
Government Unveils Government-Wide Cybersecurity Plan

2025.10.22

On October 22, 2025, in response to the growing frequency and scale of hacking incidents and data breaches, the Korean government announced a government-wide comprehensive cybersecurity plan, aimed at strengthening the nation’s overall information security capabilities.
 
Led by the Office of National Security, this plan brings together key government bodies, including the Ministry of Science and ICT, the Financial Services Commission, the Personal Information Protection Commission, the National Intelligence Service, and the Ministry of the Interior and Safety, for a unified, government-wide systematic response to cyber threats.
 
Key initiatives of the plan include: (i) conducting comprehensive security inspections of critical IT systems closely tied to people’s daily lives, (ii) establishing a consumer-centric incident response framework and enhancing countermeasures to prevent recurrence and improve overall effectiveness, (iii) strengthening cybersecurity capabilities across public and private sectors, fostering a globally aligned security environment, and promoting the growth of the cybersecurity industry, workforce, and technological innovation, and (iv) reinforcing national cybersecurity cooperation through expanded inter-agency and cross-sector collaboration.
 

1. Establishment of Enhanced Information Security Management Framework

The government will immediately launch extensive security vulnerability inspections on more than 1,600 IT systems[1] used widely by the public, including those in the public, financial, and telecommunication sectors. In particular, telecommunication service providers will undergo rigorous, unannounced inspections simulating real-life hacking scenarios, and they will also be required to establish robust identification and management systems for key IT assets. Small-scale base stations (femtocells) found to lack a sufficient security level will be subject to immediate

Security certification systems, such as ISMS and ISMS-P, will place greater emphasis on on-site audits, accompanied by strengthened post-certification oversight duty. Certifications may be revoked if critical deficiencies are found. Additionally, the government plans to implement a continuous vulnerability assessment framework involving simulated hacking exercises and white-hat hackers to identify and address security vulnerabilities.
 

2. Implementation of Consumer-centric Incident Response Framework

The government plans to reduce the burden of proof on consumers seeking compensation in the event of a hacking incident and to introduce user protection manuals for key sectors, such as telecommunications and finance. Also, the government will consider the creation of a dedicated fund that would allocate revenues from fines imposed for data breaches toward victim support.
 
In addition, the government will expand its authority to conduct on-site investigations when signs of hacking are detected without waiting for the affected companies to file an intrusion incident or data breach report. Sanctions will also be increased for violations, such as delayed breach reporting, failure to implement recurrence prevention measures, and repeated leaks of personal/credit information. These violations will be subject to increased administrative fines and penalties, enforcement fines, and punitive fines.
 

3. Strengthening National Information Security Infrastructures
  

  • Promoting Investment and Enhanced Support for Small and Medium-sized Enterprises (SMEs): The government will expand the cybersecurity disclosure requirement to all listed companies[2]. A public rating system will be introduced that uses these disclosures to classify and publish each company’s cybersecurity capacities.

    Furthermore, the government will codify the CEO’s cybersecurity responsibilities into law. The authorities of Chief Information Security Officers and Chief Privacy Officers will be significantly strengthened, granting them control over all IT assets and empowering them in areas such as staffing, budgeting, and execution of cybersecurity initiatives. Their regular reporting to the board of directors will also be mandated to ensure top-level oversight.
     
    To support SMEs with limited in-house cybersecurity capabilities, the government will offer targeted assistance to enhance their cybersecurity (such as expanding the number of regional cybersecurity support centers and implementing additional support measures).
     

  • Aligning with Global Standards and Creating a Secure Digital Environment: Starting from 2026, financial institutions and public agencies will gradually phase out the practice of requiring consumers to install specific security software. Instead, they will adopt more advanced measures, such as multi-factor authentication and AI-based anomaly detection systems. The current standardized approach to physical network separation will transition toward models that prioritize data security.
     
    By 2027, public sector IT systems and products will be required to submit a Software Bill of Materials to ensure transparency and traceability of software components. IT products found to have security vulnerabilities will be restricted from public procurement. Additional initiatives include strengthening cloud security requirements and publishing security evaluations for both industrial and consumer IT products, such as IoT products.

     

  • Positioning Cybersecurity as a Strategic Sector and Fostering Talent & Innovation: The government will foster next-generation security service providers, such as those developing AI agent-based security platforms, with a goal of creating about 30 new companies annually. To further strengthen the foundation of the cybersecurity industry, the scope of designated information protection services[3] will be expanded.
     
    Moreover, around 500 elite white-hat hackers will be trained annually to strengthen national cyber defense capabilities. To prepare for the quantum era, the government will initiate a transition in national cryptographic infrastructure, including the development of post-quantum cryptography (PQC) technologies.
     
    By 2026, the government plans to introduce security checklists and guidelines to ensure the safe use and development of emerging mobility technologies (such as autonomous vehicles, intelligent robots, and drones) within the public sector.

     

4. Implementation of Consumer-centric Incident Response Framework

The Committee for the Protection of Critical Information Infrastructure (chaired by the Minister of the Office for Government Policy Coordination) with inter-agency authority will expand the designation of critical information infrastructure. During incident investigation stages, Cyber Incident Response Headquarters (designated as the National Cyber Crisis Management Center) will be activated to lead coordinated response efforts. To minimize confusion at the field level, the government will streamline the currently fragmented investigation processes across ministries. This includes introducing a one-stop reporting system, optimizing the timing of investigation team deployments, and strengthening inter-agency information sharing.
 
While the current comprehensive plan focuses on short-term initiatives that can be implemented immediately, the government also intends to establish a long-term national cybersecurity strategy within the year.
 


[1] 288 public infrastructure systems, 152 central and local government systems, 261 financial sector systems, and 949 ISMS-certified companies in telecom, platform services sectors, etc.
[2] This will increase coverage from the current 666 companies to approximately 2,700.
[3] Under the Act on the Promotion of Information Security Industry, this designation system certifies companies as providers of secure and reliable information protection services. Currently, it applies only to firms specializing in security consulting and monitoring, but it will be expanded to include specialized providers in areas such as AI security and software supply chain protection.
 
