How OJK Regulates Disaster Recovery Centers in Indonesia

Written by Alissa Shebila
Published at May 7, 2026
Updated at May 7, 2026

Most companies in regulated industries have a Disaster Recovery Plan stored on a shared drive somewhere. However, few have seriously considered where that plan actually executes when trouble hits. The facility that houses your failover systems—the Disaster Recovery Center (DRC)—is a distinct decision from the plan itself, and in Indonesia, it is increasingly a regulatory mandate.

The Difference Between “Plan” and “Center”

A Disaster Recovery Plan defines how your IT systems will recover after an incident: which systems are critical, who is responsible, and how quickly recovery must happen. A Disaster Recovery Center is the physical infrastructure where that recovery actually occurs—a secondary data center that keeps your servers, storage, and network connections running when your primary site is inoperable.

Many businesses treat both as the same issue. They write a recovery plan, identify their Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and then treat the physical DR site as an afterthought—often just a rack in a branch office or a cloud backup without connectivity SLAs. For regulated sectors in Indonesia, this approach can directly violate requirements set by the Financial Services Authority (OJK).

What OJK Requires

POJK 11/2022 (Information Technology Implementation by Commercial Banks) mandates that banks manage their primary data center and Disaster Recovery Center within Indonesian territory. The DRC must be geographically separated and located in a different risk domain from the primary site—meaning it should not share critical resources like power grids, fiber paths, or city infrastructure concentration points. In practice, auditors assess this based on risk independence, not just administrative distance.

POJK 27/2024 (Implementation of Crypto Asset Trading) applies similar requirements for crypto platforms: all servers and backups must be located onshore, with at least 70% of assets kept in cold storage secured by hardware meeting FIPS 140-2 Level 3 standards.

Both regulations reinforce the broader data sovereignty framework under Indonesia’s Personal Data Protection Law (UU PDP), which sets strict conditions on cross-border data transfers. Together, these regulations mean that running a legitimate financial or digital asset business in Indonesia requires a recovery architecture spanning at least two onshore data center locations that are physically and operationally distinct.

Evaluating a DRC Colocation Host

Not every data center is fit to serve as a Disaster Recovery Center. The criteria differ from primary site evaluations because a DRC must shoulder the full operational load at short notice following an event that disabled the main site.

  • Geographic Independence: The DRC should pull power from a different grid segment and enter the network via diverse fiber routes so it doesn’t share a critical point of failure with the primary site—an independence achievable through proper infrastructure planning even in urban environments.
  • Uptime Certification: Uptime Institute Tier III standards require redundant components and concurrent maintainability—meaning hardware can be serviced without shutting down the data floor. A Tier III or higher DRC reduces the likelihood of the secondary site failing during the same event that crippled the primary.
  • ISO 27001 Certification: Directly referenced in OJK regulations as the benchmark for information security management. Verifying an active certification status is the first compliance checkpoint when choosing a DRC host.
  • Network Redundancy: Multiple fiber entry points from various carriers are essential. If the DRC’s upstream paths share infrastructure with the primary site’s carriers, a network-layer incident could knock out both simultaneously.
  • SLA Coverage: Must match what your RTO and RPO targets actually need. A four-hour Recovery Time Objective demands a hot standby or warm standby architecture: servers powered on and synchronized, not a cold standby that requires provisioning time.

RTO, RPO, and Standby Architectures

Your recovery targets dictate the physical architecture of the DR system:

  • Hot Standby: Systems are active and synchronized in real-time. Failover happens in minutes. This requires the highest level of continuous power and connectivity commitment.
  • Warm Standby: Systems are prepared but not fully synchronized. Failover takes several hours. This is the most common balance for mid-sized enterprises.
  • Cold Standby: Infrastructure is reserved but systems are not running. Recovery can take days. This is only suitable for non-critical workloads.

For banks subject to POJK 11/2022, regulators expect the DRC to be operational and tested—not just theoretical. Documented failover test results are mandatory during the audit process.

Testing and Compliance Documentation

OJK does not just mandate the existence of a DRC; it requires proof that the DRC works. Documented failover testing is strongly expected during regulatory audits. A DRC colocation host must be able to provide:

  • Scheduled Test Windows: The ability to isolate the DRC environment and simulate primary site failure without disrupting other tenants.
  • Audit-Ready Access Logs: Physical access records, CCTV footage retention, and environmental monitoring that meet the minimum six-month storage requirements of POJK 27/2024.
  • Network Path Verification: Confirmation that DR connectivity routes are truly independent of the primary site paths.

The ISO 22301 standard for Business Continuity Management provides the audit framework followed by most structured DRC testing programs.

Conclusion

In Indonesia, the DRC has shifted from an operational best practice to a regulatory obligation. The physical facilities housing disaster recovery systems must meet specific geographic, uptime, security, and documentation standards that cannot be met by a server room in a rented office or a generic cloud backup.

In this context, carrier-neutral colocation with Tier III certification, active ISO 27001, and a mature cross-site connectivity ecosystem acts as an infrastructure hub—enabling data replication, failover orchestration, and compliant operational recovery, rather than just being a physical backup site.

If your company is designing a regulation-compliant, audit-ready Disaster Recovery architecture, Digital Edge Indonesia can serve as your data center infrastructure partner—providing carrier-neutral facilities in the heart of Jakarta’s digital ecosystem and connectivity that enables integration with recovery sites tailored to your risk and operational needs.

Alissa Shebila
Marketing Manager
