable and secure manner and to take responsibility for their proper operation. Security aspects cover the protection of electronic systems physically and non-physically, and include the security of hardware and software. In general, the scope and content of the law broadly address cyberspace issues, such as: 1) electronic signatures carry the same legal weight as traditional signatures; 2) electronic evidence is treated the same as other types of evidence under the Criminal Code; 3) the law applies to anyone who commits legal acts, whether on Indonesian territory or elsewhere, that have legal consequences in Indonesia; 4) the configuration and registration of domain names and intellectual property rights; 5) Chapter VII sets out the prohibited acts of cybercrime.

4/21/2008

Government Regulation 82/2012 concerning the Operation of Electronic Systems and Transactions

10/11/2012

Regulation of the Ministry of Defense 82/2014 concerning Cyber Defense Guidelines

Through this regulation, the Ministry of Defense provides cyber defense guidelines to deal with cyberthreats to national security. It is the only regulation that provides a definition of cybersecurity. Unlike the EIT Law, the regulation covers critical infrastructure, for example the financial and transportation systems, as an object of cybersecurity. However, the regulation serves only to develop military cyber defense capacities, developed and implemented by the Ministry of Defense for the National Armed Forces (TNI). For non-military cyberthreats, it refers to other regulations, such as the EIT Law.

10/16/2014

Law 19/2016 on Amendments to EIT Law

The law aims to accommodate recent developments in the electronic information and transactions sector in Indonesia. It contains several new provisions that mainly concern law enforcement, sanctions, and privacy issues, and clarifies the meaning of various terms such as 'distributing', 'transmitting', or 'making accessible'.

11/25/2016

Regulation of the Ministry of Communication and Informatics 20/2016 concerning Protection of Personal Data in Electronic System

This regulation sets out fundamental obligations of electronic system operators to ensure the security of personal data, which among other things require them to: 1. guarantee the confidentiality of the source code of the software; 2. ensure agreements on minimum service levels and information security for the information technology services used, as well as the security and facilities of the internal communications they implement; 3. protect and ensure the privacy and personal data protection of users; 4. ensure the appropriate lawful use and disclosure of personal data; 5. have governance policies, operational work procedures, and audit mechanisms that are conducted periodically in the electronic system; 6. where a private-scope electronic system provider processes and/or stores personal data outside Indonesia, ensure the effectiveness of supervision by the Ministry or Agency and by law enforcement; 7. provide access and information to the electronic system for the purposes of supervision and law enforcement; 8. give the personal data owner the option to decide whether the processed personal data may or may not be used and/or displayed by or at a third party, on the basis of consent and only in connection with the purpose for which the personal data was obtained and collected; 9. give the personal data owner access to change/renew or delete his/her personal data without disturbing the management of the personal data system, except where laws and regulations provide otherwise.

11/6/2016

Regulation of the Minister of Communication and Informatics Number 4/2016 concerning Information Security Management System

Pursuant to this ministerial regulation, the compliance requirement for information security management standards depends on the risk category of the electronic systems concerned. This regulation classifies the risk categories as: (1) strategic; (2) high; and (3) low. Electronic systems categorized as strategic and high are required to implement ISO/IEC 27001 standards on information security, while electronic systems categorized as low must implement guidelines for an Information Security Index.

4/11/2016

Presidential Regulation 53/2017 concerning the Establishment of National Cyber and Encryption Agency

5/19/2017

Government Regulation 71/2019 concerning the Implementation of Electronic Systems and Transactions

Based on the 2016 EIT Law, the government issued a technical regulation that updates GR 82/2012 with respect to the implementation of cybersecurity in electronic systems and transactions. Some of the updates in the new GR No. 71/2019 are as follows: 1. Electronic system operators are classified into two categories, namely private domain and public domain. 2. The requirements for a certification guarantee on spare parts, novelty conditions, and defect-free products have been removed. 3. New stipulations on personal data protection regarding data processing are set out in Articles 14 to 18. 4. Private-domain electronic system operators may off-shore the management, processing, and/or storage of electronic systems and data from Indonesia. 5. Electronic system operators must disclose information on contract prerequisites, agreement procedures, and privacy and/or personal data protection guarantees in order to protect users’ rights.

10/10/2019

Law 27/2022 concerning Personal Data Protection

The PDP Law is the first law that specifically regulates the protection of personal data in Indonesia. Until now, personal data protection had only been regulated through regulations governing certain sectors. This law regulates, among other things: 1. the definition of Personal Data Protection and the scope of applicability of the PDP Law; 2. the criteria for personal data protected by the PDP Law; 3. personal data controllers and personal data processors; 4. personal data protection obligations; 5. prohibitions in personal data protection and applicable sanctions; 6. the Institute for the Protection of Personal Data; 7. a two-year transition period.

10/17/2022

President Regulation 82/2022 on Protection of Vital Information Infrastructure

This presidential regulation aims to protect the sustainability of the implementation of vital information infrastructure (VII) in a safe, reliable, and trustworthy manner; to prevent disruption, damage, and/or disintegration of VII due to cyber-attacks and/or other threats or vulnerabilities; to improve preparedness for cyber incidents; and to enable faster recovery from the impacts of cyber incidents.

8/28/2022

Presidential Regulation 82/2021 concerning the Establishment of National Cyber and Encryption Agency

The National Cyber and Encryption Agency is not a new agency, but rather a consolidation of two bodies, the National Encryption Agency and the Directorate of Information Security, together with the Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII), which was under the Directorate General of Applications and Informatics of the Ministry of Communication and Informatics. Initially, this non-ministerial government institution was under and accountable to the President through the Coordinating Ministry for Political, Legal, and Security Affairs. Under this regulation, however, the agency was strengthened to make it an independent agency directly responsible to the President.

Regulation of National Cyber and Encryption Agency 8/2020 concerning Security Systems in the Implementation of Electronic Systems

This regulation applies to operators of public and private electronic systems. Electronic systems are categorized on the basis of risk: a. strategic (serious impact on the public interest, public services, the smooth running of the state, or the defense and security of the state); b. high (limited impact on the interests of certain sectors and/or regions); and c. low (other than those previously stated). The category is determined by an independent assessment carried out by the electronic system operator against its electronic system, using the format attached in the Appendix, and must be reported to the National Cyber and Encryption Agency for verification no later than 10 working days. Electronic system operators must implement: a. INS ISO/IEC 27001; b. other security standards related to cybersecurity set by the National Cyber and Encryption Agency; and c. other security standards related to cybersecurity set by the relevant Ministry or Institution.

Regulation of the National Cyber and Encryption Agency Number 9 of 2021 concerning Implementation of the Readiness Assessment for the Implementation of Indonesia National Standard (INS) ISO/IEC 27001 Using the Information Security Index

Self-assessment based on the Information Security Index is carried out by electronic system operators according to the latest version of the Index published on the official website of the National Cyber and Encryption Agency. The self-assessment evaluates several aspects: a. governance (the completeness of the policy, information security management, procedures, functions, duties, and responsibilities); b. risk management (the risk of the policy as well as the risk of information security management, procedures, functions, duties, and responsibilities); c. information security framework (the completeness of information security documents and the effectiveness of their implementation, covering (i) business continuity plans, (ii) disaster recovery plans, (iii) management of information security incidents, (iv) secure software development, (v) information security implementation strategy, and (vi) compliance with information security regulations); d. asset management (the completeness of the safeguarding of information assets, including the entire asset usage cycle and continuous checking of physical security); e. technology and information security (the completeness, consistency, and effectiveness of the use of technology in securing information assets). The self-assessment must be verified by the National Cyber and Encryption Agency and produces a final score indicating the electronic system operator's readiness to fulfil the criteria of INS ISO/IEC 27001: a. good (645-610); b. pretty good (609-536); c. fulfilment of the basic framework (535-334); d. not feasible (333-0).

European Union

Definition & Concept: The term "cybersecurity" has not been defined consistently across law and policy. The concept was defined and regulated in the 2019 Cybersecurity Act and the NIS2 Directive, distinguishing it from the concept of data privacy, which is defined and governed by the 2016 GDPR.

Jurisdiction: The statutes and regulations have explicit territorial and extraterritorial reach.

Critical Information Infrastructure Protection: Directive 2008/114 on EPCIP and the NIS2 Directive have clarified the specific scope, the responsible entities, and the security obligations and requirements of CII operators; however, implementation varies by Member State. It primarily covers 10 sectors: energy, transportation, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, and space.

Cybercrimes: The Cybercrime Directive requires EU Member States to ensure that activities falling into the following categories are punishable under their national laws as criminal offences: 1. illegal access to information systems; 2. illegal system interference; 3. illegal data interference; 4. illegal interception; 5. production, sale, procurement, making available, and similar handling of certain tools used for committing offences; and 6. incitement, aiding and abetting, and attempt of the above. Criminal penalties are determined by the Member States, subject to the minimum penalties set by the Cybercrime Directive.

Responsible Entity: The European Union Agency for Cybersecurity (ENISA)

Cybersecurity Certification for ICT Products and Services: Title III of the Cybersecurity Act establishes centralized voluntary certification schemes for ICT products, processes, and services. Certification is granted on the basis of a comprehensive set of rules, technical requirements, standards, and procedures established at Union level and applicable to the certification or conformity assessment of specific ICT products, services, or processes, which specify: 1. the categories of products to be covered; 2. the cybersecurity requirements for each (referencing standards or technical specifications); and 3. the type of evaluation required (e.g. self-assessment) and the assurance level: basic, substantial, or high.

Classification of Personal Data: The 2016 GDPR differentiates between general personal data and sensitive personal data, which is subject to a higher level of protection. Sensitive data includes genetic, biometric, and health data, as well as personal data revealing racial or ethnic origin, political opinions, religious or ideological convictions, or trade union membership.

The Terms Used: The GDPR distinguishes and uses the concepts and terms of data controller and data processor.

Who Must Comply & Exemption (Data Privacy Law): The GDPR's requirements apply to a wide range of private entities (EU companies and non-EU companies doing business in the EU and/or collecting or transferring personal data of EU residents) and public sector entities, including government agencies, companies, and NGOs. The GDPR excludes from its application the processing of personal data by individuals for purely personal or household purposes. It also excludes data processing in the context of law enforcement or national security, as well as anonymous data (pseudonymized data is still subject to the GDPR). It further provides requirements for specific processing situations, including processing for journalistic purposes and for academic, artistic, or literary expression.

Data Protection Officer (DPO): The GDPR provides for the designation of a DPO by data controllers or data processors.

Mandatory Breach Notification: The GDPR requires an organization to report a security breach that affects personal data to a Data Protection Authority (it is left to each Member State to establish a supervisory authority) without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Monetary Penalties: Under the GDPR, fines can reach up to 20 million euros or, in the case of an undertaking, up to 4% of total global turnover of the preceding fiscal year, whichever is higher.

Civil Remedies for Individuals: Individuals have a right to file a complaint and seek compensation from a data controller or data processor for violations under the GDPR.

Consent: The GDPR defines and treats consent as a legal basis for data processing much more strictly. It sets six legal bases for personal data processing, namely consent, contractual necessity, the controller's legal obligations, the data subject's vital interests, public interest purposes, and the data controller's legitimate interests.

The GDPR also requires data controllers to inform data subjects about the purpose for which their personal data is collected and processed, and gives data subjects the right to withdraw consent to the processing of their personal data and to access, object to, rectify, or erase their personal data.

Singapore

Definition & Concept: The term "cybersecurity" has not been defined consistently across law and policy. The concept was defined and regulated in the 2018 Cybersecurity Act and the 2013 Computer Misuse & Cybersecurity Act, which distinguish it from the concept of data privacy. Although data protection is not explicitly defined, the concept is governed by the 2020 Personal Data Protection Act.

Jurisdiction: The statutes and regulations have explicit territorial and extraterritorial reach.

Critical Information Infrastructure Protection: The 2018 Cybersecurity Act provides a framework for the designation of CII and the security obligations of CII operators. Article 7 of the Act designates 11 sectors: energy, water, banking and finance, healthcare, transportation (land, maritime, and aviation), information communication technology, media, security and emergency services, and government.

Cybercrimes: Part 2 of the 2020 Computer Misuse Act regulates the following prohibited acts: 1. unauthorised access to computer material; 2. access with intent to commit or facilitate the commission of an offence; 3. unauthorised modification of computer material; 4. unauthorised use or interception of a computer service; 5. unauthorised obstruction of the use of a computer; 6. unauthorised disclosure of an access code; 7. supplying, etc., personal information obtained in contravention of certain provisions.

Responsible Entity: Cyber Security Agency of Singapore (CSA).

Cybersecurity Certification for ICT Products and Services: CSA has launched Singapore's Cybersecurity Labelling Scheme (CLS), which follows the EU's standard for IoT devices and has mutual recognition with Finland and Germany for the cybersecurity labels issued. It is a voluntary scheme and was first launched in October 2020 for consumer smart devices, e.g., IP cameras, Wi-Fi routers, smart hubs, smart door locks, smart lights, smart printers, and many others. In October 2022, the programme was expanded to certify medical devices that handle sensitive data or can connect to other devices, systems and services.

Classification of Personal Data: There is no distinction in the 2020 PDP Act between general personal data and specific/special/sensitive personal data. However, based on past PDPC decisions, certain types of personal data have been deemed more sensitive and subject to more stringent data security standards. Medical data, financial data, bankruptcy status, drug-related problems and infidelity, personal data of children, and personal identifiers are all examples of such data.

The Terms Used: The PDP Act does not use the terms data processor and data controller, but the general concept is similar to that of an "organisation" and a "data intermediary" under the PDP Act.

Who Must Comply & Exemption (Data Privacy Law): Organisations, companies, and unincorporated entities operating in Singapore must comply with the PDPA when collecting, using, and disclosing personal data. The PDPA explicitly excludes from the data protection provisions any individual acting in a personal or domestic capacity, as well as any employee acting in the course of his/her employment with an organisation. It also excludes from its application public agencies or organisations acting on behalf of a public agency, as well as anonymous data. It also makes certain exceptions to the need for consent, such as the use or disclosure of personal data for research purposes, the collection of personal data for artistic or literary purposes, and certain journalistic purposes.

Data Protection Officer (DPO): Under the PDP Act, all organisations are required to appoint a DPO.

Mandatory Breach Notification: An organisation must notify the Singapore Personal Data Privacy Commissioner and the affected individuals as soon as practicable, and in any event within 72 hours of determining that the data breach is notifiable.

Monetary Penalties: The PDP Act imposes financial penalties on organisations of up to SGD 1 million or 10% of an organisation's annual turnover in Singapore, whichever is higher, for data breaches.

Civil Remedies for Individuals: Individuals who have personally suffered loss or damage may file a complaint and bring a private civil action under the PDP Act.

Consent: The PDP Act also acknowledges consent as a legal basis for data processing. However, it defines consent in a much broader sense and includes numerous outright exceptions, such as deemed consent by contractual necessity, deemed consent by notification, legitimate interests, and business development purposes.

Rights of Data Subject: Although under the PDP Act users can request access to and correction of data held by an organisation, the PDP Act provides numerous exceptions to the right to request access. Organisations can also refuse to correct data. There is also extremely limited support in the PDP Act for the right to erasure of personal data.

Indonesia

Definition & Concept: The concept of cybersecurity is still relatively new. The term was first used in a 2014 Ministry of Defense Regulation, but that definition is limited to national defense and security. A bill on cybersecurity was once proposed, but it failed to be enacted in 2019. The concept has since spread to many laws and regulations, but sometimes overlaps with data privacy law, e.g., in the 2016 Electronic Information Technology Law and the 2022 Personal Data Protection Law.

Jurisdiction: The statutes and regulations have explicit territorial and extraterritorial reach.

Critical Information Infrastructure Protection: Government Regulation 71/2019 and President Regulation 82/2022 specify the frameworks, responsible entities, and security obligations and requirements of CII operators; however, implementation varies by Member State. They primarily cover 9 sectors: government administration, energy and mineral resources, transportation, financial and banking, healthcare, information and communication technology, food, defense, and other strategic sectors determined by the President.

Cybercrimes: Chapter VII of the 2016 Electronic Information & Technology Law regulates the following prohibited acts: 1. distributing illegal content, such as content violating propriety, gambling, insults and/or defamation, extortion and/or threats; 2. false and misleading information; 3. hatred/discord against an individual/group based on ethnicity; 4. breach of data protection; 5. unauthorized access to another computer/electronic system; 6. illegal and unauthorized interception or wiretapping; 7. production, sale, procurement, making available and similar of certain tools used for committing offences (e.g., the spread of malicious viruses and code); and 8. incitement, aiding and abetting, and attempt of the above.

Responsible Entity: The National Cyber and Encryption Agency.

Cybersecurity Certification for ICT Products and Services: Indonesia does not yet have any patents on technological products to ensure the safety of the products widely used by society for both personal and work needs. However, Indonesia has created software to assess the maturity and completeness level of Indonesian National Standard ISO/IEC 27001:2013 implementation, which is mandatory for government agencies and electronic system operators in strategic/high-risk sectors.

Classification of Personal Data: The 2022 PDP Law distinguishes between general personal data and specific personal data, which is subject to greater protection. Specific personal data categories include health data, biometric data, genetic data, criminal records, children's data, and personal financial data.

The Terms Used: The PDP Law distinguishes and employs the concepts and terms data controller and data processor.

Who Must Comply & Exemption (Data Privacy Law): The PDP Law applies to individuals, corporations, public bodies, NGOs, and international organizations that process personal data or otherwise carry out legal acts in Indonesia. The PDP Law excludes from its application the processing of personal data by individuals for purely personal or household purposes. It also excludes data processing in the context of law enforcement, national security, public interest purposes, supervision in the financial services sector, monetary, payment, or financial stabilization, or statistical and scientific research purposes. The Law does not address anonymous or pseudonymous material.

Data Protection Officer (DPO): The PDP Law provides for the designation of a DPO by data controllers or data processors.

Mandatory Breach Notification: The PDP Law stipulates that in the event of a personal data protection failure, the personal data controller must deliver a written notification within 72 hours to the affected data subjects and the regulatory authorities.

Monetary Penalties: The PDP Law imposes financial penalties on organisations of up to 6 billion rupiah (USD 400,000) or 2% of an organisation's annual turnover in Indonesia, whichever is higher.

Civil Remedies for Individuals: Individuals who have personally suffered loss or damage may file a complaint and bring a private civil action under the PDP Law.

Consent: The PDP Law defines and treats consent as a legal basis for data processing much more strictly. Similar to the GDPR, it sets six legal bases for personal data processing: consent, contractual necessity, the controller's legal obligations, the data subject's vital interests, public interest purposes, and the data controller's legitimate interests.

Rights of Data Subject: The PDP Law introduces and recognizes rights of data subjects such as the right of access, the right to rectification, the right to erasure, the right to data portability, and the right to object.

GCI Report (2020): 

https://www.itu.int/epublications/publication/D-STR-GCI.01-2021-HTM-E


EU Laws and Regulations:

Convention 108: https://rm.coe.int/1680078b37

1995 Data Protection Directive 95/46/EC: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&rid=5

Electronic Signatures Directive 1999/93/EC: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31999L0093&from=EN

2013 EU Cybersecurity Strategy: http://scm.oas.org/pdfs/2013/CP30782T.pdf

eIDAS Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910

NIS Directive: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&rid=1

GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

2019 Cybersecurity Act: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN

2020 EU Cybersecurity Strategy: https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0

2022 Digital Service Act: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2065&from=EN

Artificial Intelligence Act (Proposal): https://eur-lex.europa.eu/resource.html?uri=cellar:e0649735-a372-11eb-9585-01aa75ed71a1.0001.02/DOC_1&format=PDF

Data Governance Act (Proposal): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0767&from=EN 

Digital Markets Act (Proposal): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0842&from=en

Cyber Resilience Act (Proposal): https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

NIS2 Directive: https://www.nis-2-directive.com/European_Parliament_A_high_common_level_of_cybersecurity_in_the_EU.pdf


ENISA:

Pic 1: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (p.16) -  http://scm.oas.org/pdfs/2013/CP30782T.pdf

Pic 2: https://www.enisa.europa.eu/about-enisa/structure-organization


Cyberattack Reports:

2018: https://www.lemhannas.go.id/index.php/berita/berita-utama/625-kepala-bssn-serangan-siber-perlu-menjadi-perhatian-dalam-meningkatkan-kewaspadaan-nasional

2019: https://repository.cips-indonesia.org/publications/341780/perlindungan-keamanan-siber-di-indonesia#id-section-content

2020: https://jurnal.kemendagri.go.id/index.php/mp/article/download/1095/524

2021 & 2022: https://tirto.id/bssn-serangan-siber-di-2022-menurun-dibanding-tahun-lalu-gBjW


Indonesia Laws and Regulations:

EIT Law 11/2008: https://www.icnl.org/wp-content/uploads/Indonesia_elec.pdf

Government Regulation 82/2012: http://www.flevin.com/id/lgso/translations/JICA%20Mirror/english/4902_PP_82_2012_e.html

Regulation of the Ministry of Defense 82/2014: https://www.kemhan.go.id/pothan/2016/10/25/permenhan-no-82-tahun-2014-tentang-pertahanan-siber.html

Amendment to EIT Law 19/2016: https://peraturan.bpk.go.id/Home/Details/37582/uu-no-19-tahun-2016

Government Regulation No. 71/2019: https://peraturan.bpk.go.id/Home/Details/122030/pp-no-71-tahun-2019

PDP Law 27/2022: https://peraturan.bpk.go.id/Home/Details/229798/uu-no-27-tahun-2022

President Regulation 82/2022: https://peraturan.bpk.go.id/Home/Details/211029/perpres-no-82-tahun-2022

Presidential Regulation 28/2021: https://peraturan.bpk.go.id/Home/Details/165493/perpres-no-28-tahun-2021

Regulation of National Cyber and Encryption Agency 8/2020:  https://peraturan.bpk.go.id/Home/Details/174285/peraturan-bssn-no-8-tahun-2020

Regulation on National Cyber and Encryption Agency 9/2021: https://peraturan.bpk.go.id/Home/Details/226093/peraturan-bssn-no-9-tahun-2021


Indonesia's Agencies: 

https://henbuk.com/buku/q2uezzss3?type=full ["Cybersecurity Policy in a Multistakeholder Perspective" book by Ministry of Communication and Informatics & ICT Watch]


The National Cyber and Encryption Agency:

Pic 2: https://bssn.go.id/organisasi-bssn/


National Cyber and Encryption Agency Regulations:

Regulation 28/2021: https://peraturan.bpk.go.id/Home/Details/165493/perpres-no-28-tahun-2021

Regulation 8/2020: https://peraturan.bpk.go.id/Home/Details/174285/peraturan-bssn-no-8-tahun-2020

Regulation 9/2021: https://peraturan.bpk.go.id/Home/Details/226093/peraturan-bssn-no-9-tahun-2021


Singapore Law and Regulations:

1993 Computer Misuse Act: https://sso.agc.gov.sg/Acts-Supp/19-1993/Published/19940315?DocDate=19930827#:~:text=An%20Act%20to%20make%20provision,and%20for%20matters%20related%20thereto.&text=1.,notification%20in%20the%20Gazette%2C%20appoint.

Infocomm Security Master Plan (2005-2007):

Infocomm Security Master Plan (2008-2012):

2012 Personal Data Protection Act: https://sso.agc.gov.sg/Act/PDPA2012

The National Cyber Security Masterplan (2013-2018): https://www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/Singapore_2013_AnnexA.pdf

2013 Computer Misuse & Cybersecurity Act: https://sso.agc.gov.sg/Acts-Supp/3-2013/Published/20130204170000?DocDate=20130204170000 

2016 Singapore Cybersecurity Strategy: https://www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/singapore_2016_cybersecuritystrategy.pdf

2018 Cybersecurity Act: https://sso.agc.gov.sg/Acts-Supp/9-2018/#:~:text=An%20Act%20to%20require%20or,or%20related%20amendments%20to%20certain

2020 PDP (Amendment) Act: https://sso.agc.gov.sg/Acts-Supp/40-2020/#:~:text=An%20Act%20to%20amend%20the,amendments%20to%20certain%20other%20Acts.&text=1.,by%20notification%20in%20the%20Gazette.

Guide on Managing and Notifying Data Breaches Under the PDPA: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en

2021 Cybersecurity Strategy: https://www.csa.gov.sg/Tips-Resource/publications/2021/singapore-cybersecurity-strategy-2021

Cyber Security Agency:

Pic 1: https://www.mci.gov.sg/about-us/our-organisation/organisation-structure


Websites and Journals:

https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/EU-GDPR/Broad-Comparison-of-the-PDPAs-Consent-Exceptions-with-EU-GDPRs-Legal-Bases-for-Processing-Personal-Data-1-Apr-2021.pdf

https://www.pdpc.gov.sg/help-and-resources/2021/03/comparison-of-pdpa-exceptions-to-consent-and-eu-gdpr-legal-bases

https://www.pwc.com/id/en/pwc-publications/services-publications/legal-publications/a-comparison-of-cybersecurity-regulations.html

https://www.asifma.org/wp-content/uploads/2020/07/asifma-jurisdictional-comparison-grid-of-data-protection-rules-v20200721-final.pdf

https://www.lh-ag.com/wp-content/uploads/2019/12/6_PDPA-Country-Comparison_RTnLKM.pdf

https://www.dataguidance.com/resource/comparing-privacy-laws-gdpr-v-singapore-pdpa#:~:text=The%20GDPR%20applies%20to%20both,public%20agencies%20from%20its%20scope

https://www.constructdigital.com/insights/gdpr-and-pdpa-whats-the-difference

https://www.mondaq.com/data-protection/1132236/data-privacy-and-cybersecurity--indonesia-singapore-law

https://www.mondaq.com/guides/results/16/191/all/1/singapore-cybersecurity-legal-framework

https://www.mondaq.com/data-protection/813224/a-brief-overview-of-the-eu-general-data-protection-regulation-gdpr

https://www.researchgate.net/publication/339772044_NATIONAL_CYBERSECURITY_POLICY_IN_THE_US_AND_INDONESIA

https://law.asia/cybersecurity-indonesia/

https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/indonesia

https://www.bepartners.co.id/file/download/36348402019%20legal500%20(indonesia)%20-%20data%20protection%20&%20cyber%20security.pdf

https://www.cliffordchance.com/content/dam/cliffordchance/briefings/2018/06/cyber-security-what-regulators-are-saying-around-the-world.pdf

https://www.sidley.com/~/media/files/publications/2014/11/the-privacy-data-protection-and-cybersecurity-la__/files/singapore/fileattachment/singapore.pdf

https://www.tifafoundation.id/wp-content/uploads/2021/11/Tifa-Buku-Studi-Pendahuluan-Perbandingan-Rancangan-Undang-undang-Perlindungan-Data-Pribadi-dengan-Konvensi-Eropa-108-dan-GDPR.pdf

https://www.csa.gov.sg/Tips-Resource/publications/2021/overview-of-legislations

https://www.headmind.com/en/cybersecurity-in-the-eu-european-commissions-strategy-and-legislation/

https://cms.law/en/int/expert-guides/cms-expert-guide-to-data-protection-and-cyber-security-laws/singapore

https://www.enisa.europa.eu/events/ENISA-CCC/ccc-conference-slides/speaker-soon-chialim.pdf

https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme
