A revised Act on Promotion of Information and Communications Network Utilization and Information Protection, also known as the Network Act, requiring companies to appoint a chief information security officer (CISO) at executive level passed a cabinet meeting on March 24. The criteria for mandatory application were delegated to an enforcement decree.
According to relevant agencies on March 27, the revision is expected to be promulgated as early as next week. A bill approved by the cabinet is promulgated once it is signed by the president and published in the official gazette. The revision is set to take effect six months after promulgation, which is expected to be late September to early October this year. Provisions on assessing and disclosing information security levels will take effect separately one year after promulgation, to allow for on-site preparations.
The revision is a committee alternative that integrates and coordinates 24 bills introduced by ruling and opposition lawmakers. A series of security breaches involving major mobile carriers such as SK Telecom, KT and LG Uplus, as well as financial companies, served as the direct trigger.
The core change is the requirement to designate the CISO at executive level. CISO duties were expanded to include managing information security personnel, budgeting and reporting the information security status to the board of directors. Companies above a certain size must also establish and operate an information security committee chaired by the CISO. Criteria for which companies must set up the committee will be set by an enforcement decree.
Penalties for security incidents were also strengthened. If at least two security incidents occur within five years due to intent or gross negligence, authorities can impose a penalty surcharge of up to 3 percent of annual sales. If a company refuses to submit data, obstructs an investigation or fails to comply with a corrective order during an investigation, it can also face a daily enforcement fine of up to 0.03 percent of average daily sales. The reporting deadline for a security incident was clarified as within 24 hours of the company becoming aware of it, and the government can investigate even when there are only circumstances suggesting an incident may have occurred. A new obligation was added to notify users without delay when an incident occurs. The Ministry of Science and ICT will create a Security Incident Investigation and Deliberation Committee, which will operate on a temporary basis until Dec. 3, 2030, before being converted into a standing body.
The law has passed, but preparations are insufficient. According to the 2025 Report on the Status Analysis of Information Security Disclosures published by the Korea Internet & Security Agency (KISA), only 70.9 percent, or 537, of the 757 companies participating in disclosures had CISOs at executive level. The remaining 220 companies, or 29.1 percent, had non-executive CISOs or none designated.
Among 513 listed companies with sales of at least 300 billion won, a key target of the revised requirement, the executive-level share was even lower at 67.4 percent, meaning about 167 of them must raise the CISO's rank before the law takes effect. Among the 512 companies with fewer than five dedicated information security staff, the executive-level share was 67.2 percent, and among the 137 companies with information security investment of less than 100 million won it was 64.2 percent, indicating lower readiness among smaller firms. By industry, the executive-level share was lowest in transportation and warehousing at 40.9 percent, followed by construction at 60.0 percent and wholesale and retail at 64.9 percent. Even the information and communications industry stood at only 75.4 percent.
The key point of contention is mid-sized companies. The standard for mid-sized companies follows Article 2(2) of the Framework Act on Small and Medium Enterprises, but how those mid-sized companies must comply with the mandatory CISO designation was delegated to an enforcement decree, and that decree has not yet been put out for legislative notice.
An official at a mid-sized IT company said, "We are not a security specialist company and have built our executive team divided by business and technology," adding, "There will be personnel and organizational burdens from mandating a CISO, and there is the added difficulty that information security experts who can be appointed at executive level are limited in Korea."
An official at another mid-sized AI company said, "Six months is tight to secure a professional CISO and design a security system," adding, "Many companies will likely consider having the CTO concurrently serve, but without clear guidelines on the scope of permitted dual roles, it could end up as only a formal appointment."
Companies with weak CISO systems will also face a heavier penalty surcharge burden. The legal community expects that, when assessing "intent or gross negligence" as a condition for the penalty surcharge for repeated security incidents, authorities will comprehensively consider whether the CISO is an executive, the board reporting system and the company’s record of security investment. As security budget and staffing investment records are codified as grounds for reducing penalty surcharges, companies that fail to establish an executive-level CISO system will have less room for reductions if an incident occurs.
The revision may not be the end, which is also a potential burden. A bill to further strengthen penalties for failure to report security incidents is pending in the National Assembly. A proposal by Democratic Party lawmaker Yong-man Kim (김용만) includes automatic notification to investigative agencies when an incident is reported, while a proposal by People Power Party lawmaker So-hee Kim (김소희) includes adding administrative fines in proportion to the number of days a report is delayed.
A Ministry of Science and ICT official said, "We will continue to consider possible support, including measures to strengthen roles and capabilities related to the establishment of an information security committee." Vice Prime Minister and Minister of Science and ICT Kyung-hoon Bae (배경훈) said, "This Network Act revision will raise the prevention and response system for cyber security incidents by a level, ease public anxiety, and serve as a foundation for companies to continue growing under thorough security."