The European Union (EU) is accelerating legislation related to cybersecurity, including the 'Network and Information Systems Cybersecurity Directive (NIS2 Directive)'. In South Korea, there have been calls to refer to the EU's legislative trends and emphasize the need for not only technological responses but also institutional responses in cybersecurity. The argument is that policies should support focusing on resilience to ensure the normal continuation of essential societal functions even in the event of large-scale cyberattacks, rather than merely blocking and punishing cyberattacks.
On the 15th, Yoon Ji-young, head of the Legal Research Team at the Korea Internet & Security Agency (KISA), stated this during a meeting with reporters in Gwanghwamun.
Yoon Ju-yeon, head of the Legal Research Team at KISA, is presenting on "Cybersecurity Directions and Implications for Building the EU Digital Future." [Photo by KISA]
Since COVID-19, the scope and risks of cyberattacks have increased across all sectors of society. The EU is discussing cybersecurity strategies in major policies such as 'Building a Digital Future', the 'European Recovery Plan', and the 'EU Security Union Strategy'. In particular, the EU enacted the 'NIS2 Directive' in January. This directive includes resilience measures to maintain essential economic and social activities even in the event of large-scale cyberattacks. Yoon said, "Previously, the focus was on how to punish cyberattacks, but the NIS2 Directive considers defense against cyberattacks and approaches it institutionally for the first time."
The 'Critical Entities Resilience Directive (CER Directive)', which came into effect in January, sets out protection obligations and recovery strategies for critical entities against all types of threats, such as natural disasters and terrorism, and cyber threats are included among them. Additionally, the 'Cyber Resilience Act (CRA)' applies cybersecurity standards to all products that have direct or indirect data connections to devices or networks, thereby strengthening corporate responsibility.
Yoon emphasized the need for a shift in perception regarding cybersecurity regulations domestically by referring to the EU. She stated that policies should support restoring essential societal functions in the event of cyberattacks. She said, "Cybersecurity is often approached technically, but the EU approaches it institutionally and normatively from a policy perspective." She explained, "For example, if a company suffers damage, it may be difficult to hold them responsible as victims, but the EU believes that if the service is socially important, the company should bear some responsibility."
Following this, Choi Young-jun, a KISA team leader, explained the Zero Trust Guideline 1.0 and Zero Trust implementation strategy. Zero Trust is a new security concept meaning 'never trust, always verify.' When users or devices request access, they are thoroughly verified and granted only the minimum necessary permissions. This concept has gained attention following the incident in which the hacker group Lapsus stole internal data from major global companies such as Nvidia and Microsoft (MS) by hijacking employee accounts. In South Korea, the Ministry of Science and ICT and KISA announced Zero Trust Guideline 1.0 reflecting the domestic environment. In the U.S., the Biden administration plans to implement a Zero Trust strategy by September next year through an executive order.
However, there are recent criticisms that Zero Trust is being distorted into a marketing term, exaggerated as a 'universal key' that can solve all security problems. Choi said, "All companies say they are implementing Zero Trust, but Zero Trust is a kind of concept," adding, "Implementing Zero Trust does not mean security becomes perfect, and there are many issues to consider after implementation. The U.S. Department of Defense has set a target period of 10 years." He added, "A strategy is needed to maintain security while minimizing inconvenience to employees."
Choi also stated, "In the second half of this year, we plan to implement Zero Trust security models in various environments such as telecommunications, finance, and public sectors through demonstration projects," and "We will enhance Guideline 1.0, including companies' own demonstration case applications."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

