National Cybersecurity Strategy and National Cybersecurity Basic Plan

The South Korean (“Korean”) government has established the National Cybersecurity Strategy and its corresponding National Cybersecurity Basic Plan to ensure comprehensive implementation, both of which underwent revisions in 2024. The updated Strategy delineates five core objectives:

• bolstering offensive cyber defence capabilities;
• forging a robust global cyber co-operation framework;
• fortifying the cyber resilience of critical national infrastructure;
• securing a competitive edge in emerging technologies; and
• reinforcing the operational foundation for these tasks.

Complementing this, the Basic Plan prescribes 100 actionable initiatives for various government ministries to systematically execute the Strategy.

Cybersecurity-Related Laws and Enactment of New Laws

The cybersecurity regulatory framework of South Korea (“Korea”) comprises a complex patchwork of sector-specific legislation. Notably, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (the "Network Act") predominantly governs the information and communications sector; the Personal Information Protection Act (PIPA) regulates the protection of personal information; the Electronic Financial Transactions Act (EFTA) covers the financial sector; the Act on the Protection of Information and Communications Infrastructure safeguards critical infrastructure; and the Cyber Security Work Regulations (the “Cybersecurity Regulations”) of the National Intelligence Service (NIS) dictate standards for the public sector. For private enterprises, the Network Act, PIPA and the EFTA serve as the primary governing statutes. Given these overlapping jurisdictional scopes, multiple laws frequently apply concurrently in the aftermath of a cybersecurity incident.

Another critical legislative development is the Act on Fostering the Artificial Intelligence Industry and Securing Trust (the "AI Framework Act"), which took effect on 22 January 2026. This legislation imposes affirmative safety obligations on artificial intelligence (AI) operators that meet specific criteria. Crucially, if an AI operator provides “high-impact AI” or associated products and services, the Act mandates the implementation and operation of comprehensive risk management protocols to guarantee the safety and reliability of these systems (Articles 32 and 34 of the AI Framework Act). For a more detailed analysis of this legislation, please refer to Section 6.2 Cybersecurity and AI.

Concurrently, legislative discussions remain ongoing regarding the potential enactment of the Framework Act on Cybersecurity (working title), which aims to provide a statutory basis for an integrated cybersecurity response mechanism spanning both the public and private sectors. However, its passage has stalled due to protracted debates over the scope of the NIS’s authority and related concerns regarding digital privacy rights. If ultimately enacted, this legislation is expected to establish a unified governance framework, effectively integrating and co-ordinating the nation’s currently fragmented cybersecurity apparatus.

The primary cybersecurity-related laws and regulations in Korea are outlined in the following. Given the varying scopes and subjects of application across these statutes, establishing a universal hierarchy of precedence is challenging. Depending on the specific circumstances of a case, a particular statute may take precedence, or multiple laws may apply concurrently.

Network Act

The Network Act prohibits and penalises malicious activities that threaten cybersecurity via information and communications networks (eg, hacking, distributed denial-of-service (DDoS) attacks and the transmission or distribution of malware). It imposes specific cybersecurity obligations on “information and communications service providers” (ICSPs; telecommunications operators and online service providers). These include the mandates to designate and report a Chief Information Security Officer (CISO) and to obtain information security management system (ISMS) certification.

Notably, the Network Act features an extraterritorial application provision, meaning it applies to acts committed outside Korea that impact the domestic market or its users (Article 5-2).

PIPA

PIPA serves as the comprehensive general law for the protection of personal information. Its primary regulatory subjects are “data handlers” (a concept analogous to data controllers under the General Data Protection Regulation – GDPR). PIPA imposes various cybersecurity obligations related to data protection, including the duty to implement robust security measures for the protection of personal information (Article 29) and the obligation to notify and report data breaches (ie, incidents involving the loss, theft or unauthorised disclosure of personal information) (Article 34). Specifically, the Standards of Personal Information Security Measures, which elaborates on these statutory security obligations, set forth detailed technical and organisational measures required for the protection of personal information.

Recently, hacking incidents and massive data breaches involving critical telecommunications companies and e-commerce platforms have emerged as significant social issues in Korea, driving demand for heightened corporate cybersecurity measures. In response, the National Assembly recently passed an amendment to PIPA. This amendment explicitly clarifies the data protection responsibilities of a data handler’s representative (eg, the CEO), augments the statutory authority of the chief privacy officer (CPO) and significantly increases the administrative penalties for repeated or severe data breaches. The amended PIPA is scheduled to take effect six months following its formal promulgation.

While PIPA lacks an explicit extraterritoriality clause, Korean courts and regulatory authorities have consistently interpreted it as applicable to foreign operators, depending on the specific facts and circumstances of each case.

For reference, the Credit Information Use and Protection Act (the “Credit Information Act”) specifically regulates the protection of credit information handled by financial institutions and imposes particularly stringent security requirements. With respect to credit information that also constitutes personal information (ie, personal credit information), the Credit Information Act operates as a special law and therefore takes precedence over PIPA to the extent of any inconsistency.

EFTA

The EFTA governs the security and reliability of electronic financial transactions, applying directly to financial institutions and electronic financial businesses. It serves as the primary cybersecurity framework for the financial sector. Its subordinate regulation, the Regulations on the Supervision of Electronic Financial Transactions, establishes detailed security standards.

Notably, the Regulations on the Supervision of Electronic Financial Transactions was comprehensively amended on 5 February 2025, shifting financial security regulation from a rules-based approach to a more flexible principles-based framework. This amendment laid the groundwork for greater autonomy in security practices within the financial sector and strengthened the resilience of financial IT systems to ensure stable protection of the financial system against disasters and electronic intrusions.

Act on the Protection of Information and Communications Infrastructure

This Act governs the safeguarding of “critical information and communications infrastructure” (these are facilities designated for heightened protection against cyber-intrusions due to the socio-economic importance of the managing agency’s functions, as well as the potential scale of damage to national security and the broader economy in the event of a breach). The Act imposes stringent obligations on the heads of organisations managing such infrastructure, which include formulating comprehensive protection plans (Article 5), conducting vulnerability analyses and assessments (Article 9), and reporting any infringement incidents (Article 13).

NIS Cybersecurity Regulations

The Cybersecurity Regulations are a Presidential Decree governing cybersecurity-related functions of the NIS. As they also regulate the prevention of and response to cyber-attacks and threats targeting state agencies, public institutions, schools and government-funded research institutes, they constitute a key regulatory framework for cybersecurity in the public sector.

Unfair Competition Prevention and Trade Secret Protection Act

The Unfair Competition Prevention and Trade Secret Protection Act affords statutory protection to corporate trade secrets. Where a company’s trade secrets are misappropriated through a cyber-intrusion incident, the prohibitions against trade secret infringement under the Act (Article 2(3), Article 18(1)–(3)) and the related civil and criminal remedies may become applicable.

Ministry of Science and ICT (MSIT) and Korea Internet & Security Agency (KISA)

As the competent ministry overseeing the Network Act, the Act on the Protection of Information and Communications Infrastructure and the AI Framework Act, the MSIT directs cybersecurity policy across the private sector.

While not a central government agency, KISA operates as a statutory public institution playing a core operational role in national cybersecurity. Its primary functions include acting as the national computer emergency response team (CERT). In this capacity, KISA is responsible for receiving, analysing and responding to private-sector cyber-infringement incidents, maintaining a 24-hour rapid response system. Furthermore, KISA operates the Cyber Threat Analysis and Sharing (C-TAS) platform – a centralised system for collecting, analysing and disseminating cyber threat intelligence – to facilitate real-time information sharing among private enterprises. It also conducts ISMS certification audits, supports vulnerability analyses and assessments for critical information and communications infrastructure, and manages the internet of things (IoT) security certification framework.

Personal Information Protection Commission (PIPC)

As the primary regulatory authority responsible for enforcing PIPA, the PIPC conducts comprehensive research and support initiatives regarding data protection, while concurrently exercising statutory authority to investigate and sanction PIPA violations.

Specifically, the PIPC wields robust enforcement mechanisms under PIPA, including the authority to demand data submissions and conduct on-site inspections (Article 63), issue corrective orders (Article 64), and impose administrative penalties (Article 64-2) and administrative fines (Article 75).

Notably, KISA is frequently entrusted with executing a portion of the PIPC’s cybersecurity-related mandates, including conducting research, providing technical support and operating the intake system for data breach incident reports.

Financial Services Commission (FSC), Financial Supervisory Service (FSS) and Financial Security Institute (FSI)

The FSC is the authority responsible for overall financial policy and serves as the competent authority for the EFTA in relation to cybersecurity in the financial sector. The FSS, while not a central government agency, is a specialised supervisory body subject to the direction and supervision of the FSC and exercises authority delegated by the FSC. In connection with the EFTA, the FSS conducts inspections of and imposes sanctions on financial institutions and electronic financial business operators. Measures that the FSS may take include corrective orders, recommendations for the dismissal of officers, suspension of business operations and the imposition of administrative penalties (Articles 39 and 51 of the EFTA).

NIS

The NIS is the national agency responsible for counterintelligence and national security, and its duties include the prevention of and response to cyber-attacks. Pursuant to the NIS Cybersecurity Regulations, the NIS implements preventive cybersecurity measures for state agencies, public institutions, schools and government-funded research institutes, including security reviews of information system projects and the establishment of security measures for the use of cloud computing (Article 9 of the NIS Cybersecurity Regulations), and evaluates the overall state of cybersecurity (Article 13 of the NIS Cybersecurity Regulations).

In Korea, cybersecurity regulation for critical infrastructure is primarily governed by the Act on the Protection of Information and Communications Infrastructure.

Under this Act, “information and communications infrastructure” refers to electronic control and management systems and information and communications networks related to national security, public administration, national defence, public safety, finance, telecommunications, transportation, energy and similar functions (Article 2(1)). The heads of central administrative agencies may designate, from among the information and communications infrastructure under its jurisdiction, certain facilities as “critical information and communications infrastructure” where protection from electronic intrusion is deemed necessary, taking into account:

• the national and social importance of the functions performed by the institution managing the infrastructure;
• the degree of dependence of such functions on the infrastructure;
• interconnectivity with other information and communications infrastructure;
• the scale and scope of potential damage to national security and the economy and society in the event of an incident; and
• the likelihood of an incident occurring or the ease of recovery (Article 8(1)).

In addition, the Information and Communications Infrastructure Protection Committee is established under the Prime Minister to deliberate on matters concerning the protection of critical information and communications infrastructure (Article 3(1)). The Act sets forth various regulatory requirements for the protection of such critical infrastructure.

Designation of critical information and communications infrastructure is made on a facility-by-facility basis by the head of the relevant central administrative agency.

In addition to the foregoing, a separate protection regime for national critical infrastructure exists under the Framework Act on the Management of Disasters and Safety. This Act establishes a management framework for national critical infrastructure in sectors such as energy, information and communications, transportation and finance. As a result, certain facilities may be subject to overlapping regulation under both the Act on the Protection of Information and Communications Infrastructure and the Framework Act on the Management of Disasters and Safety.

Obligation to Establish Protection Measures

The head of the management institution responsible for critical information and communications infrastructure must establish and implement annual protection measures for the relevant facilities (Act on the Protection of Information and Communications Infrastructure, Article 5). Such protection measures must include risk management based on the results of vulnerability analyses and assessments, physical, technical and organisational safeguards, and incident response plans. Implementation of these protection measures is subject to inspection by MSIT, the NIS, and the Ministry of National Defense (Article 5-2).

Vulnerability Analysis and Assessment

Vulnerability analyses and assessments of critical information and communications infrastructure must be conducted periodically (at least once per year) (Article 9). The MSIT has published the “Standards for Vulnerability Analysis and Assessment of Critical Information and Communications Infrastructure”, which set forth detailed methods and procedures. These standards were amended on 24 December 2025 to reflect changes in the information and communication technology (ICT) environment, including the addition of inspection items relating to cloud and web services.

Compliance With Protection Guidelines

Central administrative agencies may promulgate sector-specific protection guidelines for critical information and communications infrastructure and mandate that the heads of managing agencies strictly adhere to them (Article 10). These guidelines include technical and organisational matters relating to infrastructure protection and are applied in a differentiated manner reflecting sector-specific characteristics.

Recovery Measures in the Event of an Incident

Where a critical information and communications infrastructure facility is disrupted, paralysed or destroyed due to an electronic intrusion, the head of the management institution must promptly take the necessary measures for restoration and protection. The head of the relevant central administrative agency may issue orders to this effect, and if such orders are not issued, the NIS may do so in lieu thereof (Article 14).

ISMS Certification

Separately from the protection obligations under the Act on the Protection of Information and Communications Infrastructure, Article 47 of the Network Act requires certain ICSPs above a specified size to obtain ISMS certification. For further details, see 5.1 Key Cybersecurity Certification Legislation.

Reporting Obligations Under the Act on the Protection of Information and Communications Infrastructure

Where an electronic intrusion (eg, hacking, malware infections or DDoS) occurs in relation to critical information and communications infrastructure, the head of the management institution must report the incident to the relevant authorities and to KISA (Article 13(1)) [TJK1.1][LK1.2]. While the Act does not specify a precise deadline, the report must be made as promptly as reasonably practicable.

Incident Reporting under the Network Act

An ICSP must report an incident to the MSIT or KISA within 24 hours from the time it becomes aware of the incident (Article 48-3). The report must include an overview of the incident, the extent of the damage and response measures taken.

Notification and Reporting of Data Breaches Under PIPA

Where a data handler becomes aware of a data breach, it must notify the affected data subjects within 72 hours (Article 34(1)). In addition, where personal information is leaked due to unlawful external access to a personal information processing system, the data handler must report the breach to the PIPC or KISA within 72 hours (Article 34(3) of PIPA and Article 40 of its Enforcement Decree). For further details, see 6.1 Cybersecurity and Data Protection.

Reporting to the FSS Under the EFTA

A financial institution or electronic financial business operator must notify the FSC without delay upon the occurrence of an incident (Article 21-5) and must report certain electronic financial incidents to the FSS (Article 37-5 of the Regulations on Supervision of Electronic Financial Transactions and Article 7-4(1) of its Detailed Enforcement Rules). For further details, see 3.3 Key Operational Resilience Obligations.

Concurrent Reporting Obligations

Even where a single hacking incident occurs, the affected entity is, in principle, required to comply with reporting and notification obligations under each applicable statute, depending on the type and scope of the incident. While reporting under the Network Act may be deemed satisfied if reporting under another statute has been completed, differences in deadlines and required content mean that separate reporting is typically carried out in practice. Given that each statute prescribes different reporting timelines, content requirements and reporting channels, it is critical to promptly identify and simultaneously fulfil all applicable reporting obligations at the initial stage of an incident.

National Cyber Crisis Management System

The Korean government operates a four-tier national cyber crisis alert system – Attention, Caution, Alert and Severe – based on the seriousness of cyber threats (Article 15 of the NIS Cybersecurity Regulations). Depending on the alert level, the response posture and emergency working arrangements of government agencies are adjusted accordingly. The MSIT (for the private sector) and the NIS (for the public sector) are responsible for issuing alerts within their jurisdictions.

The government’s role extends beyond threat detection and information sharing to include recovery support following incidents. As discussed in 2.2 Critical Infrastructure Cybersecurity Requirements, under the Act on the Protection of Information and Communications Infrastructure, in the event of an incident affecting critical information and communications infrastructure, the head of the relevant central administrative agency or the director of the NIS may order necessary measures for restoration and protection (Article 14(2)). Where incidents occur on a widespread basis, the Information and Communications Infrastructure Protection Committee may establish an incident response headquarters for a specified period to implement emergency measures, provide technical support and facilitate damage recovery, and may second relevant public officials to respond to the incident (Article 15).

Threat Intelligence Sharing

KISA operates C-TAS, a platform that collects, analyses and shares cybersecurity threat information in real time in the private sector. Through C-TAS, companies may voluntarily share and utilise malware samples, IP block lists, vulnerability information and similar data.

In addition, pursuant to Article 16 of the Act on the Protection of Information and Communications Infrastructure, sector-specific information sharing and analysis centres (ISACs) have been established and are in operation. ISACs collect and analyse information on vulnerabilities and incidents relating to critical information and communications infrastructure in their sectors and provide such information to relevant institutions. ISACs are currently operating in multiple sectors, including finance, telecommunications and public administration.

Public-Private Co-Operation

In the event of a large-scale incident, a joint public-private investigation task force may be established, comprising the MSIT, KISA, the National Police Agency and relevant companies, to analyse the causes of the incident and formulate response measures (Article 48-4 of the Network Act). In addition, MSIT and KISA regularly conduct cybersecurity drills involving private companies to strengthen cyber-incident response capabilities in the private sector.

EFTA

In Korea, cybersecurity regulations within the financial sector are primarily anchored by the EFTA, while its subordinate statute, the Regulations on the Supervision of Electronic Financial Transactions, establishes the specific, granular compliance standards.

Entities subject to the EFTA are broadly categorised into “financial companies” and “electronic financial businesses”. “Financial companies” encompass banks, financial investment businesses, insurance companies, credit card companies and mutual savings banks. “Electronic financial businesses” include electronic funds transfer providers, issuers and managers of debit and prepaid electronic payment means, and electronic payment gateway (PG) providers (Article 2 of the EFTA).

Comprehensive 2025 Amendment to the Regulations on the Supervision of Electronic Financial Transactions

On 5 February 2025, the Regulations on the Supervision of Electronic Financial Transactions underwent a comprehensive revision, marking a fundamental paradigm shift in the financial security regulatory landscape. A central feature of this overhaul is the transition from a rigid, prescriptive “rule-based” regime to a flexible, “principle-based” framework. The previously sprawling 293 detailed conduct rules were streamlined to 166. Excessively micro-level and specific regulations were abolished in favour of a structure that presents overarching goals and principles (FSC, Press Release on the Resolution of the Proposed Amendment to the Regulations on the Supervision of Electronic Financial Transactions, 5 February 2025). This amendment aims to shift financial institutions away from a passive mindset of “compliance equals immunity”, driving them towards an “autonomous security and result accountability” system where they independently construct security frameworks and bear full responsibility for the outcomes.

Notably, this amendment introduced regulations specifically designed to bolster financial cyber resilience against disasters and electronic intrusions. Previously, the mandatory establishment of disaster recovery centres applied only to banks, financial investment businesses and insurance companies. Under the new rules, this obligation has been expanded to include specialised credit finance companies and electronic financial businesses that meet specific scale thresholds.

Extraterritorial Application

As a general rule, the EFTA and the Regulations on the Supervision of Electronic Financial Transactions apply to all financial companies and electronic financial businesses conducting electronic financial transactions within Korea. Domestic branches and offices of foreign financial institutions are expressly included within this jurisdictional scope.

Regulations on Electronic Financial Auxiliary Businesses and Outsourcing Under the EFTA

An “electronic financial auxiliary business” refers to an entity that assists or performs a portion of electronic financial transactions on behalf of a financial company or an electronic financial business, or an operator of a payment brokerage system, as designated by the FSC (Article 2(5) of the EFTA). Examples include comprehensive IT outsourcing providers handling electronic financial tasks and cloud computing providers processing data related to electronic financial transactions.

When a financial company or electronic financial business partners with, entrusts or outsources operations to an electronic financial auxiliary business, it must strictly adhere to robust regulatory controls. For instance, the physical workspaces and computing facilities utilised for outsourced IT system development must be installed and operated entirely separate from the institution’s internal business networks. The firm must comply with security management protocols prescribed by the FSS across all phases of the outsourcing life cycle – including bidding, contracting, execution and completion. Furthermore, the financial entity must evaluate the financial soundness and service quality of the auxiliary business at least annually and formally report these findings to the FSS (Article 40 of the EFTA; Article 60 of the Regulations on the Supervision of Electronic Financial Transactions).

Regulations on the Entrustment of Information Processing by Financial Companies

Pursuant to the Regulations on the Entrustment of Information Processing by Financial Companies (an FSC Notification), when a financial institution executes an information processing entrustment contract, the agreement must explicitly incorporate the following clauses (Articles 4 and 5 of the Regulations):

• strict data access controls;
• the allocation of liability between the entrusting and entrusted entities regarding user damages resulting from IT accidents;
• the entrusted company’s binding obligation to submit to supervision and inspection by regulatory authorities; and
• the designated judicial jurisdiction for dispute resolution.

Sub-entrustment (re-outsourcing) is legally permissible, provided it remains within the bounds of these compliance requirements.

Crucially, the unique identification information of individual customers (eg, resident registration numbers, passport numbers) must be safeguarded through encryption or equivalent measures, and the cross-border transfer of such sensitive data is strictly prohibited (Article 5(1)). Additionally, the specific safety measures implemented to protect the entrusted information must be transparently disclosed to the public via the company’s website.

Regulations on Cloud Computing Usage

When a financial company or electronic financial business intends to utilise cloud computing services, it must proactively evaluate the safety of the service and report its usage to the FSS pursuant to Article 14-2 of the Regulations on the Supervision of Electronic Financial Transactions.

Safety evaluation of the cloud service provider (CSP) is conducted via the CSP Safety Evaluation Integrated Support System operated by the FSI. The 2025 amendment to the Regulations on the Supervision of Electronic Financial Transactions streamlined this cloud usage reporting workflow, with specific procedural details delegated to the Enforcement Rules of the Regulations on the Supervision of Electronic Financial Transactions (Article 2-4 of the Enforcement Rules).

For reference, if unique identification information or personal credit information is processed through a cloud computing service, regulatory restrictions mandate that the corresponding data processing systems must be physically localised within Korea.

Governance

Financial institutions and electronic financial business operators must designate a CISO and establish and implement an annual training plan to enhance employees’ information security capabilities (Article 8(1) of the Regulations on the Supervision of Electronic Financial Transactions). Under the 2025 amendment, a new obligation was introduced under which the representative (eg, CEO) must evaluate the results of the prior year’s training plan implementation, and the CISO must reflect those results in the current year’s training plan (Article 8(1)(4) of the Regulations on the Supervision of Electronic Financial Transactions).

Financial institutions and electronic financial business operators must also establish and operate an Information Security Committee that deliberates and resolves key information security matters (Article 8-2(1)). The CISO must report committee deliberations and resolutions to the representative and, further, must report directly to the board of directors on deliberations and resolutions that the CISO determines have a material impact on the safety and reliability of electronic financial transactions (Article 8-2(4) of the Regulations on the Supervision of Electronic Financial Transactions).

Segregation of Duties

To ensure robust internal controls within their IT departments, financial companies and electronic financial businesses must establish and operate strict standards for the segregation of duties (Article 8-3). Prior to the 2025 amendment, the tasks subject to segregation were enumerated in detail; following the amendment, the principle of segregation of duties is maintained, while the specific domains of segregation are left to each institution’s discretion.

Disaster Recovery and Business Continuity

Financial institutions and electronic financial business operators must establish and comply with business continuity measures designed to prevent service interruption even in urgent circumstances such as system failures, disasters, strikes or terrorism. These measures must include:

• situation-specific response procedures;
• disaster recovery plans leveraging backups or disaster recovery centres; and
• the composition and operation of emergency response teams (Article 23 of the Regulations on the Supervision of Electronic Financial Transactions).

Under the 2025 amendment, the scope of entities required to establish disaster recovery centres was expanded from banks, financial investment business operators, credit card companies and insurers to include certain credit-specialised financial companies and electronic financial business operators meeting specified thresholds (Article 23(8) of the Regulations on the Supervision of Electronic Financial Transactions).

Incident Management and Reporting

Where an incident occurs in which electronic financial infrastructure is disrupted or paralysed due to an electronic intrusion, a financial institution or electronic financial business operator must notify the FSC without delay (Article 21-5 of the EFTA).

In addition, financial institutions and electronic financial business operators must establish and operate procedures for incidents relating to the IT function and electronic finance, including incident type classification, handling stages, remediation measures and methods for assessing impact and severity (Article 37-5(1)(1) of the Regulations on the Supervision of Electronic Financial Transactions). Reportable incidents are specified in the Enforcement Rules of the Regulations on the Supervision of Electronic Financial Transactions. These include:

• where a delay or interruption of electronic financial services lasts 30 minutes or more; or
• where a delay or interruption lasts ten minutes or more and the relevant electronic financial service has 10,000 or more subscribers (Article 7-4(1)(i) of the Enforcement Rules).

Reporting must be made to the FSS within 24 hours of becoming aware of the incident, through the electronic financial accident response system (EFARS).

Inspection and Sanctioning Authority of the FSS

The FSS has inspection authority over financial institutions and electronic financial business operators pursuant to Article 39 of the EFTA. Based on inspection results, the FSC may impose sanctions for cybersecurity-related violations, including corrective orders, recommendations for the dismissal of officers, suspension of all or part of business operations and the imposition of administrative penalties (Articles 39 and 51 of the EFTA). Violations of the Regulations on the Supervision of Electronic Financial Transactions may result not only in institutional sanctions but also in personnel measures against relevant officers and employees.

Recent Enforcement Trends and Outlook

In recent years, financial authorities have strengthened information security inspections of financial institutions and have maintained an active enforcement posture, including imposing administrative penalties in the event of electronic financial incidents. Moreover, the FSC has indicated that, following the amendment to the Regulations on the Supervision of Electronic Financial Transactions (Phase I), it plans to pursue Phase II reforms through amendments to the EFTA to operationalise an administrative fine regime and strengthen accountability of the CEO, the board and business units, thereby establishing a “digital financial security” legal framework. Accordingly, enforcement of cybersecurity regulation in the financial sector is expected to become more robust going forward.

Regulation of Cross-Border Transfers of Personal Information

PIPA imposes separate legal requirements for cross-border transfers of personal information. “Cross-border transfer” includes not only the provision, or entrustment (outsourcing), of personal information to a third party located outside Korea, but also accessing personal information from abroad and storing personal information abroad.

Where personal information is transferred abroad, in addition to satisfying the general lawful basis requirements for personal information transfers (eg, consent for third-party provision or obligations associated with entrustment of processing), additional legal requirements apply. Specifically, the data handler must either:

• provide notice of the cross-border transfer and obtain separate consent; or
• disclose cross-border transfer matters in its privacy policy (limited to cases of entrustment of processing or storage).

Further, in response to increasing global data exchanges and co-operation, a 2023 amendment to PIPA added the following as “additional lawful bases” for cross-border transfers, to align with international standards.

• Where laws, treaties to which Korea is a party or other international agreements contain special provisions on cross-border transfers of personal information: however, in practice, Korea has not enacted such legal provisions or entered into treaties specifically governing cross-border transfers.
• Cross-border transfer certification: where the overseas recipient is certified by the PIPC and has implemented required safeguards. To date, there has been no case recognised by the PIPC in practice.
• Equivalence recognition by the PIPC: where the PIPC recognises that the level of data protection in a given country or international organisation is equivalent to the level under PIPA. This is similar to the GDPR adequacy decision mechanism. In September 2025, the PIPC recognised equivalence with respect to the EU, such that Korea and the EU currently mutually recognise the adequacy/equivalence of data protection. No country or international organisation other than the EU has yet been recognised as equivalent by the PIPC, but the PIPC plans to expand such recognitions gradually.

Separately, PIPA grants the PIPC authority to order a data handler to suspend cross-border transfers of personal information. Specifically, where cross-border transfers are ongoing or further cross-border transfers are anticipated, the PIPC may order suspension if:

• the data handler has violated PIPA’s cross-border transfer provisions; or
• the overseas recipient, the destination country or an international organisation does not adequately protect personal information compared to PIPA, and harm to data subjects has occurred or there is a significant risk that harm will occur.

Restrictions on Cross-Border Transfers in Outsourced Information Processing in the Financial Sector

Because the Credit Information Act (a special law vis-à-vis PIPA) does not separately stipulate cross-border transfer rules, cross-border transfers of personal credit information by financial institutions are not necessarily impossible if PIPA’s cross-border transfer requirements are satisfied. However, under Article 5(1) of the Regulations on the Outsourcing of Data Processing by Financial Institutions, outsourcing of data processing abroad is prohibited for unique identification information of individual customers (eg, resident registration numbers, passport numbers), even if safeguards such as encryption are applied. In general, use of cloud computing services is interpreted as an entrustment (outsourcing) of data processing, and these restrictions therefore constitute a key practical consideration for financial institutions seeking to use overseas cloud regions. Accordingly, when a financial institution builds cloud-based infrastructure, it is necessary to confirm whether the physical location of systems that process and store data is within Korea.

Vulnerability Analysis and Assessment Under the Regulations on the Supervision of Electronic Financial Transactions

Under Article 37-2 of the Regulations on the Supervision of Electronic Financial Transactions, financial institutions with total assets of KRW2 trillion or more and 300 or more regular employees must conduct vulnerability analyses and assessments of their IT functions at least once per year. With respect to websites, vulnerability analyses must be conducted at least once every six months.

Absence of a Korean TIBER/CBEST Framework

At present, Korea has not introduced a dedicated threat-led penetration testing (TLPT) framework directly corresponding to the EU’s Threat Intelligence-Based Ethical Red Teaming (TIBER) or the UK’s Cybersecurity Testing Framework based on Intelligence-Led Ethical Security Testing (CBEST). However, the FSI, as a specialised institution for vulnerability analyses and assessments of electronic financial infrastructure, may incorporate simulated hacking into such analyses and assessments. In practice, there are increasing examples of support for red-team testing of financial institutions, including instances where the FSI’s RED IRIS team, acting as white-hat hackers, attempts server hacking and DDoS attacks against financial institutions and evaluates response capabilities.

Korea has not yet enacted a comprehensive statute directly equivalent to the EU’s Cyber Resilience Act (CRA) to regulate security issues across the entire life cycle of individual products. Consequently, broad, cross-sector “security-by-design” obligations for ICT products and services remain largely uncodified in formal legislation.

Among existing Korean laws, the provision with the broadest applicability to cyber resilience is the “Obligation to Implement Information Security Measures”, stipulated in Article 45 of the Network Act. This provision mandates that ICSPs, alongside manufacturers or importers of specific network-connected devices designated by enforcement decree, implement technical and organisational security measures to ensure network stability and the reliability of information utilised in service provision (Article 45(1) of the Network Act).

With respect to IoT devices, KISA operates an “IoT Security Certification Service”, but this is a voluntary certification programme rather than a legally mandated requirement. That said, if a “Framework Act on Cybersecurity” is enacted in the future, a more comprehensive cyber-resilience framework – potentially including security requirements for connected devices – may be established, and legislative discussions on this point are ongoing.

Obligation to Implement Information Security Measures Under the Network Act

To guarantee network stability and information reliability, ICSPs must comply with formal information security guidelines and implement technical and organisational security measures, including strict access controls and the application of encryption technologies (Article 45(1)). The MSIT holds statutory authority to publicly notify the specific parameters of these security measures (Paragraph 2 of the same Article) and may issue corrective orders in the event of non-compliance (Article 64(4)).

IoT Security Certification System

Operated by KISA, the IoT Security Certification System is a voluntary framework that evaluates and certifies the security posture of IoT products against established criteria. The certification is divided into two tiers, “Lite” and “Standard”, covering a diverse array of devices ranging from smart home appliances to industrial IoT equipment. Although it lacks binding legal force, the certification offers a significant market advantage; government and public institutions explicitly grant preferential treatment to certified products during public procurement processes.

ISMS Certification

ISMS, Korea’s flagship cybersecurity certification scheme, is based on Article 47 of the Network Act. ISMS evaluates whether an organisation’s information security and data protection management system is established and operated in accordance with the applicable certification criteria. ISMS certification is mandatory for certain entities, including ICSPs (excluding financial institutions) with an average daily user base of at least 1 million in the preceding year, major ISPs and internet data centre (IDC) operators, among others (Article 47(2) of the Network Act; Article 49 of its Enforcement Decree). Certification audits are conducted by KISA and accredited certification audit bodies. The certification is valid for three years, and annual post-certification reviews are conducted to confirm continued compliance with the certification standards.

Separately, Article 32-2 of PIPA provides for a personal information management system (PIMS) certification. In practice, standalone PIMS certification is not typically pursued; instead, organisations obtain ISMS-P, which combines ISMS and PIMS. ISMS-P is not currently mandatory, and historically it has functioned, for example, as a mitigating factor in the event of PIPA violations. However, if the recently passed amendment to PIPA is implemented as enacted, ISMS-P certification is expected to become mandatory for certain large-scale data handlers going forward.

Cloud Security Assurance Programme (CSAP)

Pursuant to Article 23-2 of the Act on the Development of Cloud Computing and Protection of Users, a security certification regime for cloud computing services is in operation. State agencies and similar public bodies are required to give priority consideration to cloud computing services that have obtained this security certification. KISA serves as the certification body; however, because public-sector cloud security measures are overseen by the NIS, obtaining CSAP certification requires passing the NIS security suitability assessment. The certification is valid for five years. Certification levels are differentiated based on service type and security level, and CSAP functions in practice as a de facto entry requirement for cloud adoption by public institutions. That said, there is ongoing discussion about easing CSAP requirements.

Sector-Specific Security Certification Schemes

In the financial sector, under Article 14-2 of the Regulations on the Supervision of Electronic Financial Transactions, a financial institution or electronic financial business operator seeking to use cloud computing services must undergo a safety assessment through the “Integrated Support System for CSP Safety Assessments” operated by the FSI.

In the automotive sector, the Ministry of Land, Infrastructure and Transport (MOLIT) enacted the Notification on the Certification of Automobile Cyber Security Management Systems, etc., adopting the cybersecurity management system (CSMS) based on UN ECE R155 regulations. This framework is now formally codified in the Motor Vehicle Management Act, imposing statutory obligations on domestic automobile manufacturers and importers to obtain CSMS certification and comply with associated security mandates (Article 30-9 of the Motor Vehicle Management Act).

Obligation to Implement Security Measures for Personal Information

To prevent data breaches – statutorily defined as the loss, theft, leakage, forgery, alteration or damage of personal information – PIPA and the PIPC’s Standards of Security Measures for Personal Information mandate that data handlers implement rigorous technical, organisational and physical security measures. These mandatory measures include:

• the management of access rights (Article 5);
• strict access controls (Article 6);
• the encryption of personal information (Article 7);
• the retention and periodic inspection of access logs (Article 8);
• the prevention of malware (Article 9);
• physical security measures (Article 10);
• security measures in preparation for disasters and emergencies (Article 11); and
• the secure destruction of personal information (Article 13).

Data Breach Notification and Reporting

Upon recognising that a data breach has occurred, a data handler must notify the affected data subjects within 72 hours (Article 34(1) of PIPA).

The statutory notice must explicitly include:

• the categories of personal information compromised;
• the timing and circumstances of the breach;
• actionable steps data subjects can take to minimise damage;
• the data handler’s remediation measures and damage relief procedures; and
• the contact details of the dedicated response department (Article 34(1) of PIPA).

Under the amended PIPA (passed in February 2026), this notification must also detail rights relief mechanisms, such as claiming damages and utilising dispute resolution. Crucially, the amendment triggers the notification obligation even if an actual breach is not confirmed, provided there is a “possibility” of a breach or similar incident.

Furthermore, the data handler must report the breach to the PIPC or KISA within 72 hours if the incident involves:

• the personal information of 1,000 or more data subjects;
• sensitive information or unique identification information; or
• unauthorised external access (eg, hacking) to the data processing system or the IT devices used by personnel of the data handler (Article 34(3) of the PIPA; Article 40 of its Enforcement Decree).

Consequently, any data breach resulting from a cyber-attack triggers an automatic statutory reporting obligation.

Administrative Penalties and Punitive Damages

In the event of a data breach, unless the data handler successfully demonstrates full compliance with the implementation of all required security measures under PIPA, the PIPC may impose a penalty surcharge of up to 3% of the data handler’s total revenue (excluding revenue proved to be unrelated to the violation) (Article 64-2 of the PIPA). Significantly, once the February 2026 amendment to PIPA takes effect, this ceiling increases dramatically. The PIPC will be authorised to impose administrative penalties of up to 10% of total revenue for breaches caused by:

• repeated violations within three years due to intent or gross negligence;
• large-scale damage affecting 10 million or more individuals due to intent or gross negligence; or
• the failure to comply with prior corrective orders.

Additionally, a 2023 amendment to PIPA introduced an aggravated damages mechanism. If a data breach is caused by the intent or gross negligence of the data handler, courts are authorised to award damages up to five times the actual proven amounts (Article 39(3) of PIPA).

Security Protection of IT Systems Processing Credit Information

Within the financial sector, Article 19 of the Credit Information Act mandates that credit information companies establish robust technical, physical and organisational security measures for their IT systems processing credit information. The detailed content of such measures is set out in Article 16 of the Enforcement Decree of the Credit Information Act and Appendix 3 to the Supervisory Regulations on Credit Information Business.

Regulations Under the AI Framework Act

The AI Framework entered into force on 22 January 2026. This legislation imposes affirmative safety obligations on AI operators meeting specific statutory criteria. Specifically, an AI operator must fulfil safety obligations prescribed by the MSIT’s Notification on Methods for Fulfilling Safety Assurance Obligations for AI if their AI systems:

• utilised a cumulative compute exceeding 1,026 floating-point operations (FLOPs) during training;
• are constructed and operated using the most cutting-edge AI technologies currently available; or
• pose a risk of causing widespread and severe impacts on human life, physical safety and fundamental rights (Articles 32 and 34).

Furthermore, operators of “high-impact AI” – defined as AI systems utilised in critical sectors such as healthcare and energy that harbour the potential to significantly impact or endanger human life, physical safety and fundamental rights – must adhere to supplementary regulatory controls outlined in the MSIT’s Guidelines on the Responsibilities of High-impact AI Operators. These mandatory obligations heavily intersect with cybersecurity, encompassing the strict security assurance of AI systems and guaranteeing the integrity of AI training data.

Regulation Under PIPA

Where an AI system processes personal information, PIPA’s security safeguard obligations (Article 29) apply in the same manner. The PIPC has provided guidance on security safeguards for personal information processing in AI development and use through materials such as the “Guidelines on Personal Information Processing for the Development and Use of Generative AI”.

Those guidelines distinguish between “model developers” and “model users”, and present items each should follow, dividing them into mandatory requirements and voluntary responsibilities.

Overlap of the Medical Service Act and PIPA

Health information constitutes sensitive information under PIPA (Article 23(1)), and accordingly it is subject to enhanced regulation; as a result, heightened standards also apply to security safeguards (Articles 23(2) and 29 of PIPA). Separately, where healthcare professionals or medical institutions create and store medical records and similar documentation as electronic medical records (EMRs), they must maintain the facilities and equipment necessary to manage and preserve such records securely (Article 23 of the Medical Service Act). The Ministry of Health and Welfare (MOHW) issues and administers a public notice titled “Standards for Facilities and Equipment Necessary for the Management and Preservation of Electronic Medical Records”, which sets standards for security measures such as retention of EMR access logs, as well as standards for EMR system facilities and equipment. In addition, with respect to the use of healthcare data, the PIPC and the MOHW jointly established and operate the “Healthcare Data Guidelines”.

Medical Device Cybersecurity Guidelines

The Ministry of Food and Drug Safety (MFDS) has established and operates the “Guidelines for Cybersecurity Approval and Review of Medical Devices”, which set out minimum security requirements and the scope of materials to be submitted in connection with the approval and review of medical devices to address cybersecurity threats. These guidelines present standards for security risk management, the implementation of security functions and post-market security management for network-connected medical devices, including software as a medical device (SaMD).