Law Viewer

Back Home

ENFORCEMENT DECREE OF THE DIGITAL SIGNATURE ACT

Presidential Decree No. 16457, Jun. 30, 1999

Amended by Presidential Decree No. 17625, Jun. 10, 2002

Presidential Decree No. 18312, Mar. 17, 2004

Presidential Decree No. 19507, Jun. 12, 2006

Presidential Decree No. 19570, Jun. 29, 2006

Presidential Decree No. 20741, Feb. 29, 2008

Presidential Decree No. 20917, Jul. 17, 2008

Presidential Decree No. 22016, Feb. 4, 2010

Presidential Decree No. 22151, May 4, 2010

Presidential Decree No. 22846, Apr. 5, 2011

Presidential Decree No. 23898, Jun. 29, 2012

Presidential Decree No. 24425, Mar. 23, 2013

Presidential Decree No. 25050, Dec. 30, 2013

Presidential Decree No. 25406, Jun. 30, 2014

Presidential Decree No. 25532, Aug. 6, 2014

Presidential Decree No. 25840, Dec. 9, 2014

Presidential Decree No. 26166, Mar. 30, 2015

Presidential Decree No. 26980, Feb. 12, 2016

Presidential Decree No. 27751, Dec. 30, 2016

Presidential Decree No. 27960, Mar. 27, 2017

Presidential Decree No. 28210, Jul. 26, 2017

Presidential Decree No. 33723, Sep. 12, 2023

 Article 1 (Purpose)
The purpose of this Decree is to prescribe matters mandated by the Electronic Signature Act and matters necessary for the enforcement thereof.
 Article 2 (Public announcement of issuance of certificate)
The accreditation agency under Article 9 (1) (hereinafter referred to as the "accreditation agency") of the Electronic Signature Act (hereinafter referred to as the "Act") shall, if it has issued a certificate to a certification-service provider pursuant to the former part of paragraph (3) of that Article in accreditation of the service provider's compliance with the operating standards under Article 8 (2) of the Act (hereinafter referred to as "accreditation of compliance with the operating standards"), publicly announce the fact on its website.
 Article 3 (Revocation of accreditation of compliance with operating standards)
(1) The accreditation agency may revoke the accreditation of a certification-service provider that has obtained an accreditation of compliance with the operating standards if it falls under any of the following subparagraphs; provided, the accreditation shall be revoked if it falls under subparagraph 1 or 2:
1. Where it has obtained the accreditation of compliance with the operating standards by fraud or other improper means;
2. Where the business is permanently closed or is dissolved;
3. Where it is received a corrective order for the reason specified in subparagraph 1 of Article 17 of the Act, but fails to comply without good cause.
(2) If the accreditation agency revokes the accreditation of compliance with the operating standards pursuant to paragraph (1), it shall publicly announce the fact on its website.
 Article 4 (Period of validity of accreditation of compliance with operating standards)
The accreditation of compliance with operating standards shall be valid for one year from the date of accreditation.
 Article 5 (Criteria and procedures for selection of assessment bodies)
(1) The selection criteria for an assessment body under Article 10 (1) of the Act (hereinafter referred to as "assessment body") are as follows:
1. It shall be a legal person;
2. Its selection as an assessment body shall not have been revoked within the last 2 years;
3. It shall employ at least 5 full-time professional personnel who meet the requirements specified in Appendix 1;
4. It shall have the operational and management capabilities and technical and physical capabilities necessary to conduct assessments;
5. It shall be able to ensure independence, objectivity, impartiality, and reliability in conducting assessments.
(2) Details, including assessment items and assessment methods, to confirm compliance with the criteria under paragraph (1) 4 and 5 shall be prescribed by Ministerial Decree of Science and ICT.
(3) A person that seeks to be selected as an assessment body shall submit an application for selection in the form prescribed by Ministerial Decree of Science and ICT to the Minister of Science and ICT.
(4) Upon receipt of an application under paragraph (3), the Minister of Science and ICT may, if necessary, request assistance from the Korea Internet and Security Agency under Article 52 of the Act on Promotion of Information and Communication Network Utilization and Information Protection (hereinafter referred to as the "Korea Internet and Security Agency") to determine whether to select the application, and obtain opinions from the applicant or experts and others with abundant knowledge and experience in electronic signatures.
(5) Where the Minister of Science and ICT reviews an application under paragraph (3) and recognizes that the body meets the selection criteria under paragraph (1), he or she shall issue a certificate of selection as an assessment body in the form prescribed by the Ministry of Science and ICT Ordinance and publicly announce the fact in the Official Gazette or on the website of the Ministry.
 Article 6 (Code of conduct of assessment body)
(1) The assessment body shall prepare detailed standards for assessment and guidelines for conducting assessments, necessary for the performance of assessment work, and shall conduct assessments fairly and objectively in accordance with them.
(2) The guidelines for conducting assessments pursuant to paragraph (1) shall include the following:
1. Assessment methods, such as written assessment and on-site assessment;
2. Assessment procedures (including reasons and procedures for discontinuing or omitting portions of assessment);
3. Matters regarding management in conducting assessments, such as quality control and operations management in conducting assessments;
4. Matters related to security and management of assessment-related documents, facilities, etc.;
5. Duties and responsibilities of staff conducting assessments;
6. Other matters necessary to ensure independence, objectivity, impartiality, and reliability in conducting assessments.
(3) Where the assessment body receives an application from a certification-service provider for an assessment to obtain an accreditation of compliance with the operating standards pursuant to Article 10 (2) of the Act, it shall consult with the accreditation agency in advance on the detailed assessment standards to be applied to the assessment, the scope of the assessment, the assessment schedule, matters related to the observation of the assessment, and other relevant matters.
(4) The assessment body shall complete the assessment within 180 days from the date of receipt of the application for assessment; provided, if there are unavoidable reasons that make it difficult to complete the assessment, the period may be extended only once up to 180 days, and if the assessment period is extended, the fact shall be notified to the relevant certification-service provider.
(5) The assessment body shall submit the previous year's assessment performance report to the Minister of Science and ICT by the end of February every year.
 Article 7 (Selection criteria for internationally-accepted assessments)
The selection criteria for internationally-accepted assessments under Article 11 (1) of the Act are as follows:
1. It must be an assessment of the safety and reliability of the electronic-signature certification services;
2. The assessment criteria shall meet the operating standards under Article 7 (2) of the Act;
3. It must be an assessment that is commonly used or recognized by international organizations or organizations that establish standards or standards related to electronic signature authentication services, or international electronic signature authentication service user groups, etc.
 Article 8 (Revocation of selection as assessment body and suspension of business)
(1) Criteria for revocation of selection of an assessment body and disposition for suspension of its business under Article 12 (1) of the Act shall be as specified in Appendix 2.
(2) If the Minister of Science, ICT and Future Planning revokes the selection of an assessment body or orders the suspension of its business pursuant to Article 12 (1) of the Act, the Minister shall publicly announce the fact in the Official Gazette or on the website of the Ministry.
 Article 9 (Methods of verifying identities)
(1) When a certification-service provider that has obtained an accreditation of compliance with the operating standards verifies the identity of a person who intends to sign up for electronic-signature certification services pursuant to Article 14 of the Act, it shall do so in the following relevant method:
1. If the relevant certification-service provider is an identification service agency pursuant to Article 23-3 (1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as "identification service agency"): Method of verification based on the real name defined in subparagraph 4 of Article 2 of the Act on Real Name Financial Transactions and Confidentiality (hereinafter referred to as "real name"); provided, if the relevant certification-service provider can confirm that the identity of the person who intends to sign up is verified based on the real name, the subscriber verification method accredited for compliance with the operating standards may be used.
2. If the relevant certification-service provider is not an identification service agency: Subscriber verification methods accredited for compliance with the operating standards.
(2) Details regarding the methods of verifying identity based on the real name under paragraph (1) 1 shall be prescribed by Ministerial Decree of Science and ICT.
 Article 10 (Corrective order)
When ordering to take corrective measures pursuant to Article 17 of the Act, the Minister of Science and ICT shall notify in writing the fact of violation and the deadline for correction.
 Article 11 (Obtainment of insurance for liability of damages)
A certification-service provider that has obtained an accreditation of compliance with the operating standards shall obtain liability insurance that satisfies all of the following requirements pursuant to Article 20 (2) of the Act:
1. The limit of the total annual compensation amount shall be 1 billion won or more;
2. Incidents that occur during the period of validity under Article 4 shall be covered.
 Article 12 (Entrustment of Duties)
The Minister of Science and ICT shall entrust the following duties to the Korea Internet and Security Agency pursuant to Article 23 of the Act:
1. Provision of assistance in respect of the matters specified in subparagraphs 2 through 4 of Article 5 of the Act;
2. Establishment of operating standards for electronic-signature certification services pursuant to Article 7 (2) of the Act.
 Article 13 (Processing of personally identifiable information)
(1) The accreditation agency processes data containing resident registration numbers, passport numbers, or alien registration numbers under Article 19 of the Enforcement Decree of the Personal Information Protection Act if it is essential for conducting the tasks related to confirming whether the qualification requirements under Article 8 (3) of the Act are met.
(2) A certification-service provider that has obtained an accreditation of compliance with the operating standards (only applicable to cases in which the relevant service provider is an identification service agency) may process data containing resident registration numbers, passport numbers, or alien registration numbers under Article 19 of the Enforcement Decree if it is essential for conducting the verification of identities under Article 9 (1) 1.
 Article 14 (Processing of connecting information)
A certification-service provider that has obtained an accreditation of compliance with the operating standards may process information that an identification service agency has generated by connecting resident registration numbers of signatories, etc. for the purpose of interlinking on-line and off-line services by providers of information and communications services as defined in subparagraph 3 of Article 2 of the Act on Information and Communications Network Utilization and Information Protection information, with the consents of the signatories, etc., if it is essential for conducting the verification of identities under Article 9 (1) or allowing users to identify the identities of signatories.
 Article 15 (Standards for imposition of fines)
The criteria for imposing fines under Article 26 (1) and (2) of the Act shall be shown in Appendix 3.
ADDENDA <Presidential Decree No. 31222, Dec. 8, 2020>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 10, 2020.
Article 2 Omitted.
Article 3 (Relationship to other statues or regulations)
Where other statutes or regulations cite the provisions of the previous Enforcement Decree of the Digital Signature at the time this Decree enters into force and if this Decree contains any corresponding provisions, the corresponding provisions of this Decree shall be deemed cited in lieu of the previous provisions.
ADDENDA <Presidential Decree No. 33723, Sep. 12, 2023>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 15, 2023. (Proviso Omitted.)
Article 2 Omitted.
Article 3 Omitted.