
Reformation of Network Separation Regulations for Use of SaaS

2026.04.22

On January 20, 2026, the Financial Services Commission and the Financial Supervisory Service (collectively, the “Financial Authorities”) announced a plan to reform the existing network separation regulations to allow financial companies to use cloud-based application software (Software as a Service, “SaaS”) on their internal networks without having to undergo the application process for being designated as the Innovative Financial Services (Regulatory Sandbox), on the condition that they comply with specific security protocols. Accordingly, the Financial Authorities issued a prior notice (for the period from January 20, 2026 to February 9, 2026) regarding the proposed amendment to the Detailed Enforcement Rules of the Electronic Financial Supervisory Regulations (the “Amendment”) to allow exceptions to the network separation regulations for the use of SaaS.

SaaS offers significant advantages, including seamless updates and maintenance, device compatibility, and efficient management of IT infrastructure. While many industries are rapidly replacing legacy on-premises software with SaaS, financial institutions in Korea have faced limitations in using SaaS due to strict network separation regulations under the Electronic Financial Supervisory Regulations.

Until recently, the Financial Authorities had permitted the use of SaaS by granting exemptions from the network separation requirements through the Innovative Financial Services (Regulatory Sandbox) designation to services that had implemented sufficient security measures. Based on the accumulated cases over time, the Financial Authorities have now drafted the Amendment to improve the network separation system, allowing SaaS to be operated as a permanent exception to these regulations.

The purpose of the Amendment can be summarized as “granting exceptions to the network separation requirements for SaaS usage on internal business networks, while imposing corresponding obligations for alternative information security controls.” Key provisions of the Amendment are as follows:
 

1. Stipulation of SaaS Services as an Exception to Network Separation Regulations
 

  • Any “service of providing software, including applications (i.e., SaaS)” prescribed in Article 3, Item 2 of the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users is explicitly designated as an exception to the network separation regulations under Article 15(1), Item 3 of the Electronic Financial Supervisory Regulations (the “Network Separation Requirements under Item 3”). The Network Separation Requirements under Item 3 are applicable to terminal devices such as computers and laptops. In cases where SaaS is used on terminal devices, the aforementioned network separation exceptions will be applicable.
     

  •  However, in consideration of concerns regarding personal information leakage, these network separation exceptions will not be allowed when processing users’ unique identification information or personal credit information. Furthermore, as the aforementioned exceptions do not apply to the network separation requirements under Article 15(1), Item 5 of the Electronic Financial Supervisory Regulations—which pertain to information processing systems such as servers—the use of SaaS within such information processing systems will remain prohibited.
     

2. Establishment of Institutional Measures for Information Protection Controls
 

  • As exceptions to the network separation regulations for SaaS become available, it will be mandatory for financial companies to establish rigorous information security control measures in order to close any potential loopholes.
     

  • More specifically, a financial company must establish and implement internal protocols in accordance with the following obligations: (i) use SaaS that has undergone evaluation by an incident response agency (e.g., Financial Security Institute); (ii) establish protection measures for terminal devices (e.g., computers and mobile devices) accessing the SaaS; (iii) implement strict security management protocols, such as secure authentication methods and the principle of least privilege; (iv) monitor and control the input, processing, and potential leakage of critical information; (v) prevent unnecessary transfer and processing of data within SaaS, and control unauthorized access to the external internet; and (vi) establish and apply encryption for the network layer utilized by the SaaS. In addition to the foregoing, the implementation status of these information security controls must be evaluated semi-annually and reported to the financial institution’s internal Information Protection Committee (chaired by the Chief Information Security Officer).
     

Comparison Table of Current Provisions and Proposed Amendment
(amended provisions in Annex Table 7 are omitted)

Current Provisions

Article 2-3 (Exceptions to Network Separation)

(1)    Cases where confirmation is obtained from the Governor of the Financial Supervisory Service under Article 15(1) Item 3(b) of the Electronic Financial Supervisory Regulations shall be as follows:
1. ~ 2. (Omitted)
<Newly Inserted>

(2)    (Omitted)
(3)    (Omitted)
<Newly Inserted>

Proposed Amendment

Article 2-3 (Exceptions to Network Separation)

(1)    Cases where confirmation is obtained from the Governor of the Financial Supervisory Service under Article 15(1) Item 3(b) of the Electronic Financial Supervisory Regulations shall be as follows:
1. ~ 2. (Same as left)
3.    Where it is for the purpose of using any “service of providing software, including applications” prescribed in Article 3, Item 2 of the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users, which does not process users’ unique identification information or personal credit information.

(2)    (Omitted)
(3)    (Omitted)
(4)    In the cases falling under Paragraph (1), Item 3, a financial company or electronic financial business entity shall ensure that its compliance with information protection controls, which have been implemented in lieu of network separation as prescribed in Annex Table 7, is evaluated semiannually and reported to its internal information protection committee.
 

 

The Amendment is scheduled to be finalized and implemented after the prior notice period and review by the Regulatory Reform Committee. In conjunction with the implementation, a security manual containing detailed guidelines to address security threats is expected to be prepared and distributed.

Once the Amendment becomes effective, financial companies will be able to use various SaaS services in their business operations without having to undergo the individual review process for Innovative Financial Services, thereby simplifying the SaaS implementation process. This is anticipated to enhance overall operational efficiency and facilitate collaboration both within and outside the organization by establishing standardized administrative systems with their overseas branches and global affiliates. Moreover, significant cost savings are expected through the efficient utilization of financial companies’ IT resources.

Financial companies planning to integrate SaaS into their operations following these regulatory reforms would be well advised to carefully examine and ensure full compliance with the provisions of the Amendment.
 
