Cybersecurity regulation in South Korea (2026)
South Korea regulates cybersecurity through multiple sector-specific laws rather than one omnibus statute: the Network Act governs information and communications service providers, PICIA (the Act on the Protection of Information and Communications Infrastructure) protects designated critical information infrastructure, PIPA imposes data-security and breach-notification duties on all data controllers, and financial-sector rules apply to banks and fintech. National strategy is set by the National Cybersecurity Strategy and Basic Plan (revised 2024) and coordinated across MSIT/KISA for the private sector and the National Intelligence Service for the public sector. A major PIPA amendment passed in 2026 (most provisions effective 11 September 2026) tightens breach-notification timing, raises penalties, and phases in mandatory ISMS-P certification.
Key points
Rather than a NIS2-style comprehensive cybersecurity act, Korea relies on a complex set of sector-specific statutes. The Network Act is the foundational law for information and communications service providers; PIPA, PICIA and financial-sector rules layer on top.
The Act on the Protection of Information and Communications Infrastructure lets central agencies designate 'critical information and communications infrastructure', which is subject to periodic vulnerability analysis; any 'electronic intrusion' (hacking, malware, DoS, etc.) must be reported to the relevant authority and KISA.
Data controllers must notify affected data subjects and the Personal Information Protection Commission of personal-data breaches. The 2026 PIPA amendment moves the trigger to a 'reasonable likelihood' of a breach (before full verification) and expands notifiable events to include forgery, alteration and destruction of data (covering ransomware/data-corruption scenarios).
Passed by the National Assembly in February 2026 and promulgated March 10, 2026 (most provisions effective Sept 11, 2026): maximum administrative penalty raised from 3% to up to 10% of total revenue in defined cases, the business representative designated 'ultimate person responsible', and ISMS-P certification made mandatory for large-scale data controllers from July 1, 2027.
Banks, fintech and electronic-finance businesses are governed by the Electronic Financial Transactions Act and FSC/FSS rules; the Regulations on the Supervision of Electronic Financial Transactions were comprehensively revised effective February 5, 2025, shifting from a prescriptive 'rule-based' to a 'principle-based' security regime.
The National Cybersecurity Strategy and accompanying National Cybersecurity Basic Plan (revised 2024) set five objectives and ~100 initiatives; the government issued '1st Comprehensive Interagency Information Security Countermeasures' (Oct 2025) and a refined '2nd' set (Jan 2026). MSIT/KISA handle the private sector and the National Intelligence Service coordinates public-sector/national security cyber matters.
Timeline - major decisions & events
12 February 2026: The National Assembly passed a major PIPA overhaul, promulgated 10 March 2026 (most provisions effective 11 September 2026; mandatory ISMS-P from 1 July 2027). Key changes include an aggravated administrative penalty of up to 10% of total annual turnover for serious or repeated violations, express CEO accountability, strengthened Chief Privacy Officer authority, and mandatory ISMS-P certification for data controllers meeting prescribed size/data-volume thresholds, converting a previously voluntary standard into a statutory obligation.
Source: Lee & Ko (law firm analysis of the National Assembly bill)

September 2025: A lithium-ion battery fire at South Korea's National Information Resources Service (NIRS) burned for 22 hours, damaging a facility that hosts more than one-third of the central government's information systems; water suppression could not be used on the battery fire, so gas systems were required. The incident exposed the fragility of centralised government ICT infrastructure and prompted emergency reviews of backup and business-continuity obligations across public agencies.
Source: TechCrunch

August 2025: The Personal Information Protection Commission fined SK Telecom ₩134.8 billion (about $97 million), the largest privacy penalty in the country's telecoms sector, for failing to encrypt 26.1 million SIM authentication keys, maintaining inadequate network segmentation, and delaying breach notifications after attackers exfiltrated USIM data of roughly 23 million subscribers. The regulator ordered a company-wide security overhaul; SK Telecom filed suit in January 2026 to overturn the fine.
Source: DataGuidance

April 2025: SK Telecom, South Korea's largest mobile carrier, disclosed that attackers had maintained undetected access for nearly three years, stealing IMSI numbers, USIM authentication keys, and other sensitive identifiers for approximately 23 million subscribers. The breach is among the most consequential in the country's history given its national-security implications (theft of SIM authentication keys enables SIM cloning and interception) and triggered parliamentary hearings, emergency SIM replacements, and the record PIPC enforcement action.
Source: Alston Privacy & Cybersecurity Blog

14 August 2024: Amendments to the Act on Promotion of Information and Communications Network Utilisation and Information Protection (Network Act) entered into force, requiring information and communications service providers to report cybersecurity incidents to the Korea Internet & Security Agency (KISA) within 24 hours of detection and to file supplementary reports within 24 hours of confirming additional details. The CISO role was expanded to cover staffing and budget oversight for security and to include regular board-level reporting; repeat offenders face administrative fines of up to 3% of annual revenue.
Source: Kim & Chang (analysis of the official Network Act amendment)

February 2024: The National Security Office published a new National Cybersecurity Strategy, shifting South Korea's posture from purely defensive to proactive "offensive cyber defence": authorising pre-emptive operations against threat actors targeting national security, with an emphasis on public attribution, threat-intelligence sharing, and joint advisories with allies (notably the United States). A follow-up National Cybersecurity Basic Plan detailed implementation tasks across government, critical infrastructure, and the private sector.
Source: NK News

15 September 2023: A sweeping PIPA amendment (passed May 2023) took effect, extending the stricter security and breach-notification duties previously reserved for online businesses to all data controllers. Organisations suffering hacks that expose sensitive or identifying data of more than 1,000 people must notify the PIPC and affected data subjects within 72 hours; large data controllers must purchase breach-liability insurance; and the PIPC was confirmed as the sole independent supervisory authority for all sectors.
Source: DataGuidance

5 August 2020: Amendments to three laws (PIPA, the Network Act, and the Credit Information Act), passed by the National Assembly in January 2020, took effect. The reform introduced legal recognition of pseudonymised data (enabling use for research and statistics without consent), consolidated overlapping privacy obligations into a unified PIPA regime, and transferred all private-sector data-protection supervision to an independent PIPC, eliminating duplicative oversight by the Korea Communications Commission and the Financial Services Commission.
Source: Korea Legislation Research Institute (KLRI), official statutory text

November 2018: The Information Security Management System (ISMS) and the Personal Information Management System (PIMS) were merged into a single ISMS-P certification administered by KISA, creating one standard that covers both cybersecurity controls and personal-data-protection processes. The ISMS portion of the certification is mandatory for large internet service providers, hospitals, and educational institutions exceeding specified user or revenue thresholds; the personal-information (P) portion remained voluntary until the 2026 PIPA amendment.
Source: Baker McKenzie Global Data and Cyber Handbook

January 2014: A Korea Credit Bureau (KCB) contractor copied financial records, including names, resident registration numbers (the national ID number) and credit-card details, of approximately 20 million people (roughly 40% of the population) from three major credit-card companies onto a USB drive and sold the data to marketing firms. The incident exposed the absence of mandatory encryption and adequate access controls; it prompted emergency legislative amendments and senior executive resignations, and accelerated the push for the ISMS-P merger and stricter security-obligation rules.
Source: SecurityWeek

Presidential Directive No. 316 formalised South Korea's whole-of-government cybersecurity structure, designating the National Security Office as the apex coordinating body, the National Intelligence Service's National Cyber Security Center as responsible for government network security, the Ministry of the Interior and Safety for public-institution security, the Ministry of Science and ICT for private-sector security, and the Ministry of National Defense for military systems. This framework remained the structural backbone of Korean cybersecurity governance until the 2024 Strategy.
Source: NATO CCDCOE (Tallinn), National Cybersecurity Organisation: Republic of Korea (2022)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.