Presidential Decree No. 16457, Jun. 30, 1999
Amended by Presidential Decree No. 17625, Jun. 10, 2002
Presidential Decree No. 18312, Mar. 17, 2004
Presidential Decree No. 19507, Jun. 12, 2006
Presidential Decree No. 19570, Jun. 29, 2006
Presidential Decree No. 20741, Feb. 29, 2008
Presidential Decree No. 20917, Jul. 17, 2008
Presidential Decree No. 22016, Feb. 4, 2010
Presidential Decree No. 22151, May 4, 2010
Presidential Decree No. 22846, Apr. 5, 2011
Presidential Decree No. 23898, Jun. 29, 2012
Presidential Decree No. 24425, Mar. 23, 2013
Presidential Decree No. 25050, Dec. 30, 2013
Presidential Decree No. 25406, Jun. 30, 2014
Presidential Decree No. 25532, Aug. 6, 2014
Presidential Decree No. 25840, Dec. 9, 2014
Presidential Decree No. 26166, Mar. 30, 2015
Presidential Decree No. 26980, Feb. 12, 2016
Presidential Decree No. 27751, Dec. 30, 2016
Presidential Decree No. 27960, Mar. 27, 2017
Presidential Decree No. 28210, Jul. 26, 2017
Presidential Decree No. 33723, Sep. 12, 2023
Article 1 (Purpose) |
Article 2 (Public announcement of issuance of certificate) |
Article 3 (Revocation of accreditation of compliance with operating standards) |
(1) | The accreditation agency may revoke the accreditation of a certification-service provider that has obtained an accreditation of compliance with the operating standards if it falls under any of the following subparagraphs; provided, the accreditation shall be revoked if it falls under subparagraph 1 or 2: |
1. | Where it has obtained the accreditation of compliance with the operating standards by fraud or other improper means; |
2. | Where the business is permanently closed or is dissolved; |
3. | Where it is received a corrective order for the reason specified in subparagraph 1 of Article 17 of the Act, but fails to comply without good cause. |
(2) | If the accreditation agency revokes the accreditation of compliance with the operating standards pursuant to paragraph (1), it shall publicly announce the fact on its website. |
Article 4 (Period of validity of accreditation of compliance with operating standards) |
Article 5 (Criteria and procedures for selection of assessment bodies) |
(1) | The selection criteria for an assessment body under Article 10 (1) of the Act (hereinafter referred to as "assessment body") are as follows: |
1. | It shall be a legal person; |
2. | Its selection as an assessment body shall not have been revoked within the last 2 years; |
3. | It shall employ at least 5 full-time professional personnel who meet the requirements specified in Appendix 1; |
4. | It shall have the operational and management capabilities and technical and physical capabilities necessary to conduct assessments; |
5. | It shall be able to ensure independence, objectivity, impartiality, and reliability in conducting assessments. |
(2) | Details, including assessment items and assessment methods, to confirm compliance with the criteria under paragraph (1) 4 and 5 shall be prescribed by Ministerial Decree of Science and ICT. |
(3) | A person that seeks to be selected as an assessment body shall submit an application for selection in the form prescribed by Ministerial Decree of Science and ICT to the Minister of Science and ICT. |
(4) | Upon receipt of an application under paragraph (3), the Minister of Science and ICT may, if necessary, request assistance from the Korea Internet and Security Agency under Article 52 of the Act on Promotion of Information and Communication Network Utilization and Information Protection (hereinafter referred to as the "Korea Internet and Security Agency") to determine whether to select the application, and obtain opinions from the applicant or experts and others with abundant knowledge and experience in electronic signatures. |
(5) | Where the Minister of Science and ICT reviews an application under paragraph (3) and recognizes that the body meets the selection criteria under paragraph (1), he or she shall issue a certificate of selection as an assessment body in the form prescribed by the Ministry of Science and ICT Ordinance and publicly announce the fact in the Official Gazette or on the website of the Ministry. |
Article 6 (Code of conduct of assessment body) |
(1) | The assessment body shall prepare detailed standards for assessment and guidelines for conducting assessments, necessary for the performance of assessment work, and shall conduct assessments fairly and objectively in accordance with them. |
(2) | The guidelines for conducting assessments pursuant to paragraph (1) shall include the following: |
1. | Assessment methods, such as written assessment and on-site assessment; |
2. | Assessment procedures (including reasons and procedures for discontinuing or omitting portions of assessment); |
3. | Matters regarding management in conducting assessments, such as quality control and operations management in conducting assessments; |
4. | Matters related to security and management of assessment-related documents, facilities, etc.; |
5. | Duties and responsibilities of staff conducting assessments; |
6. | Other matters necessary to ensure independence, objectivity, impartiality, and reliability in conducting assessments. |
(3) | Where the assessment body receives an application from a certification-service provider for an assessment to obtain an accreditation of compliance with the operating standards pursuant to Article 10 (2) of the Act, it shall consult with the accreditation agency in advance on the detailed assessment standards to be applied to the assessment, the scope of the assessment, the assessment schedule, matters related to the observation of the assessment, and other relevant matters. |
(4) | The assessment body shall complete the assessment within 180 days from the date of receipt of the application for assessment; provided, if there are unavoidable reasons that make it difficult to complete the assessment, the period may be extended only once up to 180 days, and if the assessment period is extended, the fact shall be notified to the relevant certification-service provider. |
(5) | The assessment body shall submit the previous year's assessment performance report to the Minister of Science and ICT by the end of February every year. |
Article 7 (Selection criteria for internationally-accepted assessments) |
1. | It must be an assessment of the safety and reliability of the electronic-signature certification services; |
2. | The assessment criteria shall meet the operating standards under Article 7 (2) of the Act; |
3. | It must be an assessment that is commonly used or recognized by international organizations or organizations that establish standards or standards related to electronic signature authentication services, or international electronic signature authentication service user groups, etc. |
Article 8 (Revocation of selection as assessment body and suspension of business) |
(1) | Criteria for revocation of selection of an assessment body and disposition for suspension of its business under Article 12 (1) of the Act shall be as specified in Appendix 2. |
(2) | If the Minister of Science, ICT and Future Planning revokes the selection of an assessment body or orders the suspension of its business pursuant to Article 12 (1) of the Act, the Minister shall publicly announce the fact in the Official Gazette or on the website of the Ministry. |
Article 9 (Methods of verifying identities) |
(1) | When a certification-service provider that has obtained an accreditation of compliance with the operating standards verifies the identity of a person who intends to sign up for electronic-signature certification services pursuant to Article 14 of the Act, it shall do so in the following relevant method: |
1. | If the relevant certification-service provider is an identification service agency pursuant to Article 23-3 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as "identification service agency"): Method of verification based on the real name defined in subparagraph 4 of Article 2 of the Act on Real Name Financial Transactions and Confidentiality (hereinafter referred to as "real name"); provided, if the relevant certification-service provider can confirm that the identity of the person who intends to sign up is verified based on the real name, the subscriber verification method accredited for compliance with the operating standards may be used. |
2. | If the relevant certification-service provider is not an identification service agency: Subscriber verification methods accredited for compliance with the operating standards. |
(2) | Details regarding the methods of verifying identity based on the real name under paragraph (1) 1 shall be prescribed by Ministerial Decree of Science and ICT. |
Article 10 (Corrective order) |
Article 11 (Obtainment of insurance for liability of damages) |
1. | The limit of the total annual compensation amount shall be 1 billion won or more; |
2. | Incidents that occur during the period of validity under Article 4 shall be covered. |
Article 12 (Entrustment of Duties) |
1. | Provision of assistance in respect of the matters specified in subparagraphs 2 through 4 of Article 5 of the Act; |
2. | Establishment of operating standards for electronic-signature certification services pursuant to Article 7 (2) of the Act. |
Article 13 (Processing of personally identifiable information) |
(1) | The accreditation agency processes data containing resident registration numbers, passport numbers, or alien registration numbers under Article 19 of the Enforcement Decree of the Personal Information Protection Act if it is essential for conducting the tasks related to confirming whether the qualification requirements under Article 8 (3) of the Act are met. |
(2) | A certification-service provider that has obtained an accreditation of compliance with the operating standards (only applicable to cases in which the relevant service provider is an identification service agency) may process data containing resident registration numbers, passport numbers, or alien registration numbers under Article 19 of the Enforcement Decree if it is essential for conducting the verification of identities under Article 9 (1) 1. |
Article 14 (Processing of connecting information) |
Article 15 (Standards for imposition of fines) |