Republic of Korea: President signed Bill amending Network Act including incident response obligations and enforcement measures

On 31 March 2026, the President of Korea promulgated the Act on Promotion of Information and Communications Network Utilization and Information Protection as Law No. 21500. The Bill includes provisions on incident response and enforcement. It applies to information and communications service providers, including major providers and colocation facility operators. The Bill introduces obligations to designate a Chief Information Security Officer, establish an Information Security Committee, and undergo annual government evaluations of network stability and reliability, as well as compliance with statutory requirements. The Bill also requires providers to report cybersecurity incidents within 24 hours of becoming aware of them and to notify affected users without delay. In addition, it provides for enforcement levies in cases of non-compliance and penalty surcharges of up to 3% of revenue for repeated incidents resulting from intent or gross negligence. Further provisions require providers to prepare and submit cybersecurity incident management and response manuals and to implement measures aimed at addressing user harm. The main provisions of the Act will enter into force on 1 October 2026. The Information Security Level Evaluation obligations will enter into force on 1 April 2027.