
South Korea considers updates to data and cyber laws


Recent large‑scale data breaches across major sectors in Korea, including the telecommunications, retail, and finance sectors, have prompted a swift and coordinated response from lawmakers and regulators. The National Assembly and relevant government agencies are advancing legislative amendments and updating regulatory measures to strengthen both the prevention of and the response to cybersecurity threats targeting critical networks and personal data.

These developments primarily concern two key statutes: the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (the “Network Act”) and the Personal Information Protection Act (the “PIPA”). The Network Act applies to information and communications service providers (“ISPs”), a broad category that includes businesses that provide or mediate information through telecommunications networks, such as e‑commerce platforms, social media services, fintech operators, and mobile banking providers. The Ministry of Science and ICT (“MSIT”) administers the Network Act. In parallel, the PIPA governs the protection of personal data and is overseen by the Personal Information Protection Commission (“PIPC”).

Although the Network Act and PIPA are distinct frameworks with separate scopes and enforcement authorities, data breaches frequently trigger obligations under both regimes, since cybersecurity incidents often involve the compromise or leakage of personal information.

The proposed amendments focus on two principal objectives: improving data protection and security governance, including the strengthening of information management systems, and enhancing the effectiveness of incident response, investigations, and sanctions in the event of security incidents. We outline the nature and scope of the amendments and their implications in further detail below.

Key amendments

1. Enhancements to Governance and Information Management

Proposed Network Act Amendments

  • The role of the Chief Information Security Officer (“CISO”) will be expanded to include oversight of both staffing and budget allocation for cybersecurity, as well as regular reporting to the board.
  • Large ISPs will be required to form dedicated committees focused on information security.
  • Companies that meet certain size or operational criteria will undergo mandatory annual reviews of their information security standards.
  • The criteria and process for obtaining Information Security Management System (“ISMS”) certification will be tightened, with greater emphasis on the volume of data handled and the potential societal impact of the business.

Proposed PIPA Amendments

  • The Chief Executive Officer (“CEO”) will be explicitly designated as the individual ultimately accountable for personal data management and protection.
  • The Chief Privacy Officer (“CPO”) will be tasked with ensuring adequate resources for data protection and must provide regular updates to both the CEO and the board.
  • For organizations above a specified threshold, board approval will be necessary for appointing or removing the CPO, and the PIPC must be notified of these changes.
  • Certain organizations will be required to obtain an ‘ISMS – Personal Information Protection’ certification from the PIPC to demonstrate compliance with enhanced data protection standards.

2. Incident response, investigations and sanctions

Proposed Network Act Amendments

  • ISPs will have a strict 24-hour window to inform users after discovering a cybersecurity breach involving users’ personal information.
  • The MSIT will have the authority to launch investigations into suspected incidents and can direct companies to take corrective actions. Failure to comply with such corrective orders may attract penalties of up to 0.03% of average daily sales per day of non-compliance. Repeat offenders, particularly those whose alleged negligence leads to recurring incidents, may face administrative fines of up to 3% of their annual revenue.

Proposed PIPA Amendments

  • The definition of “data breach” that requires notification to data subjects and reporting to the PIPC will be broadened to include falsification/alteration and damage, in addition to the data loss, theft, and leakage already covered.
  • Where a data breach poses a significant impact and level of risk to data subjects, the data controller must notify all affected data subjects without delay upon becoming aware that such a data breach may have occurred.
  • Heavier administrative fines, potentially up to 10% of total revenue, may be imposed for repeated or large-scale violations, or for breaches resulting from failure to comply with regulatory orders. However, these fines may be reduced if the organization can demonstrate substantial investment in data protection measures, as evidenced by a significant budget dedicated to data protection personnel, facilities, and equipment. Further details on these reductions are expected to be set out in a Presidential Decree.

South Korea’s cybersecurity and personal data enforcement landscape in 2026

Recent announcements and publications from the Ministry of Science and ICT (MSIT) and the Personal Information Protection Commission (PIPC) indicate a clear and assertive regulatory direction for cybersecurity and personal data protection in South Korea in 2026.

MSIT’s Enforcement Priorities

The MSIT has designated the private sector’s handling of hacking incidents as a key focus of its 2026 Work Plan. The Ministry signals that it plans to:

  • Emphasize swift investigation of cybersecurity incidents and provide clear, transparent reporting of the results.
  • Strictly enforce statutory obligations and apply strong enforcement measures where violations are identified.
  • Launch its own investigations whenever indications of hacking or unauthorized system access arise.
  • Increase the severity of penalties, including imposing administrative surcharges on repeat offenders and issuing fines for failures to implement required preventive or corrective measures.

PIPC’s Strategic Direction

The PIPC has recently set out five major strategic directions to reform South Korea’s privacy and data protection framework. These initiatives are designed to enhance deterrence, improve preventive measures, support responsible AI innovation, strengthen everyday privacy protections, and foster global trust in data systems. The PIPC’s investigation policy for 2026 highlights several key areas:

1. Effective Sanctions and Increased Investment in Protection

  • Introduction of more severe penalties for repeated or serious violations, including punitive fines and the possibility of collective compensation for damages.
  • A risk-based approach to legal responsibility, scaling obligations according to company size and risk profile, and offering incentives such as mandatory fine reductions for organizations that proactively invest in privacy protection.
  • Governance reforms requiring CEOs to assume ultimate responsibility for personal data protection, and mandatory reporting of Chief Privacy Officer (CPO) appointments to the PIPC for large organizations handling sensitive data.

2. Proactive Prevention and Public–Private Sector Oversight

  • Early detection initiatives, including proactive investigations in industries processing large volumes or sensitive categories of data, and the establishment of a Technology Analysis Center for ongoing risk assessment.
  • Enhanced safeguards in the public sector, with increased penalties for data breaches and stricter requirements for vulnerability assessments.
  • Investment in Privacy Enhancing Technologies (PETs), such as anonymization and advanced encryption.

Both the MSIT and the PIPC have made it clear that enforcement efforts in 2026 will prioritize:

  • Data controllers managing large volumes of personal data, with particular attention to the frequency of incidents, the nature of services provided, and the sensitivity of the data processed.
  • Inspections targeting the handling of high-risk personal information, such as biometric and video data.
  • Monitoring of major online platforms and applications to identify and address “dark patterns” or practices that manipulate user choices.

These developments signal an even more rigorous and proactive enforcement environment in South Korea, with heightened expectations for both private and public sector organizations to strengthen their cybersecurity and data protection frameworks.

Key takeaways for organizations with ties to Korea

  • Regulators are becoming more assertive.

The evolving legislative landscape reflects a decisive shift toward more proactive investigations, stricter oversight, and faster regulatory intervention. Companies are well advised to prepare for heightened scrutiny across both cybersecurity and personal data practices.

  • A more mature and proactive security posture is expected.

As regulatory obligations become increasingly calibrated to organizational size, data sensitivity, and risk exposure, businesses should clearly identify the requirements applicable to them and assess whether existing governance and compliance structures remain fit for purpose.

  • Incident response protocols require reassessment and reinforcement.

With accelerated breach notification timelines and broadened reporting duties on the horizon, companies may wish to revisit their incident response plans to confirm they are comprehensive, operationally realistic, and capable of ensuring timely compliance.

  • Post-incident remediation will be closely scrutinized.

To avoid escalating penalties, particularly for repeat violations, organizations are well advised to conduct post-incident reviews, including to identify potential patterns or contributing factors across incidents, and to implement corrective actions and enhancements that lead to demonstrable, sustainable improvements in their security posture.

Conclusion

The proposed amendments to Korea’s Network Act and Personal Information Protection Act represent a significant shift toward a more rigorous and proactive regulatory environment. Both the MSIT and PIPC are signalling their intent to hold organizations to higher standards of accountability, transparency, and preparedness in the face of evolving cybersecurity and data protection risks. Businesses operating in Korea should take this opportunity to review and enhance their governance, compliance, and incident response capabilities.

For further guidance on the impact of these changes, please reach out to the authors of this alert or your usual Hogan Lovells contact.

Authored by Charmian Aw, Paul Otto, and Ciara O'Leary.