by Christy Tsang
Jul 2025
What is Local Content Requirements (LCR)?
Local content requirement (LCR) is a policy requiring products sold in a country to use local components, goods, services, and workforce. According to some reports, the adoption of LCRs have steadily grown since 2008, as governments turned to this policy as a tool to bolster domestic industries and drive local economic growth.[1]
How is LCR applied to electronic goods, including cybersecurity products?
The application of LCRs may be on many products, such as electronic goods including cybersecurity products. LCR application and implementation varies across jurisdictions but commonly involves the use of a minimum percentage of domestically sourced components. For instance, the Indonesian Ministry of Industry (MOI) has enacted several regulations imposing local content obligations, such as MOI Regulation No.16/M-IND/PER/2/2011, which outlines the methods for calculating the percentage of local content to be included in strategic goods, including electronic devices. [2]
What is LCR’s impact on cybersecurity?
While LCRs may appear attractive -promising economic stimulus, technology self-reliance, and support for the local industry–they often carry unintended negative consequences, particularly for cybersecurity products.
A key concern is a weakened cyber resilience. When businesses are required to rely solely on locally sourced components, local manufacturers may face limited availability of qualified domestic parts, which can then delay the deployment of critical security patches and tools. Such delay can increase exposure to cyber threats.
Another significant risk is the potential degradation of products’ quality and effectiveness. Global technology vendors typically have the resources and scale to invest significantly in R&D, product testing, ensuring compliance with internationally recognised systems and standards such as the IECEE CB scheme. [3] In contrast, domestic providers often lack comparable resources and infrastructures, meaning that components could be less rigorously tested and uncertified.
Finally, LCRs pose broader risks to the integrity of global supply chain security. By requiring localisation, governments fragment the global technology ecosystem and undermine the interoperability and consistency of cybersecurity infrastructure. This fragmentation could weaken collective defences against global threats like ransomware, DDoS attacks, and phishing.
What are the alternatives to LCRs?
Instead of relying on LCRs, governments can adopt alternative strategies to strengthen domestic industries and support technology development. These include:
- Investing in local capacity building to help domestic providers in R&D, product testing, compliance with internationally recognised technical standards and frameworks, and certification systems.
- Incentivising cross-border collaboration, specifically encouraging partnerships between local and global technology vendors to promote technology transfer, innovation and market access.
Additionally, governments can implement cybersecurity policies to ensure resilience without imposing overtly prescriptive LCR, such as:
- Adopting risk-based, sector-specific requirements rather than blanket local content mandates, allowing for more targeted and effective interventions.
- Supporting trusted global supply chains by establishing mutual recognition arrangements which enable the use of secure, certified solutions across borders. For example, Singapore has signed Mutual Recognition Arrangements (MRAs) with Korea and Germany to mutually recognise each other’s cybersecurity labels for consumer smart products. [4]
Conclusion
While LCR may provide short-term economic benefits, they risk weakening long-term cybersecurity resilience, hindering innovation, and disrupting global supply chain security. Instead of enforcing localisation mandates, policymakers should pursue alternative approaches that build domestic capabilities while preserving cybersecurity integrity, product quality, and trust in global supply chain security.
Footnotes:
[2] https://www.arma-law.com/news-event/newsflash/understanding-indonesias-local-content-tkdn-framework