Cybersecurity regulation in North Korea (2026)
North Korea (DPRK) has no comprehensive, NIS2-style cybersecurity law and no modern data-breach/incident-notification regime in the Western sense. Instead, security obligations are embedded in IT-control legislation—chiefly the Information Technology Law amended in 2022—which mandates state-standard security measures and registration for information systems, framed around regime control and 'self-reliant' technology rather than protecting private data subjects. The country operates a largely isolated national intranet (Kwangmyong) with all external traffic routed through a small number of foreign providers, reflecting a model of centralized state control rather than a transparent regulatory framework.
Key points
The Information Technology Law, amended in 2022, has 5 chapters and 43 articles covering planning, implementation, infrastructure and state oversight of IT. It is the closest thing to a domestic cyber/information-security statute, but is oriented toward state control and technological self-reliance rather than risk-based cybersecurity protection.
Article 19 requires all information systems to establish security measures in line with state standards and to undergo mandatory review and registration; Article 27 requires IT equipment and software to be produced per state plans, promoting domestic 'our-style' IT. These are control/approval duties, not breach-protection rules.
There is no publicly documented data-protection law or breach/incident-reporting duty comparable to GDPR, NIS2 or South Korea's PIPA. Obligations to notify affected individuals or a regulator after a security incident do not exist in any verifiable DPRK statute.
Domestic computing runs on the closed national intranet Kwangmyong, largely cut off from the global Internet; the limited external connectivity is routed through China Unicom and Russia's TransTeleCom. This architecture functions as a de facto state security control rather than a published cybersecurity standard.
Adjacent laws include the Software Industry Law (2004) and a 2022 public-reporting (complaints) law, but DPRK legal texts are rarely published officially; most English-language texts come from researchers such as Daily NK, NK TechLab and Columbia's compendium, so coverage is incomplete and hard to verify against an official gazette.
Cyber capacity is concentrated in state organs such as the Reconnaissance General Bureau under the leadership; the DPRK is internationally known as a source of offensive operations (e.g., crypto theft) rather than as a jurisdiction with civilian cybersecurity compliance obligations for businesses.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.