Statutes of the Republic of Korea

Article 1 (Purpose)

The purpose of this Decree is to prescribe matters mandated by the Act on the Promotion of Information Security Industry and matters necessary for the enforcement thereof.

Article 2 (Scope of Public Institutions)

"Corporations, organizations and institutions prescribed by Presidential Decree" in Article 2 (1) 5 (d) of the Act on the Promotion of Information Security Industry (hereinafter referred to as the "Act") means schools prescribed in Article 2 of the Elementary and Secondary Education Act; schools prescribed in Article 2 of the Higher Education Act; or schools founded or established pursuant to other statutes.

Article 3 (Formulation of Plan for Promoting Information Security Industry)

(1)

The Minister of Science and ICT shall formulate a plan for promoting the information security industry under Article 5 (1) of the Act (hereinafter in this Article referred to as "promotion plan") by December 31 of the year preceding the year in which the promotion plan is implemented. <Amended on Jul. 26, 2017>

(2)	The Minister of Science and ICT may formulate a promotion plan including matters necessary for the detailed implementation thereof each year. <Amended on Jul. 26, 2017>

(3)

Where the Minister of Science and ICT formulates a promotion plan pursuant to paragraph (1), he or she shall immediately notify the heads of relevant central administrative agencies, local governments, and relevant public institutions of the promotion plan, and publicly notify the details thereof. <Amended on Jul. 26, 2017>

Article 4 (Submission of Information on Purchase Demand)

(1)

The head of an administrative agency or public institution referred to in subparagraph 2 of Article 2 of the Electronic Government Act (hereinafter referred to as "public institution, etc.") shall annually submit information on purchase demand (hereinafter referred to as "information on purchase demand") for information security technology, information security products, and information security services (hereinafter referred to as "information security technology, etc.") provided by information security enterprises to the Minister of Science and ICT, by the deadlines classified as follows, pursuant to Article 6 (1) of the Act: <Amended on Jul. 26, 2017>

1.	Information on purchase demand of the relevant year: March 31;

2.	Information on purchase demand of the following year: October 31.

(2)	The Minister of Science and ICT shall convene meetings of a deliberative committee under Article 6 (3) of the Act within 30 days from the deadlines prescribed in paragraph (1) 1 and 2. In such cases, the period of deliberation shall not exceed 15 days. <Amended on Jul. 26, 2017>

(3)

The Minister of Science and ICT may construct and operate a purchase demand information system on information security technology, etc. provided by information security enterprises in order to efficiently conduct affairs related to submitting and providing information on purchase demand under Article 6 (1) and (2) of the Act. <Amended on Jul. 26, 2017>

Article 5 (Payment of Reasonable Prices for Information Security Products and Information Security Services)

(1)

The Minister of Science and ICT shall formulate standards for calculating reasonable prices for information security products and information security services for developing the information security industry and the quality assurance of information security products and information security services. <Amended on Jul. 26, 2017>

(2)	The Minister of Science and ICT may disclose the outcomes of investigations conducted through public-private partnership monitoring pursuant to Article 10 (2) of the Act on a quarterly basis via the website, etc. of the Ministry of Science and ICT. <Amended on Jul. 26, 2017>

(3)	Where the Minister of Science and ICT intends to request the heads of public institutions to submit data pursuant to Article 10 (5) of the Act, he or she shall pre-notify them of the following matters in writing: <Amended on Jul. 26, 2017>

1.	Grounds for requesting submission;

2.	Deadline for submission;

3.	Specific matters of data to be submitted;

4.	Means for and types of data to be submitted;

5.	Methods of utilizing data to be submitted.

Article 6 (Requirements and Procedures for Registration of Agencies Evaluating Level of Information Security Preparedness)

(1)	"Matters prescribed by Presidential Decree, such as documents that may prove the human, technical and financial capability" in Article 12 (2) 3 of the Act means the following documents:

1.	Documents that may prove human, technical, and financial capability necessary to evaluate the level of information security preparedness;

2.	Documents that may prove the independence of an evaluation agency registered pursuant to Article 12 (2) of the Act (hereinafter referred to as "agency for evaluating the level of information security preparedness") and the fairness of evaluation and deliberation;

3.	Documents on the evaluation-related regulations of an agency for evaluating the level of information security preparedness;

4.	Documents that may prove that an agency for evaluating the level of information security preparedness has facilities for evaluating the level of information security preparedness.

(2)	A person who intends to apply for registration of an agency for evaluating the level of information security preparedness shall submit an application for registration as such, to the Minister of Science and ICT along with the following documents: <Amended on Jul. 26, 2017>

1.	Documents under Article 12 (2) 1 and 2 of the Act;

2.	Documents under the subparagraphs of paragraph (1).

(3)	Where a person who applies for registration pursuant to paragraph (2) is a corporation, the Minister of Science and ICT shall verify a certificate of incorporation through administrative data matching information under Article 36 (1) of the Electronic Government Act. <Amended on Jul. 26, 2017>

(4)

Where an application for registration under paragraph (2) meets requirements for registration specified in attached Table 1, the Minister of Science and ICT shall issue a certificate of registration of an agency for evaluating the level of information security preparedness prescribed by Ordinance of the Ministry of Science and ICT, to the applicant within 60 days from the date of application. <Amended on Jul. 26, 2017>

(5)

Where the Minister of Science and ICT deems that the documents submitted pursuant to paragraph (2) require supplementation, he or she may request the applicant to supplement the documents within a specified period not exceeding seven days from the date the applicant is notified of such request. <Amended on Jul. 26, 2017>

(6)

Where the applicant requests the Minister of Science and ICT to extend the period on the grounds that he or she is unable to supplement documents within the period referred to in paragraph (5), such period may be extended by up to 10 days excluding the initial period requested for the supplement of documents.

(7)

Where any of the following matters registered is modified, a person who has obtained the registration of an agency for evaluating the level of information security preparedness shall submit an application for modification of registration of the agency for evaluating the level of information security preparedness prescribed by Ordinance of the Ministry of Science and ICT to the Minister of Science and ICT, along with the original certificate of registration of the agency for evaluating the level of information security preparedness and documents that may prove the modification thereof within 30 days from the date grounds for the modification thereof occur: <Amended on Jul. 26, 2017>

1.	Name, representative, or location of the agency for evaluating the level of information security preparedness;

2.	Articles of incorporation or bylaws of association of the agency for evaluating the level of information security preparedness;

3.	A plan for implementing a project to evaluate the level of information security preparedness;

4.	Regulations for evaluation of the level of information security preparedness.

(8)	Requirements for registration of agencies for evaluating the level of information security preparedness shall be as specified in attached Table 1.

Article 7 (Requesting Agency for Evaluating Level of Information Security Preparedness to Provide Data)

The Minister of Science and ICT may verify the following matters on an agency for evaluating the level of information security preparedness to provide support under Article 12 (3) and (4) of the Act: <Amended on Jul. 26, 2017>

1.	Whether the agency for evaluating the level of information security preparedness continues to meet the requirements for registration under attached Table 1;

2.	Performance in its evaluation of the level of information security preparedness;

3.	Results of evaluating enterprises that have undergone the evaluation of the level of information security preparedness.

Article 8 (Information Security Disclosure)

(1)

"Person ··· who meets the standards prescribed by Presidential Decree" in the main clause of Article 13 (2) of the Act means any of the following persons who provides information or intermediates the provision thereof through an information and communications network (hereinafter referred to as "person with information security disclosure obligations"): <Newly Inserted on Dec. 9, 2021>

1.	Any of the following persons:

(a)	A person who conducts business possessing line equipment provided in Article 11 of the Enforcement Decree of the Telecommunications Business Act, among facilities-based telecommunications business entities who file for registration of their business under Article 6 (1) of that Act;

(b)	A data center operator under Article 46 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection;

(c)	A tertiary hospital under Article 3-4 (1) of the Medical Service Act;

(d)	A person who provides cloud computing services pursuant to subparagraph 1 of Article 3 of the Enforcement Decree of the Act on the Development of Cloud Computing and Protection of Its Users;

2.

A person who is required to designate a chief information security officer and to report such designation to the Minister of Science of ICT under the main clause of Article 45-3 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection and whose sales for the immediately preceding business year amount to at least 300 billion won, among corporations which issue stock certificates listed on a marketable securities market (referring to a marketable securities market under Article 176-9 (1) of the Enforcement Decree of the Financial Investment Services and Capital Markets Act) or on the KOSDAQ market (referring to the KOSDAQ market under Article 8 of the Addenda to the Enforcement Decree of the Financial Investment Services and Capital Markets Act (Presidential Decree No. 24697));

3.

A person in whose case the average number of daily users of information and communications services provided in the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as "information and communications services") during three months immediately before the end of the preceding year is at least one million.

(2)	Notwithstanding paragraph (1), any of the following persons shall be excluded from persons with information security disclosure obligations: <Newly Inserted on Dec. 9, 2021>

1.	A public institution;

2.	A small enterprise under Article 8 (1) of the Enforcement Decree of the Framework Act on Small and Medium Enterprises, among those falling under paragraph (1) 1 or 3;

3.	A financial company under the Electronic Financial Transactions Act;

4.

An electronic financial business entity under the Electronic Financial Transactions Act which does not engage in, as its main business, the information and communications business or the wholesale or retail business as specified in the Korean Standard Industrial Classification publicly notified by the Commissioner of the Statistics Korea under Article 22 (1) of the Statistics Act.

(3)	Where a person who provides information or intermediates the provision thereof through an information and communications network discloses information security pursuant to Article 13 (1) or (2) of the Act, he or she shall include the following in the details thereof: <Amended on Dec. 9, 2021>

1.	Status of investment in the information security field in comparison with the current status of investment in the information technology field;

2.	Status of human resources exclusively in charge of the information security field in comparison with the current status of human resources in the information technology field;

3.	Matters concerning certification, evaluation, examination, etc. related to information security (limited to applicable cases);

4.	Status of other activities for information security performed by persons who use information and communications services.

(4)

Where information security is disclosed pursuant to Article 13 (1) or (2) of the Act, the chief information security officer of the business entity subject to disclosure shall preside over the process and obtain confirmation from the chief executive officer on the details of such disclosure beforehand. <Amended on Dec. 9, 2021>

(5)	The Minister of Science and ICT may establish and operate an electronic disclosure system (hereafter in this Article referred to as "electronic disclosure system") to ensure effective disclosure of information security under Article 13 (1) or (2) of the Act. <Amended on Jul. 26, 2017; Dec. 9, 2021>

(6)	A person who intends to disclose information security under Article 13 (1) or (2) of the Act shall enter the current status of information security into the electronic disclosure system no later than June 30 every year. <Newly Inserted on Dec. 9, 2021>

(7)	Except as provided in paragraphs (1) through (6), matters regarding preparation standards, methods and procedures for disclosing information security shall be determined and publicly notified by the Minister of Science and ICT. <Newly Inserted on Apr. 2, 2019; Dec. 9, 2021>

[Title Amended on Dec. 9, 2021]

Article 9 (Implementation of Projects for Standardization)

The Minister of Science and ICT may conduct the following affairs to revitalize the trade of information security technology and to ensure compatibility among information security products pursuant to Article 14 (4) of the Act. In such cases, he or she shall consult with the heads of related agencies about matters related to national security, such as ciphers or codes: <Amended on Jul. 26, 2017>

1.	Research on the demand for standards and formulating strategies for standards for domestic group standards and national standards related to information security technology, etc.;

2.	Organizing and operating a committee in the Republic of Korea for developing and deliberating on international standards related to Information security technology, etc.;

3.	Research on the trends of international standards related to information security technology, etc. and supporting the activities of domestic professionals related thereto;

4.	Providing support for the confirmation of conformity to, application or utilization of standards related to information security technology, etc.;

5.	Advertising on standards related to information security technology, etc.;

6.	Education, etc. to nurture domestic and international professionals in standards related to information security technology, etc.

Article 10 (Performance Assessment Methods and Designation of Performance Assessment Agency)

(1)	An assessment of the performance of an information security product under Article 17 (1) of the Act (hereinafter referred to as "performance assessment") shall include the following:

1.	The processing performance of security functions of the information security product;

2.	Whether the information security product realizes key functions related to information security other than its security functions;

3.	The processing performance of general functions other than information security functions when operating the information security product;

4.	Efficiency of the information security product in terms of time and resources.

(2)	The Minister of Science and ICT may designate the following institutions or organizations as an assessment agency under Article 17 (2) of the Act (hereinafter referred to as "performance assessment agency"): <Amended on Jul. 26, 2017>

1.	The Korea Internet and Security Agency (hereinafter referred to as the "Korea Internet and Security Agency") established under Article 52 of the Act on Promotion of Information and Communications Network Utilization and Information Protection;

2.	Corporations fully meeting the following requirements:

(a)	Organizational structure and human resources to assess performance;

(b)	Space for office work and testing, to assess performance;

(c)	Facilities to assess performance;

(d)	Procedures for operation to assess information security products subject to performance assessment.

(3)	Any person who intends to undergo performance assessment pursuant to Article 17 (3) of the Act shall submit an application for performance assessment, products subject to performance assessment, and the following data, to a performance assessment agency:

1.	A product manual;

2.	A user guide;

3.	Other data necessary for performance assessment.

(4)	Except as provided in paragraphs (1) through (3), the Minister of Science and ICT shall prescribe and publicly notify necessary matters concerning methods and procedures for performance assessment, designation of a performance assessment agency, etc. <Amended on Jul. 26, 2017>

Article 11 (Information Security Technology Eligible for Designation as Excellent Information Security Technology)

The Minister of Science and ICT may designate any of the following information security technology, etc. as excellent information security technology, etc. pursuant to Article 18 (1) of the Act: <Amended on Jul. 26, 2017>

1.	Information security technology, etc. deemed new, creative and commercializable, which has been developed in the Republic of Korea;

2.	Information security technology, etc. deemed new, creative and commercializable in the Republic of Korea, which was imported from a foreign country and has been improved.

Article 12 (Methods of Designation of Excellent Information Security Technology)

(1)

Any person who intends to apply for designation as excellent information security technology, etc. under Article 18 (1) of the Act shall submit an application for designation prescribed by Ordinance of the Ministry of Science and ICT to the Minister of Science and ICT along with the following documents: <Amended on Jul. 26, 2017>

1.	Name and development background of information security technology, etc.;

2.	Details of information security technology, etc. (including the outline of information security technology, etc. and specific explanation of matters falling under the subparagraphs of Article 11);

3.	Name of the person who has developed or improved information security technology, etc. (where the person is a corporation, referring to the name of the corporation and the name of the representative thereof);

4.	Level of contribution to revitalizing the information security industry both domestically and internationally;

5.	Outcomes of performance assessment, and other matters related to the findings of evaluation, testing and certification of information security technology, etc.

(2)

The Minister of Science and ICT shall notify a person who applied for designation as excellent information security technology, etc. as to whether the designation as excellent information security technology, etc., is made within 90 days from the date he or she received the relevant application under paragraph (1). In such cases, he or she shall issue a written designation prescribed by Ordinance of the Ministry of Science and ICT to a person who obtains designation as excellent information security technology, etc. <Amended on Jul. 26, 2017>

(3)	Where the Minister of Science and ICT designates excellent information security technology, etc., he or she may hear opinions of interested parties or opinions of institutions, organization, etc. related to excellent information security technology, etc. <Amended on Jul. 26, 2017>

(4)	Except as provided in paragraphs (1) through (3), the Minister of Science and ICT shall prescribe and publicly notify necessary matters concerning specific methods, etc. for designation of excellent information security technology, etc. <Amended on Jul. 26, 2017>

Article 13 (Details of Support for Excellent Information Security Technology)

(1)	The Minister of Science and ICT may provide the following support to a person who has obtained designation as excellent information security technology, etc. pursuant to Article 18 (1) of the Act: <Amended on Jul. 26, 2017>

1.	Support for providing prototypes and commercialization;

2.	Support for startup and advertising;

3.	Support for new market opening and exportation.

(2)	The Minister of Science and ICT shall prescribe and publicly notify necessary matters concerning procedures and methods for providing support and the details of support for excellent information security technology, etc. under paragraph (1). <Amended on Jul. 26, 2017>

Article 14 (Support for Excellent Information Security Enterprises)

"Matters prescribed by Presidential Decree" in Article 19 (2) 4 of the Act means the following matters:

1.	Providing support for international cooperation under Article 16 of the Act;

2.	Subsidizing expenses incurred in assessing performance;

3.	Providing support for exportation under Article 21 of the Act.

Article 15 (Methods of Designation of Exemplary Information Security Enterprises)

(1)

Any person who intends to apply for designation as an exemplary information security enterprise pursuant to Article 19 of the Act shall submit an application for designation prescribed by Ordinance of the Ministry of Science and ICT to the Minister of Science and ICT along with the following documents: <Amended on Jul. 26, 2017>

1.	Data on the achievements that contributed to promoting the information security industry, such as developing and commercializing excellent information security technology, etc.;

2.	Data evidencing the fact that the applicant is an information security enterprise or a statement of opinion of the Korea Information Security Industry Association established under Article 24 of the Act as to whether the applicant is an information security enterprise.

(2)

Article 12 (2) and (3) shall apply mutatis mutandis to procedures for notification of whether an applicant is designated as an exemplary information security enterprise. In such cases, "excellent information security technology, etc." shall be construed as "exemplary information security enterprise."

(3)	Except as provided in paragraphs (1) and (2), the Minister of Science and ICT shall prescribe and publicly notify necessary matters concerning detailed criteria, procedures, methods, etc. for examining designating exemplary information security enterprises. <Amended on Jul. 26, 2017>

Article 16 (Provision of Loans)

(1)	Where an information security enterprise intends to take out a loan pursuant to Article 20 (1) of the Act, it shall file an application for a loan with a financial institution that handles the relevant type of loan, on recommendation by the Minister of Science and ICT. <Amended on Jul. 26, 2017>

(2)

The Minister of Science and ICT shall determine and publicly notify the terms and conditions of loans, including interest rates, as prescribed by him or her pursuant to Article 20 (1) of the Act, and details regarding methods and procedures for providing loans, institutions that handle such loans, etc. under paragraph (1). <Amended on Jul. 26, 2017>

Article 17 (Measures for Promotion of Exportation)

(1)	The Minister of Science and ICT may take the following measures for facilitating investment in the information security industry and expanding export markets under Article 21 (1) of the Act: <Amended on Jul. 26, 2017>

1.	Collecting and providing information and data on the overseas markets of the information security industry;

2.	Establishing an international cooperation system to promote the exportation of the information security industry;

3.	Inducing foreign and domestic investment in the information security industry and supporting overseas investment of Korean enterprises;

4.	Researching policy measures for promoting investment in the information security industry and expanding export markets of the information security industry;

5.	Overseas marketing and advertising related to the information security industry;

6.	Other measures necessary for promoting investment in the information security industry and expanding export markets of the information security industry.

(2)	The Minister of Science and ICT may provide the following support to promote the exportation of the information security industry pursuant to Article 21 (2) of the Act: <Amended on Jul. 26, 2017>

1.	Providing consultation and advice on exporting information security products and information security services;

2.	Subsidizing expenses incurred in holding and participating in exhibitions and academic conferences both domestically and internationally for promoting exportation;

3.	Support for invitations and visits for negotiations for exportation;

4.	Support for the overseas dispatch of human resources and the operation of overseas offices for promoting exportation;

5.	Other support necessary for promoting exportation of the information security industry.

Article 18 (Support for Small and Medium Enterprises Related to Information Security)

The Minister of Science and ICT may provide the following support to small and medium enterprises, etc. (referring to small and medium enterprises, etc. under Article 5 (1) 5 of the Act; hereinafter the same shall apply) related to information security pursuant to Article 22 (2) of the Act: <Amended on Jul. 26, 2017>

1.	Support for trade or commercializing information security technology developed pursuant to Article 14 of the Act;

2.	Support for inducing foreign investment, international technology cooperation, and overseas expansion;

3.	Support for obtaining intellectual property rights, such as national and international patent applications for core information security technologies;

4.	Other matters the Minister of Science and ICT deems necessary for developing the information security industry and expanding investment in and nurturing small and medium enterprises, etc. related to information security.

Article 19 (Authorization for Incorporation of Korea Information Security Industry Association)

(1)	Any person who intends to incorporate the Korea Information Security Industry Association (hereinafter referred to as the "Association") under Article 24 (1) of the Act shall submit the following documents to the Minister of Science and ICT: <Amended on Jul. 26, 2017>

1.	Articles of incorporation;

2.	A list and curriculum vitae of promoters;

3.	A list of intending members of the Association;

4.	A business plan and forecast of revenues and expenditures;

5.	Minutes of the inaugural meeting.

(2)	The articles of incorporation under paragraph (1) 1 shall include the following:

1.	Name and objectives of the Association;

2.	Location of the head office;

3.	Matters concerning affairs and the management thereof;

4.	Matters concerning executive officers;

5.	Matters concerning qualifications of members;

6.	Matters concerning the amendment of the articles of incorporation;

7.	Other matters necessary to operate the Association.

(3)	Where the Minister of Science and ICT authorizes incorporation of the Association pursuant to Article 24 (1) of the Act, he or she shall publicly announce such fact. <Amended on Jul. 26, 2017>

(4)

Where the Association intends to amend any matter under the subparagraphs of paragraph (2), it shall file an application for approval of the amendment thereof with the Minister of Science and ICT within 10 days from the date the general meeting of its members that has decided such amendment is closed. In such cases, where the Minister of Science and ICT authorizes the change of the name of the Association or the location of its office, he or she shall publicly announce such fact. <Amended on Jul. 26, 2017>

Article 20 (Projects and Supervision of Association)

(1)	The Association shall implement the following projects concerning the information security industry:

1.	Researching and proposing improvements to systems for creating the environment for the information security industry;

2.	Supporting training of human resources for information security;

3.	Researching the current status and preparing statistics related to the information security industry;

4.	Researching technical trends and activities to disseminate new technologies concerning the information security industry;

5.	Preparing statements of opinion on whether an enterprise is an information security enterprise;

6.	Facilitating international cooperation and overseas expansion concerning the information security industry;

7.	Researching standards for reasonable prices for information security technology, etc. of the information security industry;

8.	Technical research necessary for the information security industry;

9.	Other projects necessary for developing the information security industry and achieving the objectives of incorporation of the Association.

(2)	Where the Minister of Science and ICT deems that the Association implements projects other than the objectives provided in this Decree and its articles of incorporation, he or she may request the Association to rectify its projects. <Amended on Jul. 26, 2017>

Article 21 (Operation of Dispute Mediation Committee)

(1)

Where the chairperson of the dispute mediation committee of the information security industry under Article 25 (1) of the Act (hereinafter referred to as the "Mediation Committee") intends to convene a meeting of the Mediation Committee, he or she shall designate the date, time, venue, and agenda of the meeting and notify each member of such designated date, time, venue, and agenda seven days beforehand: Provided, That in emergency or other extenuating circumstances, he or she may shorten the aforesaid period.

(2)	A majority of the members of the Mediation Committee including the chairperson shall constitute a quorum, and any decision thereof shall require the concurring vote of a majority of those present.

(3)	The Mediation Committee may have subcommittees to efficiently conduct its affairs.

(4)	No meeting of the Mediation Committee shall be made public: Provided, That where deemed necessary, the Mediation Committee, by resolution, may allow relevant persons or interested parties to attend its meetings.

Article 22 (Methods and Procedures for Dispute Mediation)

(1)

Any person who intends to receive aid to recover loss and participate in mediation to settle a dispute in relation to using, etc. an information security product and information security service shall submit an application for mediation to the Mediation Committee, as prescribed by the Mediation Committee.

(2)	The Mediation Committee upon receipt of an application under paragraph (1) shall immediately notify disputants of the details thereof.

(3)

The Mediation Committee may recommend that the disputants reach an autonomous agreement; and where the disputants fail to reach an agreement within 20 days from the date it give notification under paragraph (2) to them, the chairperson of the Mediation Committee shall submit an application for mediation under paragraph (1) to the Mediation Committee.

Article 23 (Allowances and Travel Expenses)

The Mediation Committee may pay allowances and reimburse travel expenses of members, etc. who attend its meetings within budgetary limits: Provided, That the foregoing shall not apply where a member of the Mediation Committee who is a public official attends its meetings in direct relation to his or her duties.

Article 24 (Costs for Mediation)

(1)	In cases of mediation in which the Mediation Committee requires an applicant to bear the costs of the mediation pursuant to Article 31 (1) of the Act, the applicant for mediation shall prepay such costs when he or she applies for mediation.

(2)	The amount of costs for mediation under paragraph (1) shall be determined by the Committee.

(3)

Where the Mediation Committee requires the disputants to share the costs for mediation pursuant to the proviso of Article 31 of the Act because the dispute was resolved between the disputants through mediation, it shall present a mediation agreement under Article 29 (3) of the Act including matters concerning the costs for mediation to each disputant.

Article 25 (Detailed Rules of Mediation to Settle Disputes)

Except as provided in this Act and this Decree, the chairperson of the Mediation Committee shall prescribe matters necessary for operating the Mediation Committee following a resolution thereon.

Article 26 (Detailed Terms and Conditions of Transactions of Information Security Products and Information Security Services)

Where an information security enterprise intends to prepare the terms and conditions for protecting users pursuant to Article 36 (2) of the Act, it shall include details regarding the following:

1.	Methods and procedures for returning amounts erroneously paid or overpaid;

2.	Methods of cancelling or terminating a contract for using an information security product and information security service;

3.	Compensation to users for loss which incurred due to a defect, etc in the product;

4.	Methods and procedures for resolving disputes;

5.	Other matters the information security enterprise deems necessary to protect users.

Article 27 (Entrustment of Affairs)

(1)	The Minister of Science and ICT shall designate the following institutions as specialized institutions pursuant to Article 38 of the Act: <Amended on Jul. 26, 2017>

1.	The Korea Internet and Security Agency;

2.	The Korea Information Security Industry Association established under Article 24 (1) of the Act;

3.	Science and technology research institutes specializing in manufacturing technology whose establishment was permitted pursuant to Article 42 of the Industrial Technology Innovation Promotion Act.

(2)	The Minister of Science and ICT shall entrust the following affairs to the Korea Internet and Security Agency designated under paragraph (1) 1 pursuant to Article 38 of the Act: <Amended on Jul. 26, 2017; Apr. 2, 2019; Dec. 9, 2021; Oct. 10, 2023>

1.	Receiving and providing information on purchase demand under Article 6 of the Act;

2.	Collecting and analyzing information related to an information security project under Article 10 (4) of the Act and requesting submission of data under Article 10 (5) of that Act;

3.	Researching and developing converged information security technology, etc., trading and commercializing converged information security technology, and pilot projects concerning converged information security technology, etc. under Article 11 (2) 1 through 3 of the Act;

4.	Support for the receipt of applications for registration and for registration of an agency for evaluating the level of information security preparedness under Article 12 (2) of the Act;

4-2.	Verifying disclosed information under Article 13 (4) of the Act;

5.	Surveying the levels of information security technologies under Article 14 (1) 1 of the Act and establishing regional clusters of industries related to information security under subparagraph 4 of that paragraph;

6.	Establishing and operating relevant facilities under Article 14 (3) of the Act, and permitting to use and lend such facilities;

7.	Ascertaining the actual conditions of demand for professionals and formulating mid-term and long-term prospects of supply and demand under Article 15 (1) 1 of the Act;

8.	Deleted; <Apr. 2, 2019>

9.	Support for establishing a qualification system and for the supply and demand of professionals related to the information security industry under Article 15 (1) 4 of the Act;

10.	Supporting projects, such as international exchanges of information security technology and professionals, and international joint research and development under Article 16 (2) of the Act;

10-2.

Receipt of an application for designation as a performance assessment agency under Article 17 (2) of the　Act and examination of whether the designation requirements under Article 10 (2) and (4) of this Decree are met;

11.	Receiving applications for designation and examination as to whether an applicant meets criteria for designation among affairs concerning the designation of an enterprise specializing in information security services under Article 23 (1) of the Act;

12.	Examining post management under Article 23 (3) of the Act;

13.	Projects for protecting users under Article 34 (1) of the Act;

14.	Constructing and operating a purchase demand information system under Article 4 (3);

15.	Constructing and operating an electronic disclosure system under Article 8 (5);

16.	Examining designation and receiving applications for designation of excellent information security technology, etc. under Articles 11 and 12 (1);

17.	Receiving applications for designation and examining designation of exemplary information security enterprises under Article 15;

18.	Receiving applications for recommendations for providing loans under Article 16.

(3)	The Minister of Science and ICT shall entrust the following affairs to the Association designated pursuant to paragraph (1) 2 pursuant to Article 38 of the Act: <Amended on Jul. 26, 2017>

1.	Public-private partnership monitoring under Article 10 (2) of the Act;

2.	Preparing standards for calculating prices for information security services under Article 10 (4) 5 of the Act;

3.	Operating a system to support the provision, etc. of information related to the information security industry under Article 14 (2) of the Act;

4.	Deleted. <Apr. 2, 2019>

(4)	The Minister of Science and ICT shall entrust the following affairs to an institution publicly notified by the Minister of Science and ICT, from among the specialized institutions designated under paragraph (1), pursuant to Article 38 of the Act: <Amended on Apr. 2, 2019>

1.	Support for developing and disseminating educational programs for training professionals under Article 15 (1) 3 of the Act;

2.	Project relating to support for exportation under Article 21 of the Act.

Article 27-2 (Re-Examination of Regulation)

The Minister of Science and ICT shall examine the appropriateness of the following matters every three years, counting from January 1, 2022 (referring to the period that ends on the day before the base date of every third year) and shall take measures, such as making improvements: <Amended on Mar. 8, 2022>

1.	Requirements for registration of agencies for evaluating the level of information security preparedness under Article 6 (8) and attached Table 1;

2.	Scope of persons with information security disclosure obligations under Article 8 (1) and (2).

[This Article Newly Inserted on Dec. 9, 2021]

Article 28 (Criteria for Imposition of Administrative Fines)

Criteria for imposing administrative fines under Article 41 of the Act shall be as specified in attached Table 2.

Law Viewer

ENFORCEMENT DECREE OF THE ACT ON THE PROMOTION OF INFORMATION SECURITY INDUSTRY