Cyber security Governance in Public Institutions: A Legal Risk Assessment Model for Indonesia’s Digital Transformation

Indonesia’s rapid digital transformation has expanded the role of public institutions as custodians of critical data and providers of essential electronic services. However, this transition has not been matched by a coherent and enforceable cyber security governance framework. Existing regulations—dispersed across the ITE Law, PDP Law, PP 71/2019, and sectoral instruments—remain fragmented, inconsistent, and limited in binding force. Institutional mandates are similarly diffuse, with the National Cyber and Encryption Agency (BSSN), Kominfo, OJK, BI, and sectoral ministries exercising overlapping authorities. These doctrinal and structural weaknesses leave Indonesia vulnerable to escalating cyber threats, including ransomware attacks, data breaches, and systemic disruptions to public services. This article develops a Legal Risk Assessment Model (LRAM) tailored to Indonesia’s public institutions, integrating normative legal research and comparative analysis. Drawing on best practices from Estonia, Singapore, and the United Kingdom—jurisdictions with advanced public-sector cyber governance—the model proposes four interrelated components: (1) a unified statutory framework through a dedicated Cybersecurity Act; (2) a centralized national authority with clear enforcement powers; (3) mandatory, standardized risk assessment and incident-reporting obligations; and (4) institutional oversight mechanisms ensuring accountability and transparency. The proposed model reconceptualizes cyber security not merely as a technical function but as a legal and administrative governance obligation. The study concludes that adopting the LRAM would significantly strengthen Indonesia’s cyber resilience, harmonize public-sector security standards, enhance public trust, and support sustainable digital transformation. The model offers a reform pathway that aligns national regulatory structures with global norms while remaining sensitive to Indonesia’s institutional context.