この記事は現在英語でのみご利用いただけます。
Asia-Pacific AI Governance — What Companies Operating Across APAC Need to Know
A practical overview of AI governance obligations across the Asia-Pacific region: Australia, Japan, South Korea, Singapore, India, China, New Zealand, Hong Kong, and ASEAN member states.
Key Takeaways
APAC has no unified AI governance framework. Each jurisdiction takes a different approach — from Japan's framework law to China's layered regulation to Singapore's voluntary model.
Three jurisdictions now have AI-specific legislation: Japan (AI Promotion Act, June 2025), South Korea (AI Basic Act, January 2026), and China (Generative AI Measures, August 2023).
Data protection laws are the primary binding AI governance mechanism across APAC: PIPL (China), PDPA (Singapore), Privacy Act (Australia/NZ), APPI (Japan), PIPA (South Korea), DPDP Act (India).
Financial services regulators are the most active sector-specific AI regulators across APAC: MAS (Singapore), APRA (Australia), RBI (India), FSA (Japan), FSC (South Korea).
Companies operating across APAC must build governance frameworks satisfying multiple overlapping requirements — a unified approach is more efficient than jurisdiction-by-jurisdiction compliance.
"情報提供のみを目的としています。この記事は法律、規制、財務または専門的なアドバイスを構成するものではありません。具体的なアドバイスについては、資格を持つ専門家にご相談ください。"
The APAC AI governance landscape in 2026
Asia-Pacific is the most diverse AI regulatory environment in the world. There is no regional equivalent of the EU AI Act. Each jurisdiction has taken its own path, reflecting different legal traditions, economic priorities, and governance philosophies. For companies operating across APAC, this creates a patchwork compliance challenge — but also an opportunity to build governance frameworks that satisfy all jurisdictions simultaneously.
Jurisdiction overview
Australia. No standalone AI law. APRA CPS 230 (operational risk, 1 July 2025) applies to AI vendors in financial services. Privacy Act ADM transparency obligation effective 10 December 2026. Voluntary AI Safety Standard. ASIC REP 798 on AI governance gaps. NSW WHS Amendment (Digital Work Systems) Act 2026 for worker-facing AI.
Japan. AI Promotion Act (passed 28 May 2025, in force 4 June 2025) — first AI-specific statute, fundamental law with no penalties. METI/MIC AI Guidelines for Business V1.1 (March 2025) — operational reference. AI Basic Plan (December 2025). APPI for data protection. PMD Act for medical AI devices.
South Korea. AI Basic Act (Act No. 20676, promulgated 21 January 2025, effective 22 January 2026). Risk-based with mandatory transparency and assessment for high-impact AI. PIPA for data protection. Financial Services Commission regulation of AI in financial services.
Singapore. Voluntary frameworks (Model AI Governance Framework, three editions through Agentic AI 2026). PDPA with March 2024 Advisory Guidelines on AI. MAS AI Risk Management Guidelines (consultation November 2025, expected finalised 2026). AI Verify testing toolkit.
India. No standalone AI law. DPDP Act 2023 and Rules 2025 (notified 13 November 2025). RBI FREE-AI Framework for financial services. IndiaAI Mission with significant investment.
China. Layered regulation: PIPL + CSL + DSL plus Algorithm Recommendation Measures, Deep Synthesis Provisions, and Generative AI Measures. CAC filing required for generative AI. Approximately 350 LLMs filed. Active enforcement.
New Zealand. Privacy Act 2020. Algorithm Charter for Aotearoa NZ (voluntary, government agencies). Te Tiriti o Waitangi considerations for Maori data sovereignty.
Hong Kong. PDPO (Personal Data (Privacy) Ordinance) administered by the PCPD. Ethical AI Framework (voluntary). The PCPD has issued guidance on AI and personal data. HKMA regulation of AI in banking.
ASEAN. ASEAN Guide on AI Governance and Ethics (February 2024) provides regional principles. Implementation varies significantly across member states. Thailand (PDPA 2022), Indonesia (UU PDP 2024), Philippines (Data Privacy Act 2012), Malaysia (PDPA 2010) — all have data protection laws that apply to AI.
Common themes across APAC
Data protection as primary governance mechanism. In every APAC jurisdiction, data protection law is the binding framework that most directly regulates AI. Building AI governance on data protection compliance is the most efficient starting point.
Financial services leading. Financial services regulators (MAS, APRA, RBI, FSA, FSC, HKMA) are consistently ahead of general regulation in AI governance expectations. Financial services AI governance can serve as a template for other sectors.
Voluntary frameworks matter. In jurisdictions without binding AI law (Singapore, Hong Kong, pre-2025 Japan), voluntary frameworks function as the standard of care that courts and regulators reference. Non-compliance with voluntary frameworks creates soft risk even without formal penalties.
Building a unified APAC governance framework
Rather than maintaining separate compliance processes for each jurisdiction: build on ISO/IEC 42001 as the management system framework; map jurisdiction-specific requirements as overlays; use the most restrictive requirement as the baseline where jurisdictions conflict; maintain a regulatory monitoring function for APAC developments; implement data protection compliance as the foundation layer, then add AI-specific controls on top.
Primary sources: ISO/IEC 42001 · ASEAN Guide on AI Governance
Related reading
Japan AI Governance Guide · South Korea AI Basic Act · Singapore PDPA Business Guide · China AI Governance