Republic of Korea: National Assembly adopted Bill amending Network Act including incident response obligations and enforcement measures

On 20 March 2026, the Bill amending the Network Act, including incident response obligations and enforcement measures, was adopted by the National Assembly. The Bill includes provisions on incident response and enforcement. It applies to information and communications service providers, including major providers and colocation facility operators. The Bill introduces obligations to designate a Chief Information Security Officer, establish an Information Security Committee, and undergo annual government evaluations of network stability and reliability, as well as compliance with statutory requirements. The Bill also requires providers to report cybersecurity incidents within 24 hours of becoming aware of them and to notify affected users without delay. In addition, it provides for enforcement levies in cases of non-compliance and penalty surcharges of up to 3% of revenue for repeated incidents resulting from intent or gross negligence. Further provisions require providers to prepare and submit cybersecurity incident management and response manuals and to implement measures aimed at addressing user harm.