South Korea's National Intelligence Service said on Monday it conducted on-site cybersecurity inspections of 152 government and public bodies, including central ministries, metropolitan local governments and public institutions. It disclosed the results through the 2025 cybersecurity assessment.

The NIS said 32 public agencies, including Korea District Heating Corp, received an “excellent” rating, up 3 from 2024, when 29 agencies received the grade. It said the agencies actively pursued efforts such as continuously checking for vulnerabilities and making improvements. Korea Land and Housing Corp and the Korea Petroleum Management Institute were upgraded from “average” in 2024 to “excellent” in 2025 after working to expand dedicated cybersecurity teams and improve security management at outsourced project sites.

No metropolitan local governments received an “excellent” rating in 2025, as in 2024. The number of central ministries rated “excellent” fell to 0 in 2025 from 3 in 2024 due to factors including insufficient control of unauthorised IT devices.

No public agencies received a “poor (60 points or below)” rating, but 6 central ministries and metropolitan local governments were included, such as the Korea Communications Commission, the National Fire Agency, the Korea AeroSpace Administration, the Overseas Koreans Agency, Seoul and Chungcheongnam-do.

The Korea Communications Commission had received an “average” rating in 2024, but fell to “poor” in 2025 due to factors including a lack of dedicated cybersecurity staff and weak management capabilities. The National Fire Agency, the Overseas Koreans Agency, Seoul and Chungcheongnam-do were rated “poor” for a second straight year, following 2024.

For the National Fire Agency and the Overseas Koreans Agency, an overall lack of attention to cybersecurity across the organisations and low improvement efforts were confirmed.

Seoul had some improvements, including establishing a dedicated organisation, but security management was insufficient due to inadequate staffing relative to the size of its systems. For Chungcheongnam-do, weak security measures for major vulnerabilities identified in 2024 led to the “poor” assessment.

Many organisations carried out drills for real-world situations only formally, such as the fire at the National Information Resources Service that occurred in 2025. In particular, central ministries were relying entirely on the National Information Resources Service for backup and recovery measures. The NIS said it will focus on checking the establishment of disaster recovery systems and practical recovery training, as well as access controls to prevent unauthorised access to key systems, in the 2026 assessment.

An NIS official said it will build an “active and substantive” cybersecurity assessment by accurately evaluating the security management level and capabilities of government and public institutions as they are and by supporting comprehensive security consulting for organisations rated “poor”. The official said it will continue efforts to improve overall national security levels by proactively addressing related problems.