KATS Updates KC Rules: CNC Cybersecurity Modules Must Meet IEC 62443-4-2

Manufacturing Policy Research Center
May 07, 2026

Korea’s National Institute of Technology Standards (KATS) revised the KC certification implementation rules effective 1 May 2026, mandating IEC 62443-4-2 certification for embedded cybersecurity modules in network-connected CNC controllers, HMIs, and industrial gateways. The requirement applies to all such products entering the Korean market from 1 October 2026. Manufacturers and exporters of mid-to-high-end CNC systems—particularly those supplying to Korea from China—must treat this as a critical compliance milestone, given that over 90% of relevant Chinese exports fall within its scope.

Event Overview

On 1 May 2026, KATS published an updated KC certification notice specifying that, starting 1 October 2026, all CNC controllers, human-machine interface (HMI) terminals, and industrial gateways with network connectivity must incorporate embedded cybersecurity modules certified to IEC 62443-4-2 (Secure Product Development Lifecycle). This requirement is formally binding and publicly confirmed in KATS’ official announcement. No transitional grace period or alternative conformity pathway has been indicated in the published notice.

Which Subsectors Are Affected

Direct Exporters (CNC System Manufacturers & OEMs)
These companies are directly responsible for KC certification submission and product compliance. Since the rule targets embedded cybersecurity modules—not just standalone devices—their firmware development lifecycle, documentation, and third-party assessment processes must now align with IEC 62443-4-2. Non-compliant units will be denied KC marking and barred from import clearance in Korea.

Component Suppliers (Embedded Module & Firmware Developers)
Suppliers providing secure boot, TLS stacks, secure update mechanisms, or hardware security modules (e.g., TPM/SE chips) to CNC OEMs face upstream demand shifts. Their design documentation, vulnerability management records, and SDLC evidence packages must now meet IEC 62443-4-2 criteria—even if they do not hold KC certification themselves—as their components form part of the certified end product.

System Integrators & Distributors Serving Korean End Users
Integrators sourcing or bundling networked CNC equipment for Korean clients must verify module-level IEC 62443-4-2 certification status before delivery. Absence of valid certification may void KC compliance for the full system, exposing integrators to contractual liability and customs rejection risk.

What Relevant Companies or Practitioners Should Focus On—and How to Respond Now

Monitor official KATS guidance on certification pathways and accredited bodies

KATS has not yet published a list of Korean-accredited labs authorized to assess IEC 62443-4-2 compliance for embedded modules. Companies should track KATS’ official portal and KC certification service providers for updates on recognized testing institutions and application procedures—especially whether existing IEC 62443-4-2 certificates issued outside Korea will be accepted.

Identify affected product families and prioritize firmware/module-level documentation review

Manufacturers should map all exported CNC/HMI/gateway models with Ethernet, Wi-Fi, or cellular connectivity against the 1 October 2026 deadline. For each model, confirm whether the embedded security module (e.g., secure bootloader, encrypted communication stack) was developed under a documented, auditable SDLC—and whether supporting evidence (e.g., threat modeling reports, secure coding guidelines, patch management logs) exists and meets IEC 62443-4-2 clause requirements.

Distinguish between policy issuance and operational readiness

The 1 May 2026 notice is a formal regulatory update—not yet a live enforcement action. However, KC applications submitted after 1 October 2026 will be subject to the new rule. Companies currently preparing KC submissions should not assume legacy documentation suffices; verification against IEC 62443-4-2 Annex A (required artifacts) is advisable before submission.

Engage early with testing labs and allocate time for iterative assessment cycles

IEC 62443-4-2 assessments require evidence across multiple development phases—not just final product testing. Early engagement with labs familiar with both KC processes and IEC 62443-4-2 helps identify gaps (e.g., missing secure coding training records or incomplete vulnerability disclosure logs) before formal audit. Allow at least 12–16 weeks for initial assessment and remediation rounds.

Editorial Perspective / Industry Observation

This revision signals a structural shift, not merely a technical update, in Korea’s approach to industrial cybersecurity regulation. Rather than treating networked CNC devices as general IT equipment, KATS is applying a standards-based, lifecycle-oriented framework typically reserved for safety-critical infrastructure. This reflects broader regional alignment with IEC 62443 adoption trends in Japan (METI guidance) and the EU (Cyber Resilience Act implications), but with direct KC enforcement teeth. It is more accurately understood as a compliance threshold than a warning signal: the timeline is fixed, the scope is defined, and no industry-wide exemptions are indicated. Continued monitoring is warranted, not for potential reversal, but for clarification on mutual recognition, lab accreditation, and interpretation of ‘embedded module’ boundaries.

This update underscores that cybersecurity compliance is increasingly inseparable from market access in advanced industrial economies. For exporters, it reinforces that functional performance alone no longer determines eligibility—secure development discipline must now be demonstrable, auditable, and certified.

Information Sources

Main source: Official KC Certification Notice published by Korea Agency for Technology and Standards (KATS), effective 1 May 2026.
Points requiring ongoing observation: Accreditation status of testing laboratories for IEC 62443-4-2 under KC scheme; acceptance criteria for foreign-issued IEC 62443-4-2 certificates; official definition of ‘embedded cybersecurity module’ in context of hybrid firmware/hardware implementations.
