ENFORCEMENT DECREE OF THE ACT ON THE DEVELOPMENT OF CLOUD COMPUTING AND PROTECTION OF ITS USERS
Presidential Decree No. 26550, Sep. 25, 2015
Amended by Presidential Decree No. 28210, Jul. 26, 2017
Presidential Decree No. 31056, Sep. 29, 2020
Presidential Decree No. 31220, Dec. 8, 2020
Presidential Decree No. 31221, Dec. 8, 2020
Presidential Decree No. 33220, Jan. 10, 2023
| Article 2 (Cloud Computing Technologies) |
| 1. | Technologies used by virtually combining or dividing resources for information and communications (hereinafter referred to as "information and communications resources"), including integrated or shared information and communications devices, information and communications facilities, and software; |
| 2. | Technologies that process a large volume of information by dispersing it into multiple information and communications resources; |
| 3. | Other technologies that utilize information and communications resources in setting up and using cloud computing systems, including technologies that automate the placement, management, etc. of information and communications resources. |
| Article 3 (Cloud Computing Services) |
"Services specified by Presidential Decree" in subparagraph 3 of Article 2 of the Act means the following services: | 1. | Service of providing servers, storage, networks, etc.; |
| 2. | Service of providing software, including applications; |
| 3. | Service of providing an environment for developing, distributing, operating, managing, etc. software, including applications; |
| 4. | Other services of providing a combination of at least two kinds of services among those specified in subparagraphs 1 through 3. |
| Article 4 (Formulation of Master Plans) |
| (1) | When the Minister of Science and ICT intends to formulate a master plan referred to in Article 5 (1) of the Act (hereinafter referred to as "master plan"), he or she shall establish guidelines for formulating a specific plan for the administrative affairs assigned to the head of each central administrative agency involved in developing cloud computing services, facilitating the use of such services, and protecting users (hereinafter referred to as "related central administrative agency"), and shall notify the head of each related central administrative agency of such guidelines by no later than the end of February of the year immediately preceding that year in which the master plan is implemented. <Amended on Jul. 26, 2017> |
| (2) | The head of each related central administrative agency shall formulate a specific plan for the administrative affairs assigned to the agency in accordance with the guidelines for formulation referred to in paragraph (1) and shall submit it to the Minister of Science and ICT by no later than April 30 of the year immediately preceding that year in which the master plan is implemented. <Amended on Jul. 26, 2017> |
| (3) | The Minister of Science and ICT shall combine the specific plans submitted pursuant to paragraph (2) and the specific plan of the Minister of Science and ICT for the administrative affairs assigned to the ministry to formulate a master plan and shall finalize the master plan by no later than June 30 of the year immediately preceding that year in which the master plan is implemented, upon deliberation thereon by the Strategic Committee for Information and Communications Technology under Article 7 of the Special Act on Promotion of Information and Communications Technology and Vitalization of Convergence Thereof. <Amended on Jul. 26, 2017> |
| (4) | The Minister of Science and ICT shall promptly notify the head of each related central administrative agency of the master plan finalized under paragraph (3). <Amended on Jul. 26, 2017> |
| Article 5 (Formulation and Evaluation of Implementation Plans) |
| (1) | The Minister of Science and ICT shall establish guidelines for the method, etc. of formulating implementation plans referred to in Article 5 (3) of the Act and shall notify the head of each related central administrative agency of the guidelines to assist the head of each related central administrative agency formulate the implementation plan according to such guidelines. <Amended on Jul. 26, 2017> |
| (2) | The head of each related central administrative agency shall submit to the Minister of Science and ICT a report on the outcomes of executing the implementation plan for the preceding year and the implementation plan formulated for the following year in accordance with the guidelines under paragraph (1) with respect to the administrative affairs assigned to the agency, by no later than August 31 each year. <Amended on Jul. 26, 2017> |
| (3) | If deemed necessary, the Minister of Science and ICT may request the head of the related central administrative agency to revise or amend the implementation plan in compliance with the master plan. <Amended on Jul. 26, 2017> |
| (4) | The Minister of Science and ICT shall evaluate the reports submitted pursuant to paragraph (2) with regard to the outcomes of executing the implementation plans for the preceding year and shall notify the head of each related central administrative agency of the findings from evaluation by no later than October 31 each year. In such cases, the head of each related central administrative agency shall reflect the findings from evaluation in the implementation plan for the following year. <Amended on Jul. 26, 2017> |
| (5) | The head of each related central administrative agency shall comprehensively review each request made under paragraph (3), the findings from evaluation under paragraph (4), matters concerning assistance to small and medium enterprises under Article 8, etc., and shall finalize an implementation plan by no later than December 31 of the year immediately preceding that year in which the implementation plan is implemented. |
| (6) | The Minister of Science and ICT shall consult with the Minister of the Interior and Safety on the matters concerning the realization, operation, and development of electronic government, among the matters concerning the formulation, etc. of an implementation plan under paragraphs (1), (3), and (4). <Amended on Jul. 26, 2017> |
| Article 6 (Scope and Methods of Fact-Finding Surveys) |
| (1) | When the Minister of Science and ICT conducts a fact-finding survey pursuant to Article 7 (1) of the Act (hereinafter referred to as "fact-finding survey"), he or she shall include the following matters: <Amended on Jul. 26, 2017> |
| 1. | Status of the enterprises related to cloud computing and the size of the market; |
| 2. | Status of sales of cloud computing service providers; |
| 3. | Status of the use and distribution of cloud computing technologies and cloud computing services; |
| 4. | Status of human resources in the cloud computing industry and the estimated demand for human resources; |
| 5. | The scale of research and development of and investment in cloud computing; |
| 6. | Other matters necessary for formulating master plans and implementation plans. |
| (2) | When the Minister of Science and ICT intends to conduct a fact-finding survey, he or she shall formulate a survey plan which includes the purposes, targets, methods, period, etc. of the survey. <Amended on Jul. 26, 2017> |
| (3) | Fact-finding surveys shall be conducted by field survey, document investigation, statistical survey, literature survey, etc. and may be conducted electronically, such as via information and communications networks, and electronic mail, if necessary for conducting the fact-finding survey efficiently. |
| (4) | When the Minister of Science and ICT requests cloud computing service providers, etc. to submit data or express opinions pursuant to Article 7 (2) of the Act, he or she shall notify them of the necessary matters in the survey plan formulated pursuant to paragraph (2) to request them to cooperate with him or her in such matters. <Amended on Jul. 26, 2017> |
| Article 7 (Pilot Projects) |
Pursuant to Article 9 (1) of the Act, the head of a related central administrative agency may implement the following projects as pilot projects: | 2. | Projects for commercializing cloud computing technologies; |
| 3. | Projects for commercializing cloud computing services; |
| 4. | Projects for developing converged services by utilizing cloud computing technologies and cloud computing services; |
| 5. | Other projects for promoting the use and distribution of cloud computing, including projects for technologies and services for protecting user information. |
| Article 8 (Assistance to Small and Medium Enterprises) |
When the Minister of Science and ICT or the head of a related central administrative agency intends to implement a research and development project pursuant to Article 8 of the Act, he or she shall formulate a plan to take measures for encouraging participation of small and medium enterprises engaging in cloud computing, determine the scope of assistance to such small and medium enterprises and specific methods for implementing the project, etc., and shall reflect them in the implementation plan. <Amended on Jul. 26, 2017>
| Article 9 (Facilitation of Introduction of Cloud Computing to State Agencies or Other Public Authorities) |
| (1) | If comprehensive plans and action plans for the intelligent information society formulated under the Framework Act on Intelligent Informatization contain policies related to the introduction of cloud computing or budget necessary for implementing cloud computing projects, the Minister of Science and ICT shall review the relevant matters pursuant to Article 12 (2) of the Act, and may express his or her review opinion on the matters to the Minister of Economy and Finance and the head of the related central administrative agency. <Amended on Jul. 26, 2017; Dec. 8, 2020> |
| (2) | When the Minister of Science and ICT intends to express his or her opinion pursuant to paragraph (1), he or she shall consult with the Minister of the Interior and Safety on the matters concerning the introduction of cloud computing in connection with the realization, operation, and development of the electronic government. <Amended on Jul. 26, 2017> |
| Article 10 (Methods for Forecast on Demand) |
| (1) | Pursuant to Article 13 (1) of the Act, the head of each State agency or other public authority shall submit data on demand for cloud computing projects for the following year by October 31 each year to the Minister of the Interior and Safety, and the Minister of the Interior and Safety shall compile such data and submit it to the Minister of Science and ICT. <Amended on Jul. 26, 2017; Sep. 29, 2020> |
| (2) | The Minister of Science and ICT shall disclose the details of data on demand for the cloud computing projects within 30 days from the date of receiving such information pursuant to paragraph (1) through the Software Industry Information Total System referred to in Article 5 (1) of the Enforcement Decree of the Software Promotion Act or on the website of the Minister of Science and ICT or by any other means. <Amended on Jul. 26, 2017; Dec. 8, 2020> |
| (3) | Except as provided for in paragraph (2), the Minister of Science and ICT shall determine the specific methods and procedure for disclosure in consultation with the Minister of the Interior and Safety. <Amended on Jul. 26, 2017> |
| Article 11 (Formulation of Policy for Training Specialized Human Resources) |
| (1) | When the Minister of Science and ICT formulates a policy for training human resources specialized in cloud computing pursuant to Article 14 (1) of the Act, the policy shall be based on the data obtained by surveying the status of human resources in the cloud computing industry and demand forecast for human resources under Article 6 (1) 4. <Amended on Jul. 26, 2017> |
| (2) | If the Minister of Science and ICT deems it necessary to formulate a policy under paragraph (1), he or she may gather consensus from related central administrative agencies, experts, organizations, institutions, etc. <Amended on Jul. 26, 2017> |
| Article 12 (Designation of Institutions for Training Specialized Human Resources) |
| (1) | Any person who wishes to be designated as an educational institution specialized in cloud computing pursuant to Article 14 (2) of the Act (hereinafter referred to as "institution for training specialized human resources") shall meet all the following requirements for designation: |
| 1. | The person shall be any of the following institutions and organizations: |
| (b) | An institution that operates educational courses related to cloud computing, among institutions established pursuant to any other Act as educational institutions similar to those defined in Article 2 of the Higher Education Act; |
| (e) | Any other institution or organization that executes affairs related to cloud computing; |
| 2. | The person shall meet all the requirements under attached 1 regarding human resources, facilities, etc. |
| (2) | A person who wishes to be designated as an institution for training specialized human resources shall file an application for designation in the attached Form with the Minister of Science and ICT, along with the following documents: <Amended on Jul. 26, 2017> |
| 1. | Articles of incorporation; |
| 2. | Status of human resources, facilities, and equipment secured for education; |
| 3. | An education plan, including educational courses and curricula; |
| 4. | A financing plan for operating expenses and a plan for utilizing subsidies; |
| 5. | Education regulations. |
| (3) | When the Minister of Science and ICT designates an institution for training specialized human resources, he or she shall notify the relevant institution or organization of such designation and shall publish it on the website of the Ministry of Science and ICT. <Amended on Jul. 26, 2017> |
| (4) | Pursuant to Article 14 (2) of the Act, the Minister of Science and ICT may fully or partially subsidize the training institutions for professional human resources for the following expenses: <Amended on Jul. 26, 2017; Sep. 29, 2020> |
| 1. | Lecture fees and allowances; |
| 2. | Costs of teaching materials and equipment, and materials for practice; |
| 3. | Expenses for practice; |
| 4. | Other expenses incurred in training human resources specialized in cloud computing. |
| Article 13 (Procedure for Revoking Designation of Institutions for Training Specialized Human Resources) |
| (2) | When the Minister of Science and ICT revokes designation of an institution for training specialized human resources, he or she shall notify the relevant institution or organization of such revocation and shall publish it on the website of the Ministry of Science and ICT. <Amended on Jul. 26, 2017> |
| Article 14 (Assistance in Establishment of Integrated Information and Communications Facilities Based on Cloud Computing Technologies) |
| (1) | Pursuant to Article 16 (1) of the Act, the State and local governments may grant subsidies within budgetary limits for expenses incurred in building infrastructure necessary for establishing information and communications facilities integrated by using cloud computing technologies (hereinafter referred to as "integrated information and communications facilities based on cloud computing technologies"), such as information and communications networks. |
| (2) | Pursuant to Article 16 (1) of the Act, the State and local governments may provide technical assistance in improving energy efficiency of facilities and securing stable operation in connection with the establishment of integrated information and communications facilities based on cloud computing technologies. In this regard, the head of a related central administrative agency or the head of a local government may request the Minister of Science and ICT or the Minister of the Interior and Safety to cooperate in technical assistance. <Amended on Jul. 26, 2017> |
| Article 15 (Designation of Specialized Agency) |
| 1. | Research and development of cloud computing technologies; |
| 2. | Introduction and active use of cloud computing; |
| 3. | Introduction and active use of cloud computing in State agencies or other public authorities; |
| 4. | Assistance in training human resources specialized in cloud computing; |
| 5. | Research, development, and technical assistance for protecting users of cloud computing; |
| 6. | Creation of an environment safe for using cloud computing; |
| 7. | Assistance in projects implemented by the Minister of Science and ICT, the head of a related central administrative agency, or the head of a local government to promote the cloud computing industry and to facilitate the use of cloud computing. |
| (2) | Pursuant to Article 19 (1) of the Act, the Minister of Science and ICT shall designate the following institutions as the specialized agencies, taking into consideration the nature of business affairs: <Amended on Jul. 26, 2017; Dec. 8, 2020> |
| (3) | Each specialized institutions referred to in paragraph (2) shall submit a business plan for the relevant year and a performance report for the preceding year to the Minister of Science and ICT by no later than January 1 each year. <Amended on Jul. 26, 2017> |
| Article 15-2 (Selection of Digital Services) |
| (1) | Pursuant to Article 20 (3) of the Act, the Minister of Science and ICT shall publicly notify the standards for selecting the services specified in any subparagraph of that paragraph (hereinafter referred to as "digital services") after consultation with the Minister of Economy and Finance, the Minister of the Interior and Safety, and the Administrator of the Public Procurement Service. <Amended on Jan. 10, 2023> |
| (2) | Where the Minister of Science and ICT intends to select digital services pursuant to Article 20 (3) of the Act, he or she shall refer the relevant matter to the Digital Services Examination Commission under Article 15-3 (hereinafter referred to as the "Examination Commission"). In such cases, the Examination Commission shall conduct an examination according to the standards for selecting digital services referred to in paragraph (1). <Amended on Jan. 10, 2023> |
| (3) | Where the Minister of Science and ICT establishes a system for the registration and management of digital services selected under Article 20 (3) of the Act (hereinafter referred to as "use support system"), the functions of such system shall include the following: <Amended on Jan. 10, 2023> |
| 1. | The registration and management of selected digital services; |
| 2. | Search for the registered digital services. |
| (4) | Except as provided in paragraph (3), matters necessary for the registration procedures and operation, etc. of the use support system shall be determined by the Minister of Science and ICT. |
| (5) | When the head of a State agency, a local government, or a public agency defined in subparagraph 3 of Article 2 of the Electronic Government Act (hereinafter referred to as "State agency or other public authority") uses digital services selected pursuant to Article 20 (3) of the Act, he or she shall register the details of use with the use support system. <Amended on Jan. 10, 2023> |
[This Article Newly Inserted on Sep. 29, 2020]
[Moved from Article 8-2 <Jan. 10, 2023>]
| Article 15-3 (Composition and Operation of Examination Commission) |
| (1) | An Examination Commission shall be established under the Ministry of Science and ICT to conduct an examination for the selection of digital services suitable for the use by the State agency or other public authority. <Amended on Jan. 10, 2023> |
| (2) | The Examination Commission shall be comprised of not more than 20 members including one chairperson. |
| (3) | The Minister of Science and ICT shall appoint or commission the chairperson of the Examination Commission (hereinafter referred to as the "chairperson") from among public officials in the deputy ministerial level of the Ministry of Science and ICT and the members of the Examination Commission (hereinafter referred to as "members") from among any of the following persons; in such cases, the Minister shall commission non-public official members in consideration of gender equality, and the number of non-public official members shall be at least 1/2 of the total number of the members: |
| 1. | A senior executive of the central administrative agency taking charge of the business affairs related to digital services who are nominated by the head of the relevant agency; |
| 2. | A person who has worked at an organization related to digital services (excluding public enterprises or quasi-governmental institutions prescribed in the Act on the Management of Public Institutions) at least for the periods classified as follows, after obtaining a doctorate or master's degree in the field of information and communications: |
| (a) | A person with a doctorate degree: 3 years; |
| (b) | A person with a master's degree: 5 years; |
| 3. | A person who has at least three years’ experience in the business affairs related to digital services in a public enterprise or a quasi-governmental institution prescribed in the Act on the Management of Public Institutions after obtaining a doctorate degree in the field of information and communications; |
| 4. | A person who is in the position of associate professor or higher (excluding an honorary professor) at a university or college in a field related to digital services; |
| 5. | Other persons who have credentials equivalent to those specified in subparagraphs 2 through 4, as recognized by the Minister of Science and ICT. |
| (4) | The term of office of non-public official members shall be two years, and it may be consecutively renewed only once: Provided, That the term of office of a member newly commissioned due to the resignation, etc. of an existing member shall be the remainder of his or her predecessor’s term. |
| (5) | If the chairperson of the Examination Commission is unable to perform his or her duties due to any unavoidable cause, a member designated in advance by the chairperson shall act on behalf of the chairperson. |
| (6) | The Examination Commission shall have one executive secretary to deal with the administrative affairs, and the executive secretary shall be appointed by the Minister of Science and ICT, from among the public officials of the Ministry of Science and ICT. |
| (7) | When the chairperson intends to hold a meeting, he or she shall notify each member of the Examination Commission of the time, date, and venue of the meeting by seven days prior to the meeting: Provided, That a notice may be given by the day before a meeting is held where a meeting is urgently required or where any unavoidable reason exists. |
| (8) | A majority of the members of the Examination Commission, including the chairperson, shall constitute a quorum, and any resolution thereof shall require the concurring vote of a majority of those present. |
| (9) | Except as provided in paragraphs (1) through (8), matters necessary for the operation and others of the Examination Commission shall be determined by the chairperson after resolution by the Examination Commission. |
[This Article Newly Inserted on Sep. 29, 2020]
[Title Amended on Jan. 10, 2023]
[Moved from Article 8-3 <Jan. 10, 2023>]
| Article 15-4 (Exclusion and Recusal of Examination Commission Members) |
| (1) | A member shall be excluded from deliberation and resolution by the Examination Commission in any of the following cases: |
| 1. | Where a member or his or her spouse is the party concerned providing the relevant digital service (where the party concerned is a corporation or an organization, it shall include the executive officers thereof; hereafter in this Article, the same shall apply) or a joint right holder with the party concerned; |
| 2. | Where a member has ever conducted services, consultation, research, etc. including subcontracting during the period from January 1 of the immediately preceding year to the date of deliberation and resolution for the party concerned providing the relevant digital service; |
| 3. | Where a member has worked as an executive officer or employee of the party concerned providing the relevant digital service within the last three years; |
| 4. | Where the donations sponsored by the party concerned providing the relevant digital service to an organization, academic society, etc. to which a member belongs are directly related to the relevant digital service; |
| 5. | Where the Examination Commission passes a resolution that it is impracticable to conduct a fair examination in any cases similar to those prescribed in subparagraphs 1 through 4; in such cases, no member who is subject to exclusion shall participate in the resolution. |
| (2) | If a member falls under any grounds for exclusion specified in the subparagraphs of paragraph (1), he or she shall voluntarily recuse himself or herself from deliberation and resolution on the relevant agenda item. |
[This Article Newly Inserted on Sep. 29, 2020]
[Moved from Article 8-4 <Jan. 10, 2023>]
| Article 15-5 (Dismissal and Removal of Examination Commission Members) |
The Minister of Science and ICT may dismiss or remove a member from office, in any of the following cases: <Amended on Jan. 10, 2023>
| 1. | Where a member becomes unable to perform his or her duties due to mental or physical disabilities; |
| 2. | Where a member commits any irregularities in relation to his or her duties; |
| 3. | Where a member is deemed unfit for the membership due to negligence, injury to dignity, or other reasons; |
| 4. | Where a member is sentenced to imprisonment without labor or heavier punishment; |
| 5. | Where a member voluntarily indicates that it is impracticable to perform his or her duties; |
| 6. | Where a member fails to voluntarily recuse himself or herself in violation of Article 15-4 (2). |
[This Article Newly Inserted on Sep. 29, 2020]
[Moved from Article 8-5 <Jan. 10, 2023>]
| Article 15-6 (Security Certification Process of Cloud Computing Services) |
| (1) | A person who intends to obtain security certification for cloud computing services (hereinafter referred to as "security certification") pursuant to Article 23-2 (1) of the Act shall submit an application for certification in the form prescribed by Ordinance of the Ministry of Science and ICT to the Korea Internet and Security Agency or an institution designated under paragraph (5) of that Article (hereinafter referred to as "certification institution") which performs business affairs related to security certification, along with the following documents: |
| 1. | A document verifying whether the applicant complies with the standards for protecting information in cloud computing services under Article 23 (2) of the Act (including managerial, physical, and technical protective measures; hereinafter referred to as "security certification standards"); |
| 2. | A list of security certification targets; |
| 3. | Other documents on matters necessary for security certification publicly notified by the Minister of Science and ICT. |
| (2) | Upon receipt of an application filed under paragraph (1), the Korea Internet and Security Agency or a certification institution shall require an institution designated as an institution performing assessment business affairs pursuant to Article 23-2 (6) of the Act (hereinafter referred to as "assessment institution") to verify whether the relevant service complies with the security certification standards referred to in Article 23-2 (5) 1 of the Act (hereinafter referred to as "assessment of certification"), to conduct an assessment of certification. |
| (3) | Notwithstanding paragraph (2), where the Minister of Science and ICT deems that it is appropriate for the Korea Internet and Security Agency to conduct an assessment of certification because a new assessment technology needs to be developed for an assessment of certification, the Minister may require the Korea Internet and Security Agency to conduct an assessment of certification. |
| (4) | Where the Korea Internet and Security Agency directly performs the business affairs concerning an assessment of certification pursuant to paragraph (3) upon receipt of an application filed under paragraph (1), it shall prepare the guidelines and procedures to be complied with in performing the business affairs concerning the assessment of certification, to ensure objectivity and fairness of such business affairs, including the following requirements: |
| 1. | It shall have professional human resources that independently perform the business affairs concerning an assessment of certification; |
| 2. | It shall have the procedures for independently reviewing the business affairs concerning an assessment of certification; |
| 3. | Matters necessary for ensuring the objectivity and fairness of the business affairs concerning an assessment of certification, which the Minister of Science and ICT determines and publicly notifies. |
| (5) | An assessment institution (including the Korea Internet and Security Agency under paragraph (3)) requested to conduct an assessment of certification pursuant to paragraph (2) shall conduct an assessment of certification and send the assessment results to the Korea Internet and Security Agency or a certification institution which has requested an assessment of certification. |
| (6) | The Korea Internet and Security Agency or a certification institution shall establish and operate a security certification committee comprised of persons with extensive knowledge of and experience in the protection of information, in order to deliberate on the results of assessment of certification received pursuant to paragraph (5). |
| (7) | Where a security certification committee under paragraph (6) resolves that the results of assessment certification are in compliance with the security certification standards, the Korea Internet and Security Agency or a certification institution shall issue the certificate of security of cloud computing services prescribed by Ordinance of the Ministry of Science and ICT to the applicant and shall post such fact on the website of the Korea Internet and Security Agency or the certification institution. |
| (8) | Except as provided in paragraphs (1) through (7), matters necessary for security certification shall be determined and publicly notified by the Minister of Science and ICT: Provided, That the Minister shall preconsult with the head of the National Intelligence Service on the security certification standards for cloud computing services used by the State agencies or other public authorities and with the Minister of the Interior and Safety on matters concerning ensuring safety in the use of cloud computing services. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 15-7 (Effective Period of Security Certification) |
| (2) | A person who intends to obtain an extension of the effective period under paragraph (1) shall apply for an extension of the effective period of security certification by no later than six months before the expiration of the effective period of security certification. |
| (3) | Article 15-6 shall apply mutatis mutandis to the procedures for extending the effective period of security certification. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 15-8 (Follow-Up Management of Security Certification) |
The follow-up management of security certification under Article 23-2 (5) 4 of the Act shall be conducted annually in accordance with public notice determined by the Minister of Science and ICT, such as verification of whether the relevant security certification conducted under paragraph (1) of that Article complies with the security certification standards. [This Article Newly Inserted on Jan. 10, 2023]
| Article 15-9 (Fees for Assessment of Certification) |
| (1) | Fees referred to in Article 23-2 (7) of the Act shall be determined and publicly notified by the Minister of Science and ICT within the scope of actual expenses incurred in conducting an assessment of certification by an assessment institution. |
| (2) | Where an applicant for security certification is a small and medium enterprise, the Minister of Science and ICT may, pursuant to Article 11 (1) 2 of the Act, provide subsidies to cover all or some of the fees under paragraph (1). |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 15-10 (Procedures for Designation of Certification Institution or Assessment Institution) |
| (1) | A person who intends to be designated as a certification institution or an assessment institution shall submit an application for designation in the form prescribed by Ordinance of the Ministry of Science and ICT, to the Minister of Science and ICT, along with the following documents: |
| 1. | The articles of incorporation or bylaws of an organization (applicable only if the applicant is a corporation or organization); |
| 2. | Documents verifying that the applicant has complied with the standards for designation under paragraph (2); |
| 3. | Other documents determined and publicly notified by the Minister of Science and ICT as required for designation of a certification institution. |
| (2) | A person who intends to be designated as a certification institution or an assessment institution shall meet all the following requirements: |
| 1. | To have an organization that takes full charge of security certification or assessment of certification; |
| 2. | To have at least four full-time professional workers who take full charge of security certification or assessment of certification; |
| 3. | To have a system required for conducting security certification or assessment of certification and to prepare security measures for the system; |
| 4. | To meet the standards necessary for designation of a certification institution or an assessment institution, such as financial capability to perform duties, which are determined and publicly notified by the Minister of Science and ICT. |
| (3) | Upon receipt of an application filed under paragraph (1), the Minister of Science and ICT may conduct a field investigation or request the submission of additional documents, if necessary for designating a certification institution or an assessment institution. |
| (4) | Where the Minister of Science and ICT has designated a certification institution or an assessment institution, he or she shall issue a certificate of designation in the form prescribed by Ordinance of the Ministry of Science and ICT to the applicant and shall publish such fact on the website of the Ministry of Science and ICT. |
| (5) | Except as provided in paragraphs (1) through (4), matters necessary for designating a certification institution or an assessment institution shall be determined and publicly notified by the Minister of Science and ICT. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 15-11 (Effective Period of Designation of Certification Institution or Assessment Institution) |
| (1) | The effective period of designation of a certification institution or an assessment institution shall be five years. |
| (2) | A certification institution or an assessment institution which intends to obtain an extension of the effective period under paragraph (1) shall file an application with the Minister of Science and ICT at least six months before the expiration of the effective period of such designation. |
| (3) | Article 15-10 shall apply mutatis mutandis to the procedures for extending the effective period of designation of a certification institution or an assessment institution. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 15-12 (Revocation of Designation of Certification Institution or Assessment Institution) |
| (1) | Detailed criteria for revoking the designation of a certification institution or an assessment institution and for issuing administrative dispositions to suspend its business under Article 23-4 (1) of the Act shall be as specified in attached Table 3. |
| (2) | Where the Minister of Science and ICT has revoked the designation of a certification institution or an assessment institution pursuant to Article 23-4 (1) of the Act, he or she shall publish such fact on the website of the Ministry of Science and ICT without delay. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 16 (Suspension Period of Cloud Computing Services Subject to Notification) |
| 1. | Where the period during which cloud computing services are suspended continuously is at least ten consecutive minutes; |
| 2. | Where cloud computing services are suspended at least twice during 24 hours from the time cloud computing services are initially suspended and the period of suspension in total is not less than 15 minutes. |
| Article 17 (Details and Method of Notice) |
| (1) | In any case referred to in Article 25 (1) of the Act, the person who provides cloud computing services (hereinafter referred to as "cloud computing service provider") shall promptly notify the relevant users of the following matters: Provided, That if it is impracticable to ascertain the cause of the suspension referred to in subparagraph 2 immediately, the cloud computing service provider shall promptly notify the relevant user of the rest of the following matters first, and then shall notify the relevant user of the cause of the suspension, when ascertained: |
| 1. | Details of the suspension; |
| 2. | Cause of the suspension; |
| 3. | Measures taken by the cloud computing service provider to prevent the worsening of loss; |
| 4. | Methods for preventing users of cloud computing services (hereinafter referred to as "cloud computing service users") from sustaining loss or preventing the worsening of loss; |
| 5. | The office in charge and its contact information. |
| (2) | A cloud computing service provider shall give notice under paragraph (1) by at least one means, among telephone, mobile phone, mail, electronic mail, text message, posting the notice on the access screen for cloud computing services, and other similar means: Provided, That the notice shall be posted for at least 15 days, if it is given on the access screen for cloud computing services. |
| (3) | If it is impracticable to give notice under paragraph (1) due to a natural disaster or any other unavoidable cause, public notice may be given in lieu thereof by publishing it at least once in two or more general daily newspapers distributed nationwide defined in subparagraph 1 (a) of Article 2 of the Act on the Promotion of Newspapers. |
| (4) | A cloud computing service provider who gives public notice pursuant to paragraph (3) shall promptly notify the Minister of Science and ICT of the natural disaster or any other unavoidable cause and of details of the public notice, in writing (or by electronic document). <Amended on Jul. 26, 2017> |
| (5) | When a cloud computing service provider notifies the Minister of Science and ICT of the divulgence of user information referred to in Article 25 (1) 2 of the Act pursuant to Article 25 (2) of the Act, he or she shall include the following information in the notification: <Amended on Jul. 26, 2017> |
| 1. | A summary of the user information divulged (limited to where such information has been ascertained); |
| 2. | The time and details of divulgence; |
| 3. | Measures taken by the cloud computing service provider to prevent the worsening of loss. |
| Article 18 (Measures for Preventing Worsening of Loss) |
Pursuant to Article 25 (3) of the Act, the Minister of Science and ICT may take the following measures: <Amended on Jul. 26, 2017> | 1. | Requesting the preservation and submission of data for analyzing causes of divulgence accidents, etc. and conducting on-site investigations; |
| 2. | Rendering assistance with technology and human resources in recovering from loss incurred by divulgence accidents and preventing recurrence of such accidents; |
| 3. | Ascertaining whether measures necessary for preventing the worsening of loss and recurrence, and for recovering from loss have been taken and requesting to take measures for improvement; |
| 4. | Other necessary measures, such as guidance and publicity necessary for preventing the worsening and recurrence of loss and recovering from loss. |
| Article 19 (Notice of Expiration of Contract or Closure of Business) |
| (1) | Pursuant to Article 27 (3) and (6) of the Act, a cloud computing service provider shall notify a user of the following matters by no later than 30 days before the contract with the user expires: |
| 1. | The date and time the contract expires; |
| 2. | A statement that the user may demand user information to be returned; |
| 3. | A statement that user information will be destroyed, if the user does not accept the return of user information or does not wish to have user information returned before the contract expires; |
| 4. | The method and procedure for returning user information; |
| 5. | The office in charge and its contact information. |
| (2) | When a cloud computing service provider intends to completely or partially discontinue its services, it shall notify users of the following matters by no later than 30 days before the date the services discontinue, in accordance with Article 27 (4) of the Act, and shall post such matters on the website of the cloud computing service provider until the services discontinue: |
| 1. | Details of the matters to be discontinued and reasons for discontinuance; |
| 2. | Date services discontinue; |
| 3. | A statement that users may demand to return user information; |
| 4. | A statement that user information will be destroyed, if a user does not accept the return of user information or does not want to have user information returned before the date the services discontinue; |
| 5. | The method and procedure for returning user information; |
| 6. | The office in charge and its contact information. |
| (3) | A cloud computing service provider shall give notice under paragraph (1) or (2) by at least one means, among telephone, mobile phone, mail, electronic mail, text message, and other similar means. |
| (4) | Pursuant to Article 27 (3) and (4) of the Act, a cloud computing service provider shall return user information before the relevant contract expires or the services discontinue, and such user information shall be returned in a usable state. |
| (5) | When a cloud computing service provider destroys user information pursuant to Article 27 (3) and (4) of the Act, it shall permanently delete the information irrecoverably. |
| (6) | When a public institution under subparagraph 3 of Article 2 of the Electronic Government Act intends to use cloud computing services, it shall make a contract with a cloud computing service provider in accordance with the guidelines established by the Minister of the Interior and Safety, pursuant to Article 27 (5) of the Act, regarding the methods and timing for giving notice of the expiration of a contract or of the discontinuance of services; and regarding the methods and timing for returning or destroying user information under paragraphs (1) through (5). <Amended on Jul. 26, 2017> |
| Article 20 (Delegation and Entrustment) |
| (2) | Pursuant to Article 31 (2) of the Act, the Minister of Science and ICT shall entrust the following affairs under his or her jurisdiction, to the National IT Industry Promotion Agency: <Amended on Jul. 26, 2017> |
| 4. | Projects for promotion of international cooperation and overseas expansion under Article 15 of the Act; |
| 5. | Assistance in establishing integrated information and communications facilities based on cloud computing technologies under Article 16 of the Act. |
| (3) | Pursuant to Article 31 (2) of the Act, the Minister of Science and ICT shall entrust the following business affairs under his or her jurisdiction, to the Korea Internet and Security Agency: <Amended on Jul. 26, 2017; Jan. 10, 2023> |
| 3. | Business affairs concerning the receipt of applications for the designation of certification institutions under Article 23-2 (5) of the Act; |
| 4. | Business affairs concerning the receipt of applications for the designation of assessment institutions under Article 23-2 (6) of the Act; |
| 6. | Measures for preventing the worsening and recurrence of damage, and for restoring damaged systems under Article 25 (3) of the Act. |
| (4) | Pursuant to Article 31 (2) of the Act, the Minister of Science and ICT and the Minister of the Interior and Safety may entrust the following business affairs under their jurisdiction to NIA or the Korea Local Information Research and Development Institute; In such cases, the Minister of Science and ICT and the Minister of the Interior and Safety shall publicly notify the trustee institutions and the entrusted business affairs: <Amended on Jul. 26, 2017; Dec. 8, 2020; Jan. 10, 2023> |
| 1. | Formulation of policies and technical assistance for introducing cloud computing by State agencies or other public authorities under Article 12 of the Act; |
| 2. | Assistance in establishing integrated information and communications facilities based on cloud computing technologies under Article 16 of the Act (limited to the matters in which assistance is requested to the Minister of the Interior and Safety pursuant to Article 14 (2) of this Decree); |
| 3. | Formulation of policies and technical assistance for the use of cloud computing services by a State agency or other public authority under Article 20 (1) of the Act; |
| 4. | Support for the establishment and operation of the use support system. |
| Article 20-2 (Re-Examination of Regulation) |
| (1) | The Minister of Science and ICT shall examine the appropriateness of the following matters every five years, counting from the following base date (referring to the period that ends on the day before the base date of every fifth year) and shall take measures, such as making improvements: |
| 1. | The criteria for designating a certification institution or an assessment institution under Article 15-10: January 1, 2023; |
| 2. | The criteria for revoking the designation of a certification institution or an assessment institution under Article 15-12 or attached Table 3: January 1, 2023. |
[This Article Newly Inserted on Jan. 10, 2023]
| Article 21 (Criteria for Imposing Administrative Fines) |
ADDENDUM <Presidential Decree No. 26550, Sep. 25, 2015>
This Decree shall enter into force on September 28, 2015.
ADDENDA <Presidential Decree No. 28210, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 31056, Sep. 29, 2020>
This Decree shall enter into force on October 1, 2020.
ADDENDA <Presidential Decree No. 31220, Dec. 8, 2020>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 10, 2020.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 31221, Dec. 8, 2020>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 10, 2020.
Articles 2 through 9 Omitted.
ADDENDA <Presidential Decree No. 33220, Jan. 10, 2023>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 12, 2023.
Article 2 (Applicability to Criteria for Imposing Administrative Fines)
The amended provisions of subparagraph 1 (c) (v) of attached Table 2 shall also apply where an administrative fine is imposed after this Decree enters into force against any violations committed before this Decree enters into force.
Article 3 (Transitional Measures concerning Selection of Digital Services)
The digital services that were selected pursuant to the previous provisions of Article 8-2 (1) as at the time this Decree enters into force shall be deemed to have been examined and selected by the Examination Commission according to the standards for selecting digital services under the amended provisions of Article 15-2 (1).