Business Licensing in Indonesia: Getting the License Is Only the Beginning

Since June 2025, Indonesia’s business licensing framework operates under Government Regulation (Peraturan Pemerintah or PP) No. 28 of 2025 and its implementing regulation BKPM Regulation No. 5 of 2025, effective 2 October 2025. The new framework introduced automated sanctions, stricter post-approval monitoring, an OSS data synchronization obligation for existing license holders, and a Deemed Approval mechanism that grants automatic license issuance when regulators miss their service level deadlines. For businesses that already have licenses, the framework also changed what compliance looks like going forward. XPND manages business licensing as a structured compliance program, not a one-time application. 

Licensing Problems That Surface After Approval

Most licensing problems in Indonesia do not appear during the application process. They appear months later, when the OSS system flags a data inconsistency, when an inspector visits and finds a mismatch between the license and actual operations, or when a company tries to add a business activity and discovers its existing licensing foundation does not support the expansion.

Your company obtained its NIB and business licenses before October 2025. Under BKPM Regulation No. 5 of 2025, companies with existing OSS accounts are required to confirm and update their OSS profile data to ensure consistency with the new licensing framework under PP No. 28 of 2025. Companies that do not complete this synchronization risk automatic suspension of licensing access once BKPM enforces the requirement. A suspended NIB does not simply delay new applications. It creates a cascading compliance failure across all licenses and permits tied to that NIB. BKPM has signaled that implementation of this requirement is being monitored and companies should not assume their existing OSS data will remain valid indefinitely without review.

Your company has been in the construction or preparation phase since NIB issuance and has not reported investment realization progress for four consecutive quarters. Under BKPM Regulation No. 5 of 2025, this non-compliance trigger applies automatically. The OSS system treats a static construction stage as a compliance violation, and the company can receive administrative sanctions without any prior manual inspection.

Your company added a new business activity informally without updating the KBLI codes in OSS. The activity is commercially active, but the OSS record reflects the original registration. Under PP No. 28 of 2025, business activities are regulated by their five-digit KBLI classification, and each classification carries its own risk level, licensing requirements, and reporting obligations. Operating under an unregistered KBLI creates both a licensing gap and a potential tax exposure for revenue generated under a classification that does not appear in the company’s OSS profile.

Your company’s operational footprint has changed. A new office, a new city, or a production facility that was not part of the original licensing application creates a gap between the OSS record and physical reality. Under the risk-based licensing framework, post-approval supervision cross-references operational data against the OSS record. Discrepancies surface during routine system checks, not only during formal inspections.

You are operating in a sector that was reclassified under PP No. 28 of 2025. The regulation expanded sectoral coverage from 16 to 22 sectors and revised risk classifications across many KBLI codes. A business that held a Standard Certificate under the previous framework may now require a higher-category license under the new risk classification, or conversely may have been downgraded to a simpler licensing requirement. Neither change is communicated proactively by the OSS system. The company is responsible for monitoring its own reclassification status.

You need to convert an older license format such as an Industrial Business License (Izin Usaha Industri or IUI) that predates the OSS-RBA system into the current Standard Certificate format. Legacy licenses that have not been migrated into OSS carry increasingly limited recognition as the system integrates more deeply with other government databases.

Tell us your current licensing status and what activities your company is actually conducting. We will identify the gaps.

What the 2025 Regulatory Framework Actually Changed

PP No. 28 of 2025, effective 5 June 2025, replaced Government Regulation No. 5 of 2021 and overhauled Indonesia’s Risk-Based Approach or RBA (Pendekatan Berbasis Risiko) licensing framework. BKPM Regulation No. 5 of 2025, effective 2 October 2025, is the primary implementing regulation that operationalizes PP No. 28 of 2025 through the OSS system. Together, they introduced several changes that affect both new license applicants and companies that already hold licenses.

Expanded sectoral coverage. PP No. 28 of 2025 expanded the sectors subject to risk-based licensing from 16 to 22, adding Electronic Systems and Transaction Operations, among others. The total number of KBLI entries subject to the framework increased from 1,348 to 1,417. Companies in newly covered sectors that were not previously subject to OSS-based risk classification now have licensing obligations they did not have before.

Deemed Approval mechanism broadened. Under GR 5/2021, automatic approval when regulators miss their Service Level Agreement (Standar Layanan or SLA) deadline applied narrowly, primarily to KKPR approvals. Under BKPM Regulation No. 5 of 2025, the Deemed Approval or Fiktif Positif mechanism applies broadly across licensing types. If an application is complete and the competent authority does not act within the prescribed SLA, the OSS platform automatically issues the license, which carries the same legal validity as a manually issued license. This significantly changes how companies should structure their applications: completeness and procedural correctness at submission are now more important than follow-up pressure.

Stricter post-approval monitoring. The new framework introduced automated administrative sanctions tied directly to OSS data. Sanctions range from electronic warnings to temporary suspension of business activities, fines, and license revocation, all without manual intervention by licensing officers. The triggers include data inconsistencies between the OSS record and reported operations, missed LKPM filing deadlines, and the four-consecutive-quarter non-realization trigger for construction-stage companies.

KKPR exemption for commercial building tenants. Under BKPM Regulation No. 5 of 2025, businesses operating in commercial buildings including malls, office buildings, markets, rest areas, airports, ports, hospitals, and vertical housing can rely on the building owner or manager’s existing spatial, environmental, and building permits instead of obtaining their own. The business must provide the lease agreement, the property manager’s NIB, and the building’s existing KKPR, Environmental Approval (Persetujuan Lingkungan or PL), Building Approval (Persetujuan Bangunan Gedung or PBG), and Certificate of Proper Function (Sertifikat Laik Fungsi or SLF). This is a significant cost and time reduction for retail and service businesses that operate as tenants.

OSS data synchronization requirement. Companies with existing OSS accounts are required to update and confirm their profile data to ensure consistency with the new licensing framework. As of late 2025, active enforcement of this requirement had not yet been fully implemented by BKPM, but companies should proactively review and update their OSS data rather than waiting for enforcement to begin. Existing licenses that have not expired generally remain valid under transitional provisions, but companies operating under older licensing frameworks should review their permits against new KBLI classifications and update their OSS profiles accordingly.

Operating under a license that predates October 2025?XPND can assess whether your current profile needs to be updated.

Risk Classification and What It Determines

Under the Risk-Based Approach, every business activity registered in OSS carries a risk classification that determines the type of license required, the post-approval reporting obligations, and the supervision intensity applied by the relevant government authority.

The four risk levels are Low Risk, which requires only an NIB; Medium Low Risk, which requires an NIB and a Standard Certificate (Sertifikat Standar or SS) that is self-declared; Medium High Risk, which requires an NIB and a Standard Certificate that must be verified by the government; and High Risk, which requires an NIB plus a formal Business License (IZ or Izin) that involves substantive assessment by the relevant ministry or agency.

The risk classification attached to a company’s KBLI determines the practical licensing pathway, the verification requirements, the environmental documentation needed, and the type of post-issuance supervision the company will face. Under PP No. 28 of 2025, BKPM announced in June 2025 a list of 258 KBLI codes eligible for the Deemed Approval mechanism, primarily in manufacturing, tourism, and agriculture. This list is subject to revision as sector-specific implementing regulations are issued.

Getting the risk classification right at the time of registration matters because it determines all downstream compliance obligations. A company that registers under a KBLI code with a different risk level than its actual activities creates a structural mismatch that appears during post-issuance supervision.

Multi-KBLI Licensing and Expansion Structure

Many businesses in Indonesia operate across multiple business activities. A manufacturing company that also imports its own raw materials. A service company that operates both a core service and a supporting consulting function. A retail chain that manages both wholesale and retail activities.

Under the current framework, each five-digit KBLI code is treated as a separate business activity with its own licensing requirements, investment value obligations, and reporting schedule. For PT PMA companies, BKPM Regulation No. 5 of 2025 maintains the general principle that the total investment value must exceed IDR 10 billion per KBLI code. The minimum paid-up capital requirement was reduced to IDR 2.5 billion but this applies at the company level, not per KBLI.

A company that adds a new KBLI without correctly assessing the investment value implication, the risk classification of the new activity, and the associated licensing requirement creates a gap that will surface during LKPM review or post-approval supervision.

XPND designs multi-KBLI licensing structures that are coherent across all registered activities, ensure the investment value distribution is correctly modeled, and create a licensing profile that supports the company’s actual operational scope.

Expanding into a new business activity or sector? Let XPND structure the licensing before the activity starts.

Legacy License Migration and OSS Compliance

Many companies operating in Indonesia today hold licenses that were issued before the OSS-RBA system was fully implemented. These include Industrial Business Licenses or IUI, Trade Business Licenses (Surat Izin Usaha Perdagangan or SIUP), and sector-specific permits issued by ministries that predate the consolidated OSS framework.

Under the current framework, legacy licenses issued by relevant authorities before the OSS era remain valid under transitional provisions. However, BKPM Regulation No. 5 of 2025 makes clear that the OSS system is increasingly the reference point for all licensing verification, and licenses that are not registered and reflected in OSS carry growing recognition risk as inter-agency data integration deepens.

XPND manages the migration of legacy licenses into the OSS system, ensuring that the company’s historical licenses are correctly reflected in its current OSS profile and that any gaps between legacy permit scope and current operational activities are identified and resolved.

How XPND Structures the Business Licensing Program

Licensing gap analysis and risk classification review

XPND reviews the company’s current OSS profile against its actual operational activities, identifies any KBLI registrations that do not reflect current business scope, and assesses whether the risk classification assigned to each activity is consistent with the current framework under PP No. 28 of 2025.

OSS profile synchronization and data update

XPND manages the OSS profile update process to ensure the company’s data is current, complete, and consistent with all cross-referenced government databases including the company registry, tax system, and spatial planning database. Given that BKPM may enforce the synchronization requirement at any point, completing this update proactively is significantly less disruptive than responding to a suspension after the fact.

New license and KBLI application management

XPND prepares and submits new license applications through the OSS system, including the preparation of KKPR, PL, PBG, and SLF documentation where required, or identification of the commercial building tenant exemption where applicable. Applications are prepared to meet the completeness standard required for the Deemed Approval mechanism to operate correctly.

Multi-KBLI investment value structuring

For PT PMA companies adding new business activities, XPND models the investment value distribution across KBLI codes, ensures the minimum investment threshold is correctly satisfied per activity, and prepares the supporting documentation for OSS submission.

Legacy license migration

XPND manages the registration of pre-OSS licenses into the current system and converts older license formats such as IUI or SIUP into the current Standard Certificate format where applicable.

Ongoing LKPM and post-approval compliance

XPND manages Investment Activity Report or LKPM (Laporan Kegiatan Penanaman Modal) filings on the required schedule to ensure the company’s investment realization is correctly reported and that no non-realization trigger accumulates in the system.

Ready to bring your licensing profile into compliance with the current framework? Talk to XPND.

Why Business Licensing

Under the current framework, a business license is not a static document. It is a data point in a government system that is cross-referenced against tax records, environmental permits, spatial planning databases, and investment realization reports on an ongoing basis. The automated sanctions introduced under BKPM Regulation No. 5 of 2025 mean that gaps between the licensing record and operational reality are detected and acted upon without manual intervention.

The businesses that manage licensing well are not necessarily the ones that obtained their licenses fastest. They are the ones whose licensing profile accurately reflects what they actually do, whose OSS data is current and consistent, and whose LKPM filings demonstrate active investment realization. That combination produces a compliance record that holds up under post-approval supervision and supports expansion without friction.