South Korea AI Basic Act: Article-by-Article English Guide

South Korea’s AI Basic Act (Inji Neung Gibonbeop, Law No. 20676) took effect on January 22, 2026, making it the first comprehensive AI law in Asia. The Act establishes a risk-based framework with 11 high-impact sectors, mandatory transparency obligations, a presidential-level AI Committee, and regulatory sandboxes that have been operational since 2019. But the only full English translation is a CSET Georgetown PDF, and no practitioner-oriented guide exists in English.

This article breaks down every chapter of the Act in plain language with compliance implications for each provision. If your AI system serves the Korean market, this is your reference.

Key Takeaways

  • The AI Basic Act covers 43 articles across 6 chapters. It took effect January 22, 2026 with an approximately one-year grace period before full enforcement.
  • Eleven sectors are classified as “high-impact AI,” triggering mandatory transparency, risk management, and human oversight obligations. These include healthcare, finance, transportation, education, and government decision-making.
  • Most compliance obligations use “noryeok hayeoya” (should endeavor) language, meaning they are soft duties. But three provisions are mandatory: transparency (Art. 31), safety for compute-heavy systems (Art. 32), and domestic representative requirements for foreign operators (Art. 36).
  • The AI Basic Act’s maximum administrative fine is KRW 30 million (~$21,000). The real enforcement threat comes from Korea’s data protection law (PIPA), which allows fines up to 10% of total turnover from September 2026.
  • Korea’s approach is explicitly promotional. Chapter 3 dedicates 14 articles to industry support, R&D funding, sandbox programs, and government procurement preferences for AI. No other national AI law has an equivalent innovation chapter.

[Source: AI Basic Act Law No. 20676, effective Jan 22, 2026; CSET Georgetown translation, Jul 2025]

What Is the AI Basic Act and Why Does It Matter?

The AI Basic Act is Asia’s first binding, comprehensive AI law enacted at the parliamentary level. South Korea’s National Assembly passed it on January 21, 2025. It entered force exactly one year later on January 22, 2026, with an implementing decree (Presidential Decree No. 36053, 33 articles) published the same day. [Source: law.go.kr]

Three facts make this law significant for any organization deploying AI in or serving the Korean market.

First, it applies extraterritorially. Article 4(1) extends the Act’s reach to AI activities outside Korea that affect the domestic market or Korean users. Foreign operators meeting revenue or user thresholds must designate a domestic representative (Art. 36). [Source: AI Basic Act Art. 4(1), Art. 36]

Second, Korea is the world’s 12th-largest economy and a top-5 AI investment market. Samsung, Naver, Kakao, SK Telecom, and LG AI Research are building foundation models that serve global markets. The regulatory framework governing these companies affects the entire AI supply chain. [Source: Trade.gov, 2026]

Third, the Act was amended just one day before taking effect. On January 20, 2026, amendments added AI Responsibility Officers (Art. 10(4)), AI Research Institutes (Art. 22-2), and government procurement preferences (Art. 16(3-5)). This signals active legislative development during the grace period. [Source: law.go.kr amendment record]

What Does Each Chapter of the Act Cover?

The Act has 6 chapters and 43 articles. Here is what each chapter establishes and what it requires from organizations.

What Do the General Provisions Establish?

Chapter 1 (Articles 1-5) defines the Act’s scope, purpose, and key terms. Article 2 defines 12 terms including AI, AI System, High-Impact AI (11 categories), Generative AI, and four distinct roles in the AI value chain. [Source: AI Basic Act Art. 2]

Article 3 establishes a right to explanation: “Affected persons shall be able to receive clear and meaningful explanations about the main criteria and principles used in AI’s final result derivation, within technically and reasonably feasible scope” (Art. 3(2)). This applies to all AI systems, not just high-impact ones. [Source: AI Basic Act Art. 3(2); CSET Georgetown translation]

Article 4 makes the Act extraterritorial and exempts AI used exclusively for national defense, security, or cryptographic purposes. The defense exemption covers three designated agencies: the Ministry of National Defense, the National Intelligence Service, and the National Police Agency (Decree Art. 2). [Source: AI Basic Act Art. 4; Decree Art. 2]

How Does the AI Policy Framework Work?

Chapter 2 (Articles 6-12) creates the governance architecture. The centerpiece is the National AI Strategy Committee (Art. 7), a presidential-level body with up to 60 members, chaired by the President. The majority must be private-sector experts, and gender diversity is required. The Committee has a 5-year sunset clause (Art. 7(13)). [Source: AI Basic Act Art. 7]

The Committee’s recommendations carry real weight. Article 8(3) requires national institutions to respond to Committee recommendations, creating a mandatory feedback mechanism even though the Committee itself has no direct enforcement power. [Source: AI Basic Act Art. 8(3)]

Korea also established the AI Safety Research Institute (K-AISI) under Article 12, operationally launched in November 2024 under the Electronics and Telecommunications Research Institute (ETRI) in Pangyo. K-AISI evaluates AI safety risks, conducts research, and coordinates with partner safety institutes globally including the UK, US, Japan, Singapore, and EU. [Source: ETRI official site; Korea Times, Nov 27, 2024]

How Does Korea Promote AI Industry?

Chapter 3 (Articles 13-26) is what makes the AI Basic Act unique among global AI laws. No other national AI legislation dedicates an entire chapter to industry promotion. The EU AI Act is purely regulatory. Vietnam’s AI Law includes innovation provisions but not at this scale. [Source: AI Basic Act Chapter 3; Baker McKenzie, Feb 2026]

Key provisions: Article 13 funds R&D. Article 14 promotes standardization. Article 15 mandates a training data management platform. Article 16(3) creates a government procurement preference for AI products, effective July 21, 2026. Article 17 provides special compliance support for SMEs. Article 24 builds shared testing infrastructure. Article 25 develops AI data centers. [Source: AI Basic Act Art. 13-25]

Our view: Chapter 3 is the clearest signal that Korea’s regulatory philosophy is “develop AND regulate” rather than “regulate to protect.” Organizations should use the SME support (Art. 17) and sandbox infrastructure (Art. 24) during the grace period.

What Counts as High-Impact AI?

Chapter 4 (Articles 27-36) is the core compliance chapter. It establishes the obligations that matter most for practitioners.

Article 31 creates three tiers of mandatory transparency obligations. First, operators of high-impact and generative AI must notify users before use that the product or service is AI-based (Art. 31(1)). Second, generative AI outputs must be labeled as AI-generated (Art. 31(2)). Third, realistic AI-generated content must carry clear labels, with an exception for artistic or creative works (Art. 31(3)). Transparency guidelines were published on January 22, 2026, alongside the Act. [Source: AI Basic Act Art. 31; Kim and Chang, Jan 2026]

Article 32 imposes safety obligations on AI systems exceeding a compute threshold. The Implementing Decree (Art. 24) sets this as a triple-criteria test: cumulative training compute must exceed 10^26 FLOPs, the system must use state-of-the-art technology, and it must pose broad and significant risk. All three conditions must be met simultaneously. Compute alone is not sufficient. This threshold is 10 times higher than the EU AI Act’s 10^25 FLOPs for GPAI systemic risk. [Source: Decree Art. 24; CSET Georgetown translation]

Article 34 imposes six mandatory duties on high-impact AI operators: (1) a risk management plan, (2) an explanation mechanism, (3) a user protection plan, (4) human oversight with named contact, (5) documentation retention for five years, and (6) any additional matters from the AI Committee. These must be published on the operator’s website. [Source: AI Basic Act Art. 34; Decree Art. 27]

Article 35 requires impact assessments, but with critical nuance: it uses “noryeok hayeoya” (should endeavor), making this a soft duty, not mandatory. Seven items must be covered if an assessment is conducted, including affected groups, rights types, mitigation measures, and improvement plans. [Source: AI Basic Act Art. 35; Decree Art. 28]

What Are the Ethics and Trustworthiness Requirements?

Articles 27-30 address ethics and voluntary certification. Article 27 directs the government to publish AI ethics principles. Article 28 encourages private self-regulatory ethics committees. Article 30 establishes voluntary verification and certification, again using “noryeok hayeoya” language. [Source: AI Basic Act Art. 27-30]

The government procurement preference (Art. 16(3)) creates a practical incentive: organizations that voluntarily certify their AI systems receive priority consideration for government contracts. This soft approach contrasts with the EU’s mandatory conformity assessment.

What Are the Penalties and Enforcement Mechanisms?

Chapter 6 (Articles 42-43) sets penalties that are, by global standards, low for AI-specific violations.

Article 42 imposes criminal penalties of up to 3 years imprisonment or KRW 30 million for leaking Committee secrets. Article 43 sets administrative fines of up to KRW 30 million (~$21,000 at 1 USD = 1,460 KRW) for three violations: failing to notify users about high-impact or generative AI (Art. 31(1)), failing to designate a domestic representative (Art. 36(1)), or failing to comply with MSIT cessation or correction orders (Art. 40(3)). [Source: AI Basic Act Art. 42-43]

Article 40 gives MSIT investigation powers: it can investigate, inspect premises, and order cessation or correction of non-compliant AI operations. [Source: AI Basic Act Art. 40]

The AI Basic Act’s KRW 30 million cap looks negligible next to the EU AI Act’s EUR 35 million or 7% of global turnover. But this comparison is incomplete. Korea’s Personal Information Protection Act (PIPA) was amended in February 2026 to allow fines up to 10% of total turnover for serious violations, effective September 11, 2026. PIPA also introduces CEO personal supervisory liability. Any AI system processing Korean personal data faces the PIPA enforcement regime alongside the AI Basic Act. The PIPC has already imposed fines exceeding KRW 15 billion on Korean tech companies. [Source: IAPP, Mar 2026; PIPA amendment Feb 12, 2026]

We recommend treating the PIPA penalty track as the primary enforcement risk for AI companies in Korea.

Which 11 Sectors Are Classified as High-Impact?

Article 2(4) defines “High-Impact AI” (Goyanghyang Inji Neung) as AI systems posing significant risk to life, physical safety, and fundamental rights in 11 designated domains.

Ref | Sector | Real-World Examples
(a) | Energy supply | KEPCO AI grid management
(b) | Drinking water production | K-Water AI quality monitoring
(c) | Healthcare provision | Hospital AI triage, AI-assisted diagnosis
(d) | Medical devices and digital medical products | Lunit INSIGHT CXR (chest X-ray, 97-99% accuracy), VUNO Med-Chest X-ray
(e) | Nuclear facilities management | Korea Hydro and Nuclear Power AI safety monitoring
(f) | Biometric ID for criminal investigation | National Police Agency forensic AI, facial recognition
(g) | Employment, loan screening, and rights-affecting decisions | Kakao Bank/Toss credit scoring, Samsung SDS HR analytics, Coupang workforce management
(h) | Transportation systems | Hyundai autonomous driving, Naver Labs delivery robots
(i) | Government decisions affecting citizens | Welfare eligibility AI, tax assessment, KRX market monitoring
(j) | K-12 student evaluation | AI tutoring platforms, automated essay grading
(k) | Other areas by Presidential Decree | No additional areas designated as of April 2026

[Source: AI Basic Act Art. 2(4)(a)-(k)]

Category (g) is the broadest: it covers any AI used for “employment, loan screening, and other decisions significantly affecting individual rights and obligations.” Most B2B AI products touching HR, credit, insurance, or customer service in Korea qualify. For a detailed sector-by-sector breakdown, see our High-Impact AI: 11 Sectors Mapped.

What Obligations Apply to Developers, Deployers, and Users?

The Act defines four roles with different obligations.

Obligation | Development Operator | Utilization Operator | User
Risk management plan (Art. 34(1)) | Must create | Must implement | N/A
Explanation mechanism (Art. 34(2)) | Must build | Must maintain | Can request (Art. 3(2))
User protection plan (Art. 34(3)) | Must design | Must implement | Protected
Human oversight (Art. 34(4)) | Must enable | Must operate, name contact | N/A
Documentation (Art. 34(5)) | Must create (5-year retention) | Must maintain | N/A
Transparency (Art. 31) | Must label generative outputs | Must notify users before use | Must be notified
Impact assessment (Art. 35) | Should endeavor (soft) | Should endeavor (soft) | N/A
Domestic representative (Art. 36) | Must designate if thresholds met | Must designate if thresholds met | N/A
Safety (Art. 32) | Must comply if compute threshold met | N/A | N/A

[Source: AI Basic Act Art. 31-36; Decree Art. 27-29]

Foreign operators must designate a domestic representative if they meet any threshold: total revenue KRW 1 trillion or more (~$685 million), AI service revenue KRW 10 billion or more (~$6.85 million), 1 million or more daily Korean users, or prior fine. [Source: AI Basic Act Art. 36; Decree Art. 29]

What Is the AI Committee and What Powers Does It Have?

The National AI Strategy Committee (Art. 7) sits under the President with up to 60 members. The President chairs it. The majority must be private-sector, and gender diversity is required. It has a 5-year sunset, expiring around January 2031. [Source: AI Basic Act Art. 7]

The Committee deliberates on the National AI Basic Plan, high-impact AI regulation, investment strategy, and international norms. Its recommendations require mandatory institutional response (Art. 8(3)). But it cannot issue fines, order compliance, or suspend operations. Those powers belong to MSIT (Art. 40) and PIPC (under PIPA). [Source: AI Basic Act Art. 7-8]

Three agencies share enforcement: MSIT enforces the AI Basic Act, PIPC enforces data protection for AI systems processing personal data, and KFTC handles competition issues. PIPC’s 10% turnover fines dwarf MSIT’s KRW 30 million cap, creating a de facto authority imbalance. [Source: Choi, Network Law Review, Fall 2025]

How Does the Regulatory Sandbox Work?

Korea’s AI sandbox infrastructure predates the AI Basic Act by several years. Three sandbox programs have been operational since approximately 2019, and the Act reinforces them through Article 24. [Source: AI Basic Act Art. 24]

The ICT Regulatory Sandbox (administered by MSIT) is the primary program for AI. It grants temporary regulatory exemptions for 2-4 years. In February 2025, the government designated two AI-specific projects: one for AI using CCTV video data and another for AI on financial intranets with sensitive data. [Source: MLex, Feb 13, 2025]

The Financial Regulatory Sandbox (FSC) has processed over 100 designations since April 2019. A 2026 Fintech AI Development Program offers up to KRW 350 million in subsidies for AI in financial services. [Source: FSC; Pertama Partners, Feb 2026]

Korea’s sandbox system is approximately seven years ahead of the EU, where most member states have not yet established mandatory AI sandboxes (deadline: August 2, 2026). For full details, see our South Korea AI Sandbox guide.

How Does Korea’s AI Basic Act Compare to the EU AI Act?

Dimension | Korea | EU
Approach | Promotion + regulation | Regulation only
Risk categories | 11 high-impact sectors | 8 Annex III areas + prohibited
Prohibited practices | None explicitly | 8 banned uses (Art. 5)
Compute threshold | 10^26 FLOPs triple-criteria | 10^25 FLOPs (GPAI systemic risk)
Conformity assessment | Voluntary | Mandatory pre-market
Max AI-specific fine | KRW 30M (~$21K) | EUR 35M / 7% turnover
Data protection fine | 10% turnover (PIPA, Sep 2026) | 4% turnover (GDPR)
Criminal penalties | Yes (Art. 42) | No
Innovation chapter | Yes (14 articles) | No equivalent
Right to explanation | All AI (Art. 3(2)) | Limited (Art. 86)
Sandbox maturity | Operational since 2019 | Deadline Aug 2026

[Source: AI Basic Act; Regulation (EU) 2024/1689]

The most important structural difference: Korea has no equivalent to the EU’s prohibited practices (Art. 5). Korea does not ban social scoring, real-time biometric identification, or manipulative AI through the AI Basic Act. These activities are regulated through separate laws. For a full comparison, see our South Korea vs EU AI Act analysis.

What Is the Implementation Timeline?

Date | Event | Days from Apr 7
Jan 22, 2026 | Act + Decree take effect. Transparency Guidelines published | Passed (76 days ago)
Jul 21, 2026 | Government procurement preference (Art. 16(3)) | 105 days
Sep 11, 2026 | PIPA 10% turnover penalty takes effect | 157 days
~Jan 2027 | Grace period ends. Full enforcement expected | ~290 days
Jan 1, 2029 | First regulatory re-review (Decree Art. 33) | ~998 days

[Source: AI Basic Act; Decree Art. 33; PIPA amendment Feb 2026]

MSIT launched a 40-expert AI Basic Act Improvement Task Force in late March 2026, signaling active calibration during the grace period. [Source: DigitalToday, Mar 25, 2026]

What Should You Do Now?

  1. Map your AI systems to the 11 high-impact categories. If any fall into Article 2(4)(a)-(k), Chapter 4 obligations apply. Category (g) is the broadest. Start with a self-assessment under Article 33.
  2. Distinguish soft from hard obligations. Impact assessments (Art. 35) and certification (Art. 30) are “should endeavor.” Transparency (Art. 31), safety for compute-heavy systems (Art. 32), and domestic representative (Art. 36) are mandatory.
  3. Prepare for PIPA enforcement, not just AI Basic Act fines. If your AI processes Korean personal data, the 10% turnover penalty under PIPA (effective September 2026) is your primary financial risk.
  4. Appoint a domestic representative if you meet the thresholds. Revenue KRW 1 trillion or more, AI service revenue KRW 10 billion or more, 1 million or more daily Korean users, or a prior fine.
  5. Use the sandbox infrastructure. Korea’s ICT, financial, and industrial convergence sandboxes are operational now. The SME support provisions (Art. 17) include compliance assistance. For how to apply, see our sandbox guide.

For enforcement trends, see our PIPC enforcement analysis.


Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified Korean legal counsel for jurisdiction-specific compliance guidance.

Last verified: April 7, 2026


Sources

Official Sources

  • AI Basic Act (Law No. 20676) via law.go.kr
  • Presidential Decree No. 36053 via law.go.kr (January 22, 2026)
  • CSET Georgetown, “Framework Act on the Development of Artificial Intelligence” (English translation, July 2025)

Analysis and Commentary

  • IAPP, “South Korea Overhauls PIPA and Ties Fines to CEO Accountability” (March 2026)
  • Baker McKenzie, “South Korea’s AI Basic Act” (February 2026)
  • Kim and Chang, “PIPC Releases Guidelines on AI” (January 2026)
  • OneTrust, “South Korea’s AI Basic Act” (2026)
  • Trade.gov, “South Korea AI Basic Act” (2026)
  • Schellman, “Guide to South Korea’s AI Basic Act” (2026)
  • ECIPE, Nigel Cory, “Korea’s New AI Law: Not a Progeny of Brussels” (2026)
  • Choi, Yo Sop, “The New AI Regulation in Korea: Problems of Jurisdictional Overlaps,” Network Law Review (Fall 2025)

Data Sources

  • Korea Times, “AI Safety Research Institute Launch” (November 27, 2024)
  • MLex, “South Korea Designates Two AI Projects for Regulatory Sandbox” (February 13, 2025)
  • DigitalToday, “MSIT AI Basic Act Improvement Task Force” (March 25, 2026)
  • Pertama Partners, “Korea Fintech AI Development Program” (February 2026)

Compare: EU vs South Korea

For the global keystone comparison across twelve dimensions — high-impact vs high-risk classification, mandatory vs voluntary conformity, KRW 30M vs €35M penalties, Korea’s innovation chapter, and a five-step dual-market compliance baseline — see EU vs South Korea AI Act: High-Impact vs High-Risk Compared (2026).


Reg Intel
Published: April 7, 2026 · Updated: May 1, 2026
Source: https://reg-intel.com/south-korea-ai-basic-act-english-guide/