On 1 October 2026, the incident response, user notification, and organisational obligations in the Act on Promotion of Information and Communications Network Utilization and Information Protection (Law No. 21500) enter into force. Major information and communications service providers must make efforts to secure personnel with expertise in information security and maintain sufficient budgets. Information and communications service providers, excluding medium-sized enterprises, must designate an executive officer as their Chief Information Security Officer, whose responsibilities include managing information security personnel, formulating the information security budget, and reporting information security status to the Board of Directors. Providers meeting asset and revenue thresholds set by Presidential Decree must establish and operate an Information Security Committee chaired by the Chief Information Security Officer. Upon the occurrence of a cybersecurity incident, providers must notify the relevant authorities within 24 hours of becoming aware of the incident and must notify affected users without delay. Providers must prepare a cybersecurity incident management and response manual suited to the scale and nature of their services, submit it to the Korea Ministry of Science and ICT and the Korea Internet & Security Agency, and keep it updated whenever revised. Where a cybersecurity incident occurs, providers must take measures to prevent the spread of damage to users, provide prompt relief, and report the details and results of those measures to the Minister. The Information Security Level Evaluation obligations enter into force on 1 April 2027.