AI Governance in South Korea: The AI Basic Act, Personal Information, and Sector Regulation

South Korea's AI Basic Act — second comprehensive AI law globally

On 22 January 2026, the Republic of Korea's Framework Act on the Development of Artificial Intelligence and the Establishment of a Foundation for Trustworthiness — commonly known as the AI Basic Act or AI Framework Act — came into effect. South Korea is the second jurisdiction globally (after the EU) to adopt a comprehensive AI regulatory framework, and the first in the Asia-Pacific region. The Act was promulgated on 21 January 2025 (Act No. 20676) and took effect one year later, with the Enforcement Decree (Presidential Decree No. 36053) taking effect on the same day.

South Korea has positioned its approach as balancing industrial promotion with risk-based regulation. The Act consolidates 19 separate AI bills into a unified framework that covers research funding, talent programs, AI safety institute establishment, transparency obligations, and high-impact AI risk management. The drafting reflects deliberate departure from the EU's prohibition-heavy approach — South Korea's government has stated it will "prioritise promotion over regulation," with penalty enforcement delayed by at least one year after the Act's implementation.

Scope and applicability

The AI Basic Act applies to both domestic and foreign organisations providing AI systems to Korean users. For foreign AI businesses, the Act requires designation of a Korean representative to liaise with the government — closing a gap that previously allowed unrelated third parties to be designated as domestic agents in formal compliance arrangements without meaningful accountability. The amendment to the Personal Information Protection Act (PIPA) domestic representative system, effective from 1 April 2025, requires foreign companies with established business units in South Korea to designate those local entities as their representatives.

Key obligations under the Act

Transparency and disclosure (Article 31). AI business operators providing products or services using generative AI or high-impact AI must inform users in advance that AI is being used. Where AI-generated outputs may be difficult to distinguish from non-AI content, the operators must label or otherwise indicate that the output is AI-generated. The Enforcement Decree Article 23 details watermarking and labelling requirements for generative AI outputs.

High-impact AI risk management (Article 32). AI business operators must identify, assess, and mitigate risks for AI systems where cumulative computing used for learning exceeds prescribed standards. The Enforcement Decree sets the technical threshold: AI systems trained with at least 10²⁶ floating-point operations (FLOPs), incorporating state-of-the-art AI technology, and presenting material risk of significant impact. This threshold is broadly comparable to the EU AI Act's general-purpose AI model thresholds and US Executive Order frontier model definitions, though South Korea's implementation is less prescriptive.

High-impact AI sectoral applications. The Act introduces specific obligations for "high-impact" AI systems in critical sectors including healthcare, energy, and public services. Digital medical devices are specifically addressed under Article 2(4)(d), which takes effect from 24 January 2026 — three days after the broader Act's effective date — to allow for medical device regulatory coordination.

Personal Information Protection Act (PIPA) continues to apply. The PIPC has published its Policy Roadmap for 2025 outlining specialised oversight provisions for AI development. The PIPC Notice on Personal Information Impact Assessment was amended effective September 2025 to add explicit AI-related subfields for public institutions' privacy impact assessments. The PIPC's Work Direction for 2025 includes preliminary onsite inspections of AI-powered services including AI agents.

Governance architecture

Two institutions established in 2024 form the backbone of South Korea's AI assurance ecosystem. The National AI Committee, operating under the President's Office, serves as the central coordinating body for national AI policy — implementing the national AI strategy, driving public-private collaboration, harmonising regulatory approaches across ministries, and representing South Korea in international AI governance initiatives. The AI Safety Institute is a dedicated research centre responsible for evaluating advanced AI models, developing safety benchmarks, and addressing deepfake and frontier AI risks. The Ministry of Science and ICT (MSIT) is the primary regulatory ministry, with delegated authority to issue subordinate regulations and guidelines.

Civil society and industry response

The draft Enforcement Decree was open for public comment for 40 days, until 22 December 2025, ahead of the Act's full implementation. Civil society organisations including the Digital Justice Network criticised the regulation as "virtually non-existent," arguing the "high-impact AI" definition is too narrow and that penalty deferment removes immediate compliance pressure. Industry voices pushed back that further regulation would hinder AI competitiveness. The MSIT has taken an iterative approach — considering stakeholder feedback through the decree finalisation process while signalling a regulator's intent to prioritise development.

One contrast with the EU AI Act is notable: South Korea's law does not outright ban categories of AI that the EU prohibits (facial recognition in public spaces, exploitation of vulnerabilities, emotion recognition in workplaces and schools). South Korea's approach is closer to disclosure and risk management requirements rather than prohibition.

Additional regulatory frameworks

Generative AI Service User Protection Guideline (February 2025) — published by the Korea Communications Commission (KCC) as a practical voluntary framework aimed at preventing user harm from generative AI services. Principles include human-centeredness, explainability, safety, and accountability.

AI Security Guide (December 2025) — published by MSIT and the Korea Internet & Security Agency (KISA), this provides a framework for securing AI models and services against cyber threats, outlining 113 security requirements across the AI lifecycle. The guide operationalises aspects of the AI Basic Act's risk management obligations.

February 2025 DeepSeek action — the PIPC temporarily suspended new downloads of the Chinese generative AI application DeepSeek over concerns about potential breaches of PIPA. This signalled the PIPC's willingness to take action against foreign AI services on data protection grounds.

What organisations operating in or supplying South Korea should do

Map AI systems against AI Basic Act applicability. Determine which systems are "high-impact" (sector and risk-based) and which involve generative AI outputs requiring labelling. For non-Korean entities supplying AI to Korean users, designate a qualified Korean representative — and ensure that representative has the authority and resources to engage meaningfully with regulators. Update PIPA compliance documentation to address AI-specific processing under the PIPC's 2025 guidelines. For systems triggering the 10²⁶ FLOPs threshold or close to it, implement risk management documentation aligned with the Act's Article 32 requirements. Track Enforcement Decree finalisation closely — the technical details that determine compliance scope are still being refined through stakeholder consultation. Consider ISO/IEC 42001 implementation as a defensible international standard that maps to South Korea's emerging requirements. Implement AI Trust Mark certification (the voluntary scheme being developed under the Act) where it provides market differentiation.

Primary sources: Library of Congress — South Korea AI Basic Act · US International Trade Administration