KATS Updates KC Certification: CNC Cybersecurity Modules Must Comply with IEC 62443-4-2

On May 7, 2026, the Korean Agency for Technology and Standards (KATS) issued a new KC certification requirement (Notice No. 2026-112), mandating that all network-connected CNC equipment—including models with IoT remote monitoring or cloud-based maintenance interfaces—must integrate cybersecurity firmware modules certified to IEC 62443-4-2:2022. Effective September 1, 2026, this update directly affects manufacturers and exporters of industrial automation equipment, particularly those supplying to the Korean market, and signals a tightening of regulatory expectations for embedded device security in critical manufacturing infrastructure.

Event Overview

On May 7, 2026, KATS published Notice No. 2026-112, stipulating that, starting September 1, 2026, all CNC equipment with network connectivity (e.g., IoT remote monitoring, cloud运维 interfaces) must incorporate firmware modules validated under IEC 62443-4-2:2022. Certification requires both development lifecycle audit and penetration testing, with an average duration of 10–12 weeks. The notice is publicly available through KATS’s official regulatory bulletin system.

Industries Affected by This Update

Direct Exporters to Korea

Manufacturers exporting CNC systems to South Korea will face mandatory re-certification before shipment post-September 2026. Non-compliant devices risk rejection at customs or inability to obtain KC marking, halting market access. Impact manifests in delayed order fulfillment, increased pre-market validation costs, and potential renegotiation of delivery timelines with Korean distributors or end users.

OEMs and System Integrators

Companies integrating third-party CNC controllers or firmware into larger automated production lines must now verify upstream suppliers’ compliance with IEC 62443-4-2:2022. Absence of valid certification may invalidate their own KC certification for the integrated system, triggering redesign or revalidation efforts across product families.

Firmware Development and Security Testing Providers

Vendors offering firmware security services—including secure development lifecycle consulting and IEC 62443-4-2 conformance testing—will see increased demand from CNC equipment makers preparing for the deadline. However, capacity constraints are likely given the 10–12 week average certification timeline and limited number of accredited labs authorized for IEC 62443-4-2 assessments in Asia.

Key Points for Enterprises and Practitioners to Monitor and Act Upon

Track Official Implementation Guidance from KATS and KTL

KATS has not yet published detailed technical guidance or recognized laboratory lists specific to IEC 62443-4-2:2022 for CNC firmware. Enterprises should monitor updates from KATS and the Korea Testing & Research Institute (KTL), especially regarding acceptable evidence formats, scope definitions for ‘network-connected’ functionality, and transitional arrangements for pending applications.

Prioritize Product Lines with Korean Market Exposure and Near-Term Shipments

Exporters should identify CNC models currently certified under KC, scheduled for Korean delivery between September 2026 and March 2027, and initiate IEC 62443-4-2:2022 assessment planning immediately—accounting for the 10–12 week cycle. Delaying initiation risks missing the September 1, 2026 enforcement date for new certifications.

Distinguish Between Policy Signal and Operational Requirement

The notice establishes a hard deadline but does not specify grandfathering provisions for existing KC-certified units shipped before September 2026. Enterprises should treat the requirement as binding for all new KC applications filed on or after September 1, 2026—not as a voluntary best practice—and align internal R&D and QA roadmaps accordingly.

Prepare Firmware Documentation and Supply Chain Coordination Early

IEC 62443-4-2:2022 certification requires comprehensive documentation of secure development processes (e.g., threat modeling records, code review logs, vulnerability management workflows). Manufacturers relying on external firmware vendors must secure contractual commitments and data-sharing agreements well in advance to meet audit requirements.

Editorial Perspective / Industry Observation

Observably, this update reflects KATS’s broader shift toward embedding cybersecurity-by-design requirements into industrial equipment regulation—not just as a standalone IT concern, but as a functional safety and market access prerequisite. Analysis shows it is less a one-off revision and more a signal of convergence with global trends, including EU’s EN 50131-8 and U.S. NIST SP 800-82 updates. From an industry perspective, the 10–12 week certification lead time suggests KATS anticipates phased adoption rather than immediate full compliance, but the absence of grace periods for new applications indicates enforcement readiness. Current observability points to heightened scrutiny on firmware supply chains—not only for final OEMs, but for component-level developers whose code underpins certified modules.

Conclusion: This regulatory update formalizes cybersecurity as a non-negotiable element of KC certification for connected CNC equipment. It does not introduce novel technical concepts but enforces standardized evaluation of firmware development rigor and resilience. For stakeholders, it is best understood not as an isolated compliance checkpoint, but as a structural recalibration of how industrial control system security integrates into product lifecycle management and international market access strategy.

Source: Korean Agency for Technology and Standards (KATS), Notice No. 2026-112, published May 7, 2026. Further implementation details—including accredited laboratories and interpretation guidelines—remain pending and require ongoing monitoring.