Ley Básica de IA de Corea del Sur
Resumen ejecutivo
Why South Korea AI Basic Act is the architectural counterpoint to Japan within Asia-Pacific
The most common framing of South Korea’s AI Basic Act describes it as Asia-Pacific’s first comprehensive AI legislation, often grouped together with Japan’s AI Promotion Act as «the APAC AI laws». The grouping captures the chronological proximity and misses the architectural divergence entirely. South Korea and Japan represent the two principal architectural alternatives for comprehensive AI legislation in Asia-Pacific, and the choice each made reflects fundamentally different national strategies.
The dominant narrative reads the AI Basic Act as a moderate version of the EU AI Act — risk-tiered, with high-impact AI obligations, transparency requirements, and administrative penalties. The reading is correct as taxonomy and incomplete as architecture. South Korea’s regulatory choice is structurally distinct from both the EU AI Act and Japan’s AI Promotion Act in three concrete ways. First, South Korea has chosen comprehensive AI legislation with binding obligations and penalties, where Japan chose comprehensive AI legislation with no penalties. Second, South Korea applies its framework extraterritorially to any AI activity affecting the Korean market regardless of geographic origin, where Japan’s framework is structured around domestic stakeholder responsibilities. Third, South Korea pairs binding regulation with strong industrial policy support (industry-building data centers, training datasets, government compute support), where Japan’s industrial policy and regulatory architecture are more cleanly separated.
This matters in three concrete ways. First, South Korea is the test case for whether risk-tiered AI regulation can work at moderate-penalty enforcement intensity: KRW 30 million administrative fines are an order of magnitude below EU AI Act fines, but the regime includes operational suspension, corrective orders, and potential imprisonment as enforcement teeth. Second, the extraterritorial reach is genuinely broad: any AI activity affecting the Korean market triggers compliance obligations, which captures any global AI vendor with Korean users. Third, the high-impact AI definition is sectoral, not horizontal: it explicitly enumerates employment, credit decisions, biometrics, healthcare, transport, and public services as high-impact sectors, leaving room for additional sectors to be defined by presidential decree. This is structurally closer to the EU AI Act Annex III approach than to a fully horizontal definition.
What makes the South Korean architecture particularly significant in 2026 is the two-track structure: sectoral high-impact AI obligations on one track, and compute-threshold-based safety obligations for high-performance AI systems on another track. The compute-threshold track focuses on lifecycle risk management for AI systems exceeding a cumulative training compute threshold, with the threshold and detailed procedures to be set through the enforcement decree. This is structurally similar to the EU AI Act’s general-purpose AI obligations and to the US Trump deregulation backlash where compute thresholds were stripped from federal AI policy after the January 2025 transition.
What South Korea represents in the global AI regulatory landscape, then, is the moderate-penalty, broad-extraterritorial-reach, sectoral-plus-compute alternative to both the EU AI Act and the Japan AI Promotion Act. The rest of this reference treats the regulatory architecture explicitly rather than measuring South Korea against EU benchmarks.
Subjective and material scope
Who is covered. The AI Basic Act applies to AI business operators — a broad category that includes both AI developers and AI deployers (or in the language used in some Korean regulatory analyses, AI providers and AI users). The Act distinguishes:
- AI developers: organizations that develop AI models or systems
- AI providers: organizations that supply AI systems and services to others
- AI users (operators): organizations that deploy AI systems in their own operations affecting Korean residents
The tripartite structure parallels the EU AI Act’s provider/deployer/importer-distributor distinction and Japan’s developer/provider/business-user distinction, with Korean-specific framing.
Geographic scope. The Act applies to any AI activity affecting the Korean market regardless of where the AI business operator is located. This extraterritorial reach captures:
- Korean organizations operating AI in Korea
- Foreign organizations selling AI products or services to Korean users
- Foreign organizations whose AI activities have material effects on Korean residents
Foreign organizations without a physical presence in Korea must designate a domestic representative in Korea responsible for compliance communication with the Ministry of Science and ICT.
Exemptions. The Act exempts AI systems developed exclusively for national defense or security purposes. Other categorical exemptions are limited.
High-impact AI systems
The Act defines high-impact AI as AI systems with potential to significantly impact human life, safety, or rights when used in specified sectors. The sectors explicitly enumerated include:
- Employment: hiring, performance evaluation, termination decisions
- Credit and financial services: lending decisions, credit scoring, financial product recommendations
- Biometrics: facial recognition, voice identification, biometric authentication
- Healthcare: diagnosis, treatment recommendation, medical decision support
- Transport: autonomous vehicles, transportation safety systems
- Public services: government service delivery, public benefit determination
Additional high-impact sectors may be defined by presidential decree, providing a mechanism for the regulatory scope to evolve without parliamentary action.
High-performance AI systems (compute-threshold track)
A second regulatory track addresses high-performance AI systems — AI systems exceeding a cumulative training compute threshold. The exact threshold is to be set through the enforcement decree. Operators of high-performance AI systems carry lifecycle risk management obligations including:
- Risk identification, assessment, and mitigation
- Risk management system establishment
- Continuous monitoring and incident response
- Documentation supporting regulatory review
The compute-threshold track is structurally analogous to the EU AI Act’s general-purpose AI obligations and reflects the global regulatory convergence on compute as a proxy for AI capability and systemic risk.
Generative AI obligations
The Act imposes transparency obligations on generative AI independent of the high-impact and high-performance classifications. Key duties include:
- Pre-use notification: prior notification when providing products or services using generative AI or high-impact AI
- Output labeling: clear labeling of AI-generated text, images, audio, and video
- Deepfake-specific labeling: AI outputs that can look or sound real require additional labeling
A related telecommunications-rule revision is bringing AI-generated advertising labeling into effect in early 2026, as part of South Korea’s broader response to the more than 96,700 illegal online ads identified in 2024 and 68,950 through September 2025 for food and pharmaceutical products.
Principal obligations under the Act
Impact assessments. Operators of high-impact AI systems must conduct comprehensive impact assessments documenting potential effects on human rights, safety, and fundamental interests. The assessments cover the AI system’s purpose, deployment context, data processed, risk identification and mitigation measures, and post-deployment monitoring.
Safety documentation throughout lifecycle. High-impact AI operators must maintain detailed safety documentation throughout the AI lifecycle — from design through deployment, monitoring, and decommissioning. The documentation must support regulatory review and audit.
Continuous risk monitoring with human oversight. Operators must implement continuous monitoring of high-impact AI systems with meaningful human oversight mechanisms. «Meaningful» excludes procedural rubber-stamping; human oversight must include genuine review capability and authority to intervene.
Pre-use notification and labeling. Pre-use notification is required when providing products or services using high-impact AI or generative AI. Generative AI outputs require clear labeling. Deepfakes require additional labeling.
Domestic representative for foreign operators. Foreign organizations without a physical presence in Korea must designate a domestic representative responsible for compliance communication with MSIT.
Compute-threshold lifecycle obligations. Operators of high-performance AI systems exceeding the compute threshold must implement comprehensive lifecycle risk management, including identification, assessment, mitigation, and continuous monitoring.
Audit readiness. All covered organizations must prepare documentation outlining safety measures, risk management processes, and incident response procedures for potential regulatory review by MSIT.
The two-track regulatory structure: sectoral plus compute
The South Korean architecture is structurally distinctive in combining two regulatory tracks that operate independently.
Track 1: Sectoral high-impact AI. Triggered by deployment in enumerated sectors (employment, credit, biometrics, healthcare, transport, public services, plus additional sectors by presidential decree). Triggers impact assessment, safety documentation, monitoring, and notification obligations.
Track 2: Compute-threshold high-performance AI. Triggered by cumulative training compute exceeding the threshold to be defined by enforcement decree. Triggers comprehensive lifecycle risk management obligations.
Track interaction. An AI system can be subject to both tracks simultaneously. A foundation model exceeding the compute threshold and deployed in healthcare diagnosis is subject to both Track 2 (compute-threshold lifecycle obligations) and Track 1 (sectoral high-impact obligations for healthcare).
This two-track design is structurally distinct from:
- EU AI Act: combines Annex III high-risk classification (sectoral) with general-purpose AI obligations (compute-related), but the high-risk classification is broader than Korea’s enumerated sectors
- Japan AI Promotion Act: uses neither sectoral nor compute-threshold triggers, relying on the AI Guidelines for Businesses’ actor categories instead
- China AI Regulation: structured by technology stack layer (algorithm, deep synthesis, generative AI service, generated content), not by sectoral or compute triggers
- Colorado AI Act: sectoral high-risk classification only, no compute-threshold track
For multinational organizations, the two-track structure means South Korea compliance work cannot be entirely subsumed within EU AI Act compliance work; the compute-threshold track may apply to Korean operations even where the EU equivalent does not.
Enforcement: moderate penalties, real escalation paths
Administrative monetary penalties. Maximum administrative fines reach KRW 30 million (~USD 21,000) per violation. This is structurally moderate compared to EU AI Act penalties (which can reach €35 million or 7% of worldwide turnover for prohibited practices). The moderate penalty cap reflects the Korean regulatory choice to combine binding obligations with industry-friendly enforcement intensity.
Operational sanctions. Beyond administrative fines, MSIT can:
- Conduct fact-finding investigations of suspected violations
- Order mandatory suspension of non-compliant AI systems
- Issue corrective orders requiring operational changes
- Pursue imprisonment for severe violations
The operational sanctions are the substantive enforcement teeth. Fact-finding investigations and corrective orders impose real operational costs even before any administrative fine is levied. Mandatory suspension of an AI system in production can be operationally devastating regardless of the financial penalty cap.
Grace period through 2026. The Ministry of Science and ICT has emphasized that 2026 focuses on guidance rather than enforcement, providing organizations a practical one-year transition period. Enforcement is expected to intensify in 2027 as the enforcement decree details finalize and MSIT moves from compliance education to active investigation.
The DeepSeek precedent. In February 2025, South Korea’s data protection authority suspended new downloads of DeepSeek, citing privacy compliance issues. The action signaled MSIT and adjacent regulators are willing to take operational enforcement action against AI services even before the AI Basic Act’s enforcement date. Foreign AI vendors operating in Korea should expect similar enforcement intensity once the AI Basic Act is in force.
The institutional architecture: National AI Committee, MSIT, KAISI
The AI Basic Act establishes a multi-tier institutional architecture for AI governance.
National AI Committee. Chaired by the President, the National AI Committee provides apex coordination across the Korean government on AI policy. The structure mirrors Japan’s AI Strategic Headquarters in placing AI policy under presidential coordination but with formal committee structure.
Ministry of Science and ICT (MSIT). Principal regulator under the Act. Responsible for enforcement, investigation, corrective orders, administrative penalties, and the AI Basic Plan that operationalizes the Act’s principles. MSIT operates the AI Basic Act Lower Statute Alignment Bureau launched in January 2025 to finalize enforcement decree details with input from working groups of experts from government, industry, academia, and legal sectors.
Korea AI Safety Institute (KAISI). Government-affiliated technical evaluation body for AI safety and risk-reduction measures. Part of the international AI Safety Institute network alongside UK AISI (rebranded AI Security Institute February 2025), US AISI, Japan AISI, Singapore AISI, Canadian AISI, and others. KAISI focuses on:
- Safety evaluation of AI systems
- Technical input to MSIT enforcement
- International AI safety coordination
- Support for compute-threshold-based safety obligations
Sectoral coordination. Beyond MSIT, sectoral regulators apply existing mandates to AI: the Personal Information Protection Commission (PIPC) for personal information protection under PIPA, the Financial Services Commission (FSC) for AI in financial services, the Ministry of Health and Welfare for AI medical devices, the Ministry of Land, Infrastructure and Transport for autonomous vehicles. The two-tier architecture (MSIT for horizontal AI regulation plus sectoral regulators for vertical sectoral application) creates a regulatory coordination challenge that MSIT is positioned to mediate.
Industrial policy support alongside regulation
A distinctive structural feature of the South Korean approach is the deliberate pairing of binding regulation with strong industrial policy support. The AI Basic Act includes provisions for:
- Government-supported data centers to support Korean AI development
- Training datasets made available for Korean AI developers
- Government compute support for AI research and development
- Industry-building incentives for Korean AI companies
The industrial policy track operates in parallel with the regulatory track. Korean AI developers benefit from government support while complying with the regulatory framework. This is structurally analogous to Canada’s CAD $2.4B AI investment package (Canadian AI Sovereign Compute Strategy + AI Compute Access Fund) but integrated within the same statute as the regulatory obligations rather than treated as separate industrial policy.
The strategic logic mirrors the broader Korean industrial policy tradition: the state plays an active role in shaping market conditions for strategic technologies, with regulation and support operating as complementary instruments rather than as opposing forces.
Intersections with other regimes
Five intersections shape how the South Korea AI Basic Act operates within the broader international AI regulatory architecture.
EU AI Act. Korean and EU AI Acts share the risk-tiered structure but differ in penalty intensity and scope of high-risk classification. Korean organizations operating in or selling AI to the EU are subject to the EU AI Act independently of Korean law. Multinational organizations can structure compliance programs that satisfy both frameworks, with EU AI Act technical documentation and fundamental rights impact assessments substantially covering Korean impact assessment requirements.
Japan AI Promotion Act. Korea and Japan represent the two architectural alternatives for comprehensive AI legislation in Asia-Pacific. South Korean organizations operating in Japan and Japanese organizations operating in Korea navigate genuinely different regulatory architectures: binding obligations with penalties in Korea, soft law with reputational enforcement in Japan. Compliance programs can be structured to satisfy both, with the Korean obligations functioning as the higher-intensity baseline.
Council of Europe Framework Convention on AI. South Korea is not a Council of Europe member but is among the non-CoE states that participated in Convention negotiations and signed the Convention on its opening day, 5 September 2024 in Vilnius. Korean ratification timing has not been announced. Korean ratification would commit Korea to substantive international obligations on human rights, democracy, and rule of law in AI design, development, use, and decommissioning.
G7 Hiroshima Process. South Korea is not a G7 member but participates as observer and partner. The Korean AI Basic Act’s transparency and safety obligations align substantively with the Hiroshima Code of Conduct, even though Korea is not formally a Code signatory.
ISO/IEC 42001 and international standards. South Korea is an active participant in ISO/IEC JTC 1/SC 42 (Artificial Intelligence). Korean national standards (KS) align substantively with ISO/IEC standards on AI. ISO/IEC 42001 certification is the principal international assurance asset available to Korean organizations seeking demonstrable AI governance posture, and is operationally aligned with the AI Basic Act’s risk management and lifecycle documentation obligations.
## ⚖️ How Zertia operates within the South Korean AI regulatory environment
>
> ### Built for Korean AI Basic Act compliance from day one
>
> Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
>
> Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and ANAB accreditation in the United States. Active accreditation processes are underway with UKAS (United Kingdom) and ENAC (Spain/EU). The South Korean AI regulatory environment — binding obligations with moderate financial penalties but real operational and criminal escalation paths, broad extraterritorial reach, two-track sectoral-plus-compute structure, grace period through 2026 with enforcement intensification in 2027 — makes accredited certification and standards-based assurance directly relevant for Korean organizations and for international organizations operating into the Korean market.
>
> Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Accredited ISO/IEC 42001 certification is the most operationally significant AI governance asset available to Korean organizations seeking international assurance recognized in EU, UK, and US markets, and to international organizations seeking demonstrable AI Basic Act compliance positioning. ISO/IEC 42001 alignment maps substantively to the Act’s tripartite operator structure (developer, provider, user), the high-impact AI lifecycle obligations, and the compute-threshold lifecycle risk management requirements. AIUC-1 provides agent-level technical assurance for AI vendors operating in Korean enterprise markets, particularly relevant for vendors subject to high-impact AI obligations in employment, credit, healthcare, or biometric sectors. ISO/IEC 27001 and ISO/IEC 27701 are the operational complements for PIPA personal information protection requirements that operate in parallel with the AI Basic Act.
>
> Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments structured to satisfy the South Korean impact assessment requirements for high-impact AI systems and the lifecycle risk management requirements for high-performance AI systems, with documentation that supports parallel EU AI Act conformity and US state AI law compliance for multinational organizations. EU AI Act Conformity Assessment is operationally relevant for Korean AI developers and providers selling AI systems into the EU and for multinational organizations integrating Korean AI components into EU-bound AI systems.
>
> Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to provide assurance evidence portable across South Korean regulatory expectations, EU AI Act requirements, Japan AI Promotion Act soft-law expectations, and US state AI laws. Particularly relevant for Korean multinationals with EU and US operations and for international organizations with Korean supply chain integration or market presence.
>
> Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the South Korean AI Basic Act explicitly, including the two-track sectoral-plus-compute structure, the high-impact AI sectoral obligations, the high-performance AI compute-threshold obligations, the generative AI labeling requirements, the domestic representative requirement, and integration with EU AI Act and ISO/IEC 42001 for organizations operating across multiple jurisdictions. Particularly relevant for legal, compliance, and AI governance teams in Korean multinationals and in international organizations with Korean operations.
>
> Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS and ENAC. Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
>
> ### 🎯 Take action
>
> | 🔍 Diagnose your gap | 📊 Build the management backbone |
> |—|—|
> | Pre-Certification Assessment → | ISO/IEC 42001 Certification → |
> | Independent diagnosis against the AI Basic Act high-impact AI obligations (in force 22 Jan 2026), MSIT guidance, and PIPC AI principles for organisations operating in or selling into Korea. | The accredited management system that operationalises Korean AI Basic Act obligations into auditable practice, with documentation portable to EU AI Act and NIST AI RMF expectations. |
>
> Discuss South Korea AI Basic Act compliance and international AI governance positioning →
Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.
¿No estás seguro de si este marco aplica a tu organización? Hablemos.
