Ministry of Science and ICT and National Intelligence Service Announce Plan to Improve Entry Process for Public Cloud Market

The Ministry of Science and ICT (the “MSIT”) and the National Intelligence Service (the “NIS”) jointly announced the “Plan to Improve Entry Process to the Public Cloud Market” (the “Improvement Plan”) on April 20, 2026 (Link).

Historically, cloud service providers seeking to enter the public sector were subject to a dual-layered burden: (i) Cloud Security Assurance Program (“CSAP”) managed by the MSIT, and (ii) a separate Security Verification conducted by the NIS. The Improvement Plan aims to integrate these processes into a single verification system led by the NIS, enhancing procedural efficiency for foreign and domestic providers alike. Please refer to the key details of the Improvement Plan below.

1.	Integration of the Public Cloud Security Verification System While specific technical criteria are still being finalized, the integration of the existing dual processes is expected to create a “one-stop” market entry route. Key takeaways include:

Administrative Efficiency: The new NIS integrated security verification process will replace the separate CSAP and NIS security checks.
Grandfathering Provisions: Services that obtained CSAP certification prior to the new system’s launch will remain valid for their existing certification term.
Cloud-Native Criteria: The Korean government (the “Government”) plans to establish new verification system standards that better align with modern cloud architecture, potentially reducing the burden on the cloud service providers while maintaining high security standards.

2.	Implementation Schedule and Promotion System The transition will follow a phased approach to ensure market stability:

Timeline: Regulatory revisions, including the “National Cloud Computing Security Guidelines,” are expected in the first half of 2026. Following a one-year grace period, the new system is slated for full implementation in the second half of 2027.
Public-Private Cooperation: A “Public-Private Verification Deliberation Committee” – comprised of industry experts, academics, research institutes, and MSIT-recommended officials – will be established to ensure the fairness and validity of the verification results.
Continuity: The current CSAP evaluation agencies’ expertise and experience will be reflected into the new NIS-led framework.

Reorganization of Private Cloud Security Verification System

As the NIS takes the lead on public sector security, the MSIT will shift its focus to the private sector. The existing CSAP framework for private cloud services is expected to be absorbed into the Information Security Management System (“ISMS”) certification to create an autonomous security certification system.

While the Improvement Plan outlines a clear path forward, several practical implementation details remain under active discussion within the Government:

CSAP and ISMS Integration: Stakeholders are determining whether to maintain the practical strengths of the CSAP system while successfully integrating it into the ISMS certification framework.
Regulatory Consistency: Efforts are ongoing to ensure the Improvement Plan aligns seamlessly with the Security Guidelines on the National Network Security Framework (“N2SF”) previously announced by the NIS in September 2025.
Transparency and Predictability: The Government is developing specific measures to ensure that the transition to an NIS-led integrated system remains transparent and predictable for service providers.

Given these evolving factors, we recommend that cloud service providers intending to enter the public cloud market closely monitor the detailed rollout of the Improvement Plan and related regulatory trends.

[Korean Version]

Share

Professionals

Professionals