South Korea’s AI Basic Act and the EU AI Act are the two most comprehensive AI laws in force today. Both use risk-based classification. Both apply extraterritorially. Both mandate transparency for AI-generated content. But the similarities end there. Korea’s Act has no prohibited practices, treats most obligations as voluntary, and caps AI-specific fines at $21,000. The EU bans eight categories of AI outright, mandates pre-market conformity assessment, and can fine up to 7% of global turnover. Korea dedicates 14 articles to promoting AI industry. The EU has no equivalent.
If you operate AI systems in both jurisdictions, this comparison shows where dual compliance is straightforward and where you need separate strategies.
Why Does This Comparison Matter?
Korea is the world’s 12th-largest economy and a top-5 AI investment market. The EU is the world’s largest single market with 450 million consumers. A company selling an AI diagnostic tool, credit scoring system, or content generation platform in both Seoul and Berlin faces both frameworks simultaneously. Where they align, compliance work transfers. Where they diverge, the cost doubles. [Source: AI Basic Act Art. 4; Regulation (EU) 2024/1689 Art. 2]
The comparison also matters because Korea’s law was drafted with explicit awareness of the EU model. The ECIPE characterized it as “not a progeny of Brussels,” noting that Korea made deliberate choices to diverge on enforcement, innovation support, and the role of voluntary compliance. [Source: ECIPE, Nigel Cory, 2026]
How Do the Two Frameworks Compare Side by Side?
| Dimension | Korea AI Basic Act | EU AI Act |
|---|---|---|
| In force | January 22, 2026 | Phased: Feb 2025 (prohibitions) through Aug 2027 |
| Approach | Promotion + regulation | Regulation only |
| Structure | 6 chapters, 43 articles | 13 titles, 113 articles + annexes |
| Risk categories | 11 “high-impact” sectors | 4 tiers (unacceptable, high, limited, minimal) |
| Prohibited practices | None in the Act | 8 banned uses (Art. 5) |
| Compute threshold | 10^26 FLOPs triple-criteria | 10^25 FLOPs (GPAI systemic risk) |
| Conformity assessment | Voluntary (“should endeavor”) | Mandatory pre-market (high-risk) |
| AI-specific max fine | KRW 30M (~$21K) | EUR 35M or 7% global turnover |
| Data protection fine | 10% total turnover (PIPA, Sep 2026) | 4% global turnover (GDPR) |
| Criminal penalties | Yes (Art. 42: 3 years) | No (member state discretion) |
| Innovation chapter | Yes (14 articles, Chapter 3) | No equivalent |
| Right to explanation | All AI (Art. 3(2)) | Limited (Art. 86, high-risk only) |
| Sandbox maturity | Operational since 2019 | Deadline August 2, 2026 |
| Roles defined | 4 | 5 |
| Extraterritorial | Yes (Art. 4(1)) | Yes (Art. 2(1)) |
[Source: AI Basic Act Law No. 20676; Regulation (EU) 2024/1689]
How Do the Risk Classification Systems Differ?
Korea classifies by sector. The EU classifies by use case and harm level. This structural difference means the same AI system can be classified differently in each jurisdiction.
Korea designates 11 sectors as “high-impact” (Goyanghyang Inji Neung) in Article 2(4)(a)-(k): energy, water, healthcare, medical devices, nuclear, biometric identification for criminal investigation, employment and rights-affecting decisions, transportation, government decisions, K-12 education, and a Presidential Decree expansion clause. [Source: AI Basic Act Art. 2(4)]
The EU uses four tiers. Eight practices are banned outright (Art. 5): social scoring, real-time remote biometric ID in public spaces, manipulative AI, and others. High-risk systems are listed in Annex III across eight areas. Limited-risk systems face transparency-only obligations. Minimal-risk systems face no mandatory requirements. [Source: Regulation (EU) 2024/1689 Art. 5-6, Annex III]
Where Do the Categories Overlap?
| Korea Category | EU Annex III Equivalent | Match |
|---|---|---|
| Energy supply (a) | Critical infrastructure (Area 2a) | Full overlap |
| Drinking water (b) | Critical infrastructure (Area 2b) | Full overlap |
| Healthcare (c) | Essential services (Area 5) | Full overlap |
| Medical devices (d) | MDR/IVDR + Area 5 | Full overlap |
| Nuclear facilities (e) | No equivalent | Korea only |
| Biometric ID for criminal investigation (f) | Remote biometric (Area 1) | Partial: EU broader |
| Employment/loans/rights (g) | Employment + Essential services (Areas 3-4) | Partial: Korea broader |
| Transportation (h) | Critical infrastructure (Area 2c) | Full overlap |
| Government decisions (i) | Justice and democratic processes (Area 8) | Full overlap |
| K-12 evaluation (j) | Education (Area 3a) | Partial: EU includes vocational |
| Presidential Decree (k) | Delegated acts | Similar mechanism |
| N/A | Law enforcement beyond biometric (Area 6) | EU only |
| N/A | Migration/asylum/border (Area 7) | EU only |
[Source: AI Basic Act Art. 2(4); Regulation (EU) 2024/1689 Annex III]
A system can be high-impact in Korea but not high-risk in the EU (nuclear AI), and vice versa (migration processing AI). Check both frameworks independently.
How Do Enforcement and Penalties Compare?
The penalty gap is the most cited difference between the two laws. But the comparison is more nuanced than the headline numbers suggest.
| Factor | Korea | EU |
|---|---|---|
| AI-specific max fine | KRW 30M (~$21K) | EUR 35M or 7% global turnover |
| Data protection max fine | 10% total turnover (PIPA, Sep 2026) | 4% global turnover (GDPR) |
| Combined max exposure | 10% turnover (PIPA) + KRW 30M | 7% turnover (AI Act) + 4% turnover (GDPR) |
| Criminal penalties | 3 years / KRW 30M (Art. 42) | None in the Act |
| CEO personal liability | Yes (PIPA, Sep 2026) | Member state variation |
| Model deletion power | Yes (Kakao Pay precedent, Jan 2025) | Not explicit in the Act |
| Service suspension | Yes (DeepSeek precedent, Feb 2025) | Via market surveillance authorities |
[Source: AI Basic Act Art. 42-43; PIPA amendment Feb 2026; Regulation (EU) 2024/1689 Art. 99]
The AI Basic Act’s KRW 30 million cap is, in isolation, negligible for any international company. But Korea’s enforcement threat does not come from the AI Basic Act alone. The PIPC enforces PIPA, which from September 2026 allows fines up to 10% of total turnover for serious violations. PIPA applies to any AI system processing Korean personal data. The PIPC has already imposed fines exceeding KRW 21 billion (Meta, 2024) and ordered AI model destruction (Kakao Pay/Alipay, 2025). [Source: IAPP, Mar 2026; PIPC decisions]
The combined Korean regime (AI Basic Act + PIPA) approaches EU severity for data-processing AI. For AI systems that do not process personal data, the AI Basic Act’s penalties are a fraction of the EU’s.
For the full enforcement story including model deletion orders, see our PIPC enforcement analysis.
How Do the Compute Thresholds Compare?
Both frameworks impose additional obligations on the largest AI models, but the thresholds and triggers differ.
Korea’s AI Basic Act (Art. 32) applies safety obligations when a system meets a triple-criteria test (Decree Art. 24): cumulative training compute must exceed 10^26 FLOPs, the system must use state-of-the-art technology, and it must pose broad and significant risk to life, safety, or fundamental rights. All three conditions must be met simultaneously. Compute alone is not sufficient. [Source: Decree Art. 24]
The EU AI Act (Art. 51) applies GPAI systemic risk obligations when cumulative training compute exceeds 10^25 FLOPs (one-tenth of Korea’s threshold) or when the European Commission designates a model. The EU uses a single compute trigger with a rebuttable presumption. [Source: Regulation (EU) 2024/1689 Art. 51]
| Factor | Korea | EU |
|---|---|---|
| Threshold | 10^26 FLOPs | 10^25 FLOPs |
| Ratio | 10x higher than EU | Baseline |
| Additional criteria | State-of-art tech AND broad risk | None (compute alone triggers) |
| Who it applies to | AI Development Operators | GPAI model providers |
| Rebuttable | Not specified | Yes (Art. 51(2)) |
| Review cycle | Every 3 years (Decree Art. 33) | Commission can update |
[Source: Decree Art. 24; Regulation (EU) 2024/1689 Art. 51]
Korea’s higher threshold and triple-criteria test mean fewer models are captured. As of April 2026, only a handful of frontier models worldwide exceed 10^26 FLOPs. The EU’s 10^25 threshold captures a broader set, including several Korean models (Naver’s HyperCLOVA X and Samsung’s Gauss2 are both Frontier AI Safety Commitments signatories).
How Do the Sandbox Provisions Compare?
Korea has a seven-year head start.
| Factor | Korea | EU |
|---|---|---|
| Operational since | ~2019 (pre-AI Basic Act) | Deadline August 2, 2026 |
| Types | 3: ICT, financial, industrial convergence | 1: AI regulatory sandbox (Art. 57) |
| Projects approved | 100+ (financial alone) | Spain (8 companies), Denmark (2 rounds), France CNIL (pre-Act) |
| AI-specific projects | At least 2 ICT designations (Feb 2025) | Starting |
| Duration | ICT: 2-4 years. Financial: 2+2 years | National authority determines |
| Real-world testing | Yes (financial sandbox uses real customers) | Art. 60-61 with safeguards |
[Source: AI Basic Act Art. 24; FSC; MLex Feb 2025; Regulation (EU) 2024/1689 Art. 57-63]
Korea’s sandbox system is the most mature in the world for AI testing. Companies can obtain temporary regulatory exemptions and test with real customers and real data. The EU’s sandbox framework is well-designed but largely unbuilt. Most member states have not yet established their mandatory sandboxes. [Source: EP Think Tank, Mar 2026]
For full details on Korea’s three sandbox types, eligibility, and application process, see our Korea AI Sandbox guide.
Where Does Dual Compliance Get Easier?
Four areas where compliance work transfers between jurisdictions.
Transparency. Both frameworks require disclosure when AI interacts with users and labeling of AI-generated content. A single transparency policy can cover both, with minor adjustments for Korea’s three-tier system (Art. 31) versus the EU’s Article 50 requirements.
Risk assessment methodology. Both use risk-based classification. An organization that has mapped its AI systems against the EU’s Annex III has completed most of the analytical work needed for Korea’s 11-sector assessment. The categories differ but the assessment approach is similar.
Documentation. Both require technical documentation for high-risk/high-impact systems. Korea requires 5-year retention (Art. 34(5)). EU requires 10 years (Annex IV). Building to the EU standard satisfies Korea.
Human oversight. Both mandate human oversight mechanisms. Korea requires a named contact person published on the operator’s website (Art. 34(4)). The EU requires similar measures under Article 14 with additional specificity. The EU standard covers Korea’s requirements.
Where Do You Need Separate Strategies?
Five areas where the frameworks diverge enough to require distinct compliance work.
1. Prohibited practices. Korea has none in the AI Basic Act. The EU bans eight categories (Art. 5). An AI system that is legal in Korea (such as real-time biometric identification in public spaces) may be prohibited in the EU. You cannot assume Korea-legal means EU-legal.
2. Conformity assessment. Korea uses voluntary self-regulatory certification (“should endeavor,” Art. 30). The EU mandates pre-market conformity assessment for high-risk systems (Art. 43), with third-party notified body review required for biometric systems. This is the largest single compliance cost difference.
3. Penalty planning. Korea’s combined PIPA + AI Basic Act regime and the EU’s AI Act + GDPR regime require separate financial risk modeling. PIPA’s 10% turnover (Sep 2026) exceeds GDPR’s 4% for data-intensive AI. The EU’s AI Act 7% exceeds Korea’s AI Basic Act KRW 30M by orders of magnitude.
4. Innovation incentives. Korea’s Chapter 3 offers R&D support, procurement preferences, SME assistance, and sandbox access. The EU has no equivalent in the AI Act itself (though Horizon Europe and Digital Europe provide separate funding). Take advantage of Korea’s Chapter 3 provisions if you operate there.
5. GPAI/Foundation model obligations. The EU has a dedicated GPAI framework (Chapter V, Art. 51-56) with the Code of Practice (published July 2025), systemic risk evaluations, and AI Office enforcement. Korea addresses large models through the general safety obligations (Art. 32) with its triple-criteria compute test. The EU is more prescriptive. Korea is more flexible.
What Happens Next?
Both frameworks are evolving.
Korea is in its grace period (approximately until January 2027). MSIT launched a 40-expert AI Basic Act Improvement Task Force in March 2026 to study potential amendments. The PIPA 10% turnover penalty takes effect September 2026, transforming Korea’s enforcement landscape. Watch for the first AI Basic Act enforcement actions in late 2026 or early 2027. [Source: DigitalToday, Mar 25, 2026]
The EU’s high-risk provisions apply from August 2, 2026. The Commission proposed a Digital Omnibus simplification package that could delay some deadlines by 6 months. Harmonised standards remain overdue (CEN-CENELEC targets Q4 2026). No notified bodies have been formally designated in the NANDO database. [Source: EP Think Tank, Mar 2026]
For the complete Korea framework, see our AI Basic Act guide. For the 11 high-impact sectors in detail, see our sector mapping.
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific compliance guidance.
Last verified: April 7, 2026
For a detailed breakdown of how EU penalties will work in practice, see our EU AI Act penalty analysis.
Sources
Official Sources
- AI Basic Act (Law No. 20676) via law.go.kr
- Presidential Decree No. 36053 via law.go.kr
- Regulation (EU) 2024/1689 (EU AI Act) via EUR-Lex
- PIPA amendment (Feb 12, 2026; promulgated Mar 10, 2026)
- CSET Georgetown English translation (July 2025) — Link
Analysis and Commentary
- ECIPE, Nigel Cory, “Korea’s New AI Law: Not a Progeny of Brussels” (2026) — Link
- IAPP, “South Korea Overhauls PIPA” (March 2026) — Link
- Baker McKenzie, “South Korea AI Basic Act” (February 2026) — Link
- Kim and Chang, “PIPC Guidelines on AI” (January 2026) — Link
- EP Think Tank, “AI Act National Implementation” (March 2026)
- Choi, Yo Sop, “The New AI Regulation in Korea: Problems of Jurisdictional Overlaps,” Network Law Review (Fall 2025)
Data Sources
- DigitalToday, “MSIT AI Basic Act Improvement Task Force” (March 25, 2026)
- MLex, “South Korea Designates Two AI Projects for Regulatory Sandbox” (February 13, 2025)
- FSC, Financial Regulatory Sandbox portal
Compare: EU vs South Korea
For the global keystone comparison across twelve dimensions — high-impact vs high-risk classification, mandatory vs voluntary conformity, KRW 30M vs €35M penalties, Korea’s innovation chapter, and a five-step dual-market compliance baseline — see EU vs South Korea AI Act: High-Impact vs High-Risk Compared (2026).