The Ministry of Science and ICT on the 8th released the list of 693 corporations subject to mandatory information security disclosure in 2026 under the information security disclosure system. This year's mandatory disclosure list increased by 27 corporations from a year earlier. In particular, corporations meeting the revenue criterion (300 billion won or more) rose by 13, and those meeting the user-base criterion (1 million users or more) rose by 10.
The information security disclosure system, based on the Act on the Promotion of the Information Security Industry, requires disclosures on information security investments, dedicated personnel, and related activities to induce corporations' investment in information security and strengthen user protection. The corporations subject to mandatory disclosure are selected each year under the law based on criteria such as business sector, revenue, and number of users.
By business sector, the list includes line-facility-owning common telecommunications service providers (ISP), internet data center providers (IDC), and tertiary general hospitals and infrastructure-as-a-service providers (IaaS). Listed corporations with revenue of 300 billion won or more and information and communications service providers with an average of 1 million or more daily users over the past three months are also included.
Corporations subject to disclosure must submit their information security status through the integrated information security disclosure portal by June 30. If a subject fails to carry out the disclosure, it may be subject to fines (up to 10 million won) under the relevant law.
Corporations not subject to mandatory disclosure that voluntarily carry out information security disclosure will receive a 30% discount on certification audit fees for the Information Security Management System or the Information Security and Personal Information Management System (ISMS or ISMS-P). If there are objections to the newly released list of mandatory subjects, an objection form and supporting documents may be submitted by May 15. The Ministry of Science and ICT plans to finalize the 2026 mandatory information security disclosers by reflecting the review results.
The Ministry of Science and ICT is providing disclosure guidelines. Practice-centered disclosure training to improve understanding of the system is being offered through May 22. Starting in July, disclosure verification will also be pursued to improve the reliability and accuracy of materials disclosed by corporations.
Im Jeong-gyu, director general for Information Protection Network Policy at the Ministry of Science and ICT, said, "The information security disclosure system is an important mechanism that allows the public to check corporations' information security status by having corporations transparently disclose their information security level," adding, "We will continue to use the disclosure system to guarantee the public's right to know, encourage corporations to expand voluntary information security investment, and work to raise the overall level of information security nationwide."
The 2026 list of corporations subject to mandatory information security disclosure can also be checked on the Ministry of Science and ICT website and the integrated information security disclosure portal.