Last reviewed
May 18, 2026
Sources
No citations yet
Review status
Needs citations
Revision
v1 · 4,500 words
Add missing citations, update stale details, or suggest a clearer explanation.
The South Korea AI Basic Act, officially the Framework Act on the Development of Artificial Intelligence and Establishment of a Foundation for Trust (Korean: 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법), is a comprehensive statute regulating artificial intelligence in the Republic of Korea. The National Assembly passed the Act on December 26, 2024, with bipartisan support; it was promulgated on January 21, 2025, and took effect on January 22, 2026, following a one-year preparation period.[^1][^2][^3]
The Act consolidated nineteen separate AI-related bills introduced during the 22nd National Assembly into a single framework statute. It is widely described as the world's second comprehensive AI law, following the EU AI Act, and as the first such legislation in the Asia-Pacific region.[^2][^4] The Act establishes a tiered system of obligations centered on "high-impact AI" (the Korean equivalent of the EU's "high-risk" category), generative AI, and frontier models exceeding specified compute thresholds. It also creates a national governance architecture including the National AI Committee (later renamed the National AI Strategy Committee), the AI Policy Center, and the Korea AI Safety Institute.[^5][^6]
Compared with the EU AI Act, the Korean statute imposes substantially lower administrative fines (capped at KRW 30 million, or roughly US$21,000) and contains no outright prohibitions on specific AI uses. It does, however, claim extraterritorial application to foreign companies whose AI systems affect users or markets in Korea, and it requires qualifying foreign operators to designate a domestic representative.[^7][^8]
South Korea pursued AI as a national priority for years before passing a binding statute. In December 2019, the Moon Jae-in administration released the National Strategy for Artificial Intelligence, a pan-government roadmap with the vision "Toward AI World Leader beyond IT" by 2030. The strategy organized nine strategies and 100 action tasks across three pillars: AI ecosystem development, AI utilization, and people-centered AI.[^9] The 2019 strategy set targets including generating up to KRW 455 trillion in economic impact through AI by 2030 and reaching the top three globally in digital competitiveness.[^9]
The Ministry of Science and ICT (MSIT) followed up in 2020 with National AI Ethics Standards, a non-binding set of principles, and integrated AI into the broader Digital New Deal launched in July 2020.[^10] In May 2021, MSIT announced the Strategy to Realize Trustworthy AI for Everyone, a five-year plan (2021 to 2025) built around three pillars (technology, system, ethics) and ten action items, partly in reaction to public controversies such as the 2021 Iruda chatbot incident and rising deepfake harms.[^11]
These instruments were strategies and guidelines, not law. The patchwork left enforcement under existing sectoral statutes, primarily the Personal Information Protection Act (administered by the Personal Information Protection Commission, or PIPC), the Credit Information Use and Protection Act, the Medical Devices Act, and provisions of the Public Official Election Act as amended in 2023 to address election deepfakes.[^7][^12]
A first attempt at comprehensive AI legislation began in the 21st National Assembly (2020 to 2024). Several lawmakers introduced standalone bills, and the National Assembly's Science, ICT, Broadcasting and Communications Committee approved a consolidated bill in February 2023 that adopted a "permit first, regulate later" approach. The 21st Assembly bill stalled before plenary passage amid civil-society concerns over insufficient safeguards, particularly around generative AI and deepfakes.[^4][^7]
When the 22nd National Assembly convened in June 2024, members introduced approximately twenty further AI-related bills. The Information and Communication Broadcasting Bill Review Subcommittee consolidated these into a unified Framework Act in November 2024, which then advanced to plenary.[^2][^7]
The Act was passed against a backdrop of aggressive industrial-policy commitments. In September 2024, President Yoon Suk Yeol launched the National AI Committee, a presidential committee chaired by the head of state and including roughly thirty civilian AI experts and ten ministerial-level officials, with Taejae University President Yeom Jae-ho appointed vice chair.[^13] Korean private-sector firms collectively pledged KRW 65 trillion (about US$49 billion) in AI investment through 2027, and the government raised the AI budget from KRW 1.4 trillion in 2024 to KRW 1.8 trillion in 2025, later expanding the proposed 2026 AI budget to KRW 10.1 trillion.[^13][^14]
In November 2024, MSIT formally launched the Korea AI Safety Institute (AISI) within the Electronics and Telecommunications Research Institute (ETRI) at the Pangyo Global R&D Center, joining the international network of AI safety institutes that emerged from the AI Seoul Summit of May 2024 and the preceding Bletchley summit.[^15]
The National Assembly passed the Framework Act on the Development of Artificial Intelligence and Establishment of a Foundation for Trust on December 26, 2024, in plenary session with broad bipartisan support. The vote occurred amid acute political turmoil: President Yoon Suk Yeol's brief declaration of martial law on December 3, 2024, and his subsequent impeachment on December 14, 2024, dominated the news cycle. Despite the political crisis, the bill cleared both chambers without significant opposition.[^2][^4]
The Act was promulgated on January 21, 2025, formally entering the statute books, with a built-in one-year transition period before substantive obligations took force on January 22, 2026.[^1][^3] On the eve of the effective date, MSIT confirmed that the Enforcement Decree (subordinate regulations) would also commence on January 22, 2026, after a public-comment process that ran into late 2025.[^16]
The Framework Act comprises six chapters that together combine industrial-policy promotion with regulatory obligation:[^5]
The statute's structure reflects a deliberate dual identity: roughly half of its provisions promote AI development through subsidies, infrastructure, and talent measures, while the other half imposes risk-based duties on operators of certain AI categories.[^5][^6]
Article 2 establishes the central legal definitions:[^4][^5][^17]
The Enforcement Decree adds a fourth tier known informally as high-performance AI (also referred to as frontier AI), defined as systems trained with cumulative compute of at least 10^26 floating-point operations (FLOPs). This threshold mirrors definitions used in the United States and the EU AI Act for general-purpose AI models with systemic risk.[^6][^18]
The Act and its decree enumerate ten domains where AI may qualify as high-impact, subject to confirmation through sector-by-sector criteria:[^17][^18]
This sectoral approach narrows the scope relative to the EU AI Act's Annex III, which addresses similar areas but extends to migration, law enforcement, and judicial use cases that the Korean Act treats less explicitly.[^7][^19]
All operators within the Act's scope are subject to baseline duties, including conducting initial self-assessments to determine whether their systems qualify as high-impact and designating a domestic representative when applicable thresholds are met. The Act also encourages, but does not strictly require, internal AI ethics committees for larger operators.[^7][^8]
Article 31 establishes a transparency regime for generative AI, requiring providers of generative AI products and services to:[^4][^17][^20]
The Enforcement Decree permits flexibility in how disclosures are made, including non-visible watermarking and metadata-based provenance signals, alongside more conventional on-screen labels.[^18] These rules are independent of (and stricter in some respects than) the deepfake provisions of the Public Official Election Act, which since 2023 has banned election-related deepfake content during the 90 days prior to election day with criminal penalties of up to seven years' imprisonment and fines between KRW 10 million and KRW 50 million.[^21]
Operators of high-impact AI must, under Articles 33 through 35:[^4][^17][^20]
Notification duties also apply: where a high-impact AI is used in customer-facing contexts, users must be told in advance.[^7][^17]
Operators of AI systems exceeding the 10^26 FLOPs threshold (or otherwise designated as frontier or high-performance under the decree) must implement lifecycle safety programs, deploy continuous monitoring, and report results to MSIT.[^6][^18] The Korean approach broadly parallels the systemic-risk model thresholds in the EU AI Act and the original US Executive Order 14110 on AI (since rescinded under the second Trump administration's AI Action Plan).[^7]
Article 36 codifies the Act's extraterritorial reach. The statute applies to "acts performed abroad that affect Korea's domestic market or users in Korea," a broader formulation than the EU AI Act's market-placement test.[^7][^8] Foreign operators without an office in Korea must appoint a local representative (a domestic agent registered with MSIT) if they meet any of the following thresholds, set by the Enforcement Decree:[^8][^20]
The local representative is legally responsible for responding to government inquiries, supporting safety reporting, and submitting required risk assessments. The appointing operator remains accountable for any breach by its representative.[^8] AI developed or deployed for South Korean national defense or national security purposes is exempted from the Act.[^17]
MSIT is the primary enforcement authority. The Minister of Science and ICT may investigate suspected violations on a fact-finding basis, issue corrective orders, suspend or correct breaches that pose immediate safety threats, and impose administrative fines.[^4][^17]
The Act sits alongside the existing personal-data regime administered by the Personal Information Protection Commission (PIPC), which retains de facto authority over AI systems that process personal information. This creates a dual-track regulatory environment that organizations must navigate, analogous to (but distinct from) the EU's overlapping AI Act and GDPR architecture.[^7]
The Act caps administrative fines at KRW 30 million (approximately US$21,000) per violation. Fineable conduct includes:[^4][^7][^17]
The KRW 30 million ceiling is dramatically lower than comparable penalties under the EU AI Act (up to EUR 35 million or 7% of global annual turnover for prohibited-use violations and up to EUR 15 million or 3% of turnover for most other infringements). It is also lower than under the Colorado Artificial Intelligence Act and the Texas Responsible AI Governance Act (TRAIGA), where fines can range up to US$200,000 per violation in Texas.[^22][^23]
MSIT publicly committed to a one-year grace period before enforcing administrative fines, focusing instead on guidance, voluntary compliance, and corrective dialogue during the first year of the Act's operation. This grace mechanism is set out in the Enforcement Decree's enforcement-policy provisions.[^6][^16]
The Act itself contains administrative rather than criminal penalties, but related criminal exposure exists under adjacent statutes, notably:
These criminal regimes operate independently of the Framework Act.
The Act establishes the AI Policy Center under MSIT as the strategic and analytical hub for Korea's AI policy. Its mandated functions include technical support for the Master Plan, analysis of AI's social, economic, and cultural impacts, forecasting of technology trends and legislative needs, coordination of cross-ministerial AI initiatives, and international cooperation activities.[^5][^6] Korea's National Information Society Agency (NIA) operates a dedicated Department of AI Policy that supports the Center's research function.[^24]
The Korea AI Safety Institute (AISI) was established within ETRI in November 2024, before the Framework Act took effect, but was given statutory grounding by Article 12 of the Act. AISI's mandate covers analysis of AI risks, development of safety evaluation standards and technologies, model evaluations, and international cooperation as part of the international AI Safety Institute network that includes the US AI Safety Institute, the UK AISI, and counterparts in Japan, Singapore, Canada, and others.[^15]
The presidential National AI Committee, launched in September 2024 ahead of the Act's passage, was renamed the National AI Strategy Committee in September 2025. Chaired by the President, it includes ministerial-level officials and civilian experts. The Committee approves the three-year Master Plan, sets the national AI strategy, and possesses authority to mandate cross-ministerial regulatory action.[^6][^13] Eight subcommittees cover technology and infrastructure, data, global cooperation, society, science, defense, industrial application, and public-sector use.[^6]
On September 8, 2025, MSIT released for public comment a consolidated package of subordinate regulations supplementing the Framework Act, including the Enforcement Decree and accompanying notices.[^25][^26] After a roughly 40-day comment period and revisions, MSIT issued a second legislative notice in November 2025 (running until December 22, 2025), with final adoption timed for January 22, 2026, in parallel with the Act's effective date.[^16]
The Enforcement Decree operationalizes the statute in six main areas:[^25][^26]
Civil-society organizations criticized the draft Enforcement Decree for what they viewed as an excessively narrow scope. The Digital Justice Network's Director Oh Byung-il argued that whereas the EU AI Act prohibits high-rights-risk uses such as real-time biometric identification in public spaces, Korea's framework contains no such prohibitions and the decree did not expand the list of high-impact sectors to encompass surveillance technologies like workplace monitoring or robot patrols.[^27] Rights advocates also faulted the decree's classification of organizations that "merely use" AI in critical decisions (such as hospitals applying diagnostic AI, employers using AI hiring, or banks using AI for credit) as users with limited explanatory duties, rather than as accountable deployers.[^27]
Although Korean officials have publicly described the Act as inspired in part by the EU AI Act, significant differences exist:[^4][^7][^17][^19][^28]
| Dimension | EU AI Act | Korea AI Basic Act |
|---|---|---|
| Risk tiers | Four (unacceptable, high, limited, minimal) plus separate general-purpose AI rules | Functionally three (high-impact, generative, high-performance) plus universal baseline |
| Prohibited uses | Eight prohibited categories (Article 5) | No outright prohibitions |
| High-risk scope | Detailed Annex III, including law enforcement, migration, judicial uses | Ten enumerated sectors via decree |
| Maximum fine | Up to EUR 35 million or 7% of global turnover | KRW 30 million per violation (about US$21,000) |
| Compute threshold (frontier) | 10^25 FLOPs for general-purpose AI with systemic risk | 10^26 FLOPs for high-performance AI |
| Conformity assessments | Third-party conformity for high-risk AI | Self-assessment with notification to MSIT |
| Foreign-operator scope | Market-placement test | Effects-on-Korean-market test (broader) |
| Local representative | Required for non-EU providers of high-risk AI | Required when foreign operator meets revenue or user thresholds |
| Codes of practice | GPAI Code of Practice for general-purpose AI | Industry-led standards encouraged, not codified |
Where the EU AI Act is dense, prescriptive, and heavily penalty-driven, the Korean statute is shorter, more promotional in tone, and far less punitive. Korean lawmakers and MSIT have repeatedly emphasized "minimum regulation" and a posture more friendly to industrial competitiveness, partly out of concern that Korea's leading AI firms might otherwise be disadvantaged against US and Chinese rivals.[^4][^7] Korea also lacks the EU's third-party conformity-assessment infrastructure; reliance is placed instead on self-assessment and MSIT-led inspection.
The Act emerged alongside a wave of US state-level AI legislation. The two most directly comparable state laws are:
Comparison points:[^22][^29]
Korea's major technology firms publicly endorsed the law's clarity-providing role even as they sought favorable interpretations of its provisions. Samsung Electronics, Naver, Kakao, and the three major telecommunications operators reorganized internal compliance frameworks during the 2025 transition year. Samsung positioned its on-device AI strategy as inherently aligned with the Act's data-security and privacy emphases, and Naver and Kakao expanded preexisting voluntary governance frameworks to meet the new statutory transparency duties.[^30]
Reaction from the startup community was sharper. The Korea Startup Alliance and similar bodies warned that mandatory risk-management plans, impact assessments, and the prospect of dedicated compliance personnel could disadvantage smaller firms, even with the regulatory sandboxes the Act contemplates. A Startup Alliance survey reported that only about 2% of Korean AI startups had completed formal compliance frameworks by the effective date.[^30] Trade associations from the game and content industries expressed concern that mandatory visible watermarking on generative AI outputs could weaken creative market value, prompting MSIT to allow non-visible watermarking and other alternatives in the Enforcement Decree.[^30][^16]
Coverage in Korean media identified persistent uncertainty over interpretation, particularly the absence of quantitative thresholds beyond compute for triggering "high-impact" status. Industry observers warned of a potential chilling effect, especially the obligation to re-confirm compliance for each new model version, and academic commentary urged MSIT to balance promotion against regulation.[^31]
International law firms and trade-policy analysts framed the Act primarily as a regulatory marker: the first comprehensive AI law outside the European Union, signaling that "Brussels-effect" AI regulation was diffusing into Asia.[^2][^4][^7] Western analyses generally emphasized:
The US Department of Commerce's International Trade Administration issued an advisory in 2025 highlighting US-company compliance obligations under the Act, particularly the local-representative requirement for those exceeding the revenue or user thresholds.[^1]
The Information Technology and Innovation Foundation (ITIF) published a critical assessment in September 2025 arguing that the broad statutory definition of "AI system" risked sweeping in conventional software, that compute thresholds are unreliable predictors of risk, that mandatory labeling was technically fragile, and that the National AI Strategy Committee's centralized regulatory authority risked overriding sectoral expertise.[^6]
As of mid-2026, the Act is in its grace period. MSIT has signaled that it will prioritize guidance, voluntary compliance, and corrective dialogue over punitive enforcement during the initial year. Forthcoming work expected to shape practice includes:[^5][^6][^16]
The Act is widely expected to be amended within the following Assembly term, as gaps identified during early implementation (including the human-rights and surveillance scope criticisms raised by civil society, and the foreign-firm and startup concerns raised by industry) drive a second wave of revisions.[^6][^27][^30]