What is AI regulation in South Korea?
Global AI regulation
As of 5 June 2026, AI regulation in South Korea is built around the AI Basic Act, its Enforcement Decree, and ministry guidance issued when the regime took effect on 22 January 2026. The model is not a full licensing system for all AI. It combines industrial support with a narrower trust layer: transparency duties for generative and high-impact AI, safety duties for only the most advanced systems, added responsibilities for high-impact uses, and a domestic representative rule for certain foreign providers.
What this means
South Korea now has a national AI framework law in force. In practice, that means organisations need to look at one core statute, one implementing decree, and guidance from the Ministry of Science and ICT, usually called MSIT, to understand what is expected.
The Korean model is more selective than the EU AI Act. It does not put every AI system into a detailed compliance ladder. Instead, it focuses on a few practical questions. Are you directly providing a generative AI product or service to users. Are you in a high-impact use case such as recruitment, lending, healthcare, transport or public services. Are you building or operating an exceptionally advanced model that crosses the decree's safety threshold.
That makes the regime easier to misunderstand. The law is already in force, but MSIT has also said it will apply an at least one-year grace period before ordinary fact-finding investigations and penalties, except in highly exceptional cases involving severe harm. At the same time, a further decree amendment has been proposed for July 2026, so the current position needs to be read carefully and by date.
Why it matters
For organisations buying, building, deploying or governing AI in South Korea, the stakes are practical rather than theoretical. Product teams need notice and labelling flows for generative AI. Risk and governance teams need a way to decide whether a service is "high-impact AI" and, if it is, to keep evidence of risk management, user protection, human oversight and explanation practices. Frontier model developers need to test whether they cross the separate safety threshold for very advanced systems. Foreign providers may also need a Korean domestic representative.
The law also matters because it sits at the junction between market trust and market access. Korean public bodies are directed to give preference to high-impact AI that has been through verification, certification or impact assessment. That means the evidence an organisation creates for compliance can also affect procurement, enterprise sales and regulatory assurance.
Finally, this is a fast-dating area. The core regime is live, guidance is still being refined, and a further decree amendment is under consultation. A team that assumes the law is either not in force or already settled will get the Korean position wrong in both directions.
How it works
Current legal position
South Korea's AI Basic Act was promulgated on 21 January 2025 and took effect on 22 January 2026. The current text also reflects a statutory amendment promulgated on 20 January 2026. The Enforcement Decree was promulgated on 21 January 2026 and also took effect on 22 January 2026. On the same day, MSIT released transparency guidance to explain how the new rules should work in practice.
As of 5 June 2026, the core trust layer is therefore in force. But that is not the end of the story. Some amendments made in January 2026 were designed to start later, and MSIT issued a draft amending decree on 21 May 2026 to fill in that next layer. That draft is proposed to take effect on 21 July 2026 if finalised.
South Korea's regulatory model
The Korean model is a framework regime. It promotes AI development, infrastructure, talent, data, standardisation and international cooperation, while adding a narrower set of safety-and-trust duties. That matters because it is not best understood as a blanket approval system for every model or use case.
The law separates at least four ideas that organisations should not collapse into one another. First, "generative AI" triggers transparency obligations. Second, "high-impact AI" covers certain contexts where AI can seriously affect life, physical safety or fundamental rights. Third, the safety duty in Article 32 is aimed at only the most advanced systems, not routine enterprise AI. Fourth, "impact assessment" under the AI Basic Act is a best-efforts mechanism for private providers of high-impact AI, not a universal filing duty.
In other words, the Korean regime is lighter than a full ex ante licensing model, but it is not soft law. It creates live statutory duties, decree-level thresholds and government powers to investigate and order corrections.
Who is in charge
The President-led National AI Strategy Committee is the top national coordination body. Its mandate includes deliberation and resolution on national AI policy, inter-ministerial coordination, implementation monitoring and performance management. That makes it a governance body rather than a daily regulator for individual firms.
MSIT is the ministry that matters most in day-to-day legal operation. It leads subordinate legislation, publishes guidelines, receives certain submissions, can confirm whether a system is high-impact AI on request, and can conduct fact-finding investigations and issue cessation or correction orders. The law also provides for an AI Policy Center and an AI Safety Institute, which support policy development, standards and AI safety work.
In practical terms, this means South Korea's AI regime is administered through a central policy ministry with a strong steering role, supported by specialist institutions and by sector-specific laws where relevant.
Main duties under the safety-and-trust layer
The first live duty is transparency. AI business operators that provide products or services using high-impact AI or generative AI must notify users in advance that the product or service is AI-based. For generative AI, there is also a separate duty to indicate that AI-generated content was produced by generative AI.
MSIT's January 2026 transparency guidance makes this more concrete. It draws a practical line between content that stays inside a service environment and content that is exported outside that environment. If AI-generated content stays within the service, more flexible notices can be used through user interfaces, pre-use notices or visual markers. If the content is downloaded or distributed outside the service, more explicit marking is expected, either in a human-recognisable form such as visible or audible identifiers, or through machine-readable means such as metadata after a text or voice notice. For AI-manipulated video and similar deepfake-style content, the guidance expects labelling that users can clearly recognise.
The second duty is safety, but only for a narrow class of systems. Under the Act, operators of systems above the decree's threshold must identify, assess and mitigate risks across the AI lifecycle and build a risk-management system for monitoring and responding to safety incidents. The final decree says this duty applies only where all three conditions are met: the system is at the state of the art in technology, the cumulative training compute is at least 10^26 FLOPs, and the model can have broad impact across economic and social fields. In practice, that points to frontier-scale models rather than ordinary business tools.
The third duty set concerns high-impact AI. The Act treats high-impact AI as systems that can significantly affect life, bodily safety or fundamental rights in specific areas. MSIT says the ten areas include energy, drinking water, health and medical services, medical devices, nuclear operations, crime investigation and arrest, employment, lending, transport, public services and education. Operators that provide high-impact AI, or products and services using it, must implement measures on risk management, user protection, human supervision, explanation where technically feasible, and document retention showing what was done to secure safety and reliability.
The fourth mechanism is impact assessment. Under Article 35, providers of high-impact AI should make efforts to assess in advance the impact of that AI on basic rights. That wording matters. It is not drafted as an across-the-board mandatory filing duty for private operators. Even so, it is not meaningless. National institutions are instructed to prioritise high-impact AI that has undergone impact assessment, which gives the mechanism commercial and governance weight.
The fifth duty is cross-border representation. Certain foreign AI business operators with no address or place of business in South Korea must appoint a domestic representative in writing and report that appointment to MSIT. The decree sets the trigger by threshold. It covers, among others, operators with annual total revenue of at least KRW 1 trillion, AI-service revenue of at least KRW 10 billion, or an average of at least 1 million domestic users per day over the previous three months. The domestic representative handles specified compliance contacts, including safety-result submissions, high-impact confirmation requests and support for high-impact reliability measures.
How classification, overlap and enforcement work
The classification question is central because most practical duties start there. Providers are expected to review in advance whether the AI they are providing qualifies as high-impact AI. If the answer is not clear, they may request confirmation from MSIT. The decree says the ministry should reply within 30 days, and a dissatisfied operator can seek re-confirmation within 10 days of receiving the reply.
MSIT's explanation of the final decree shows that classification is not based only on sector labels. The ministry also considers the scale, seriousness and frequency of potential harm to life, physical safety and fundamental rights, along with characteristics of the sector. The same materials indicate that where a human remains involved in the final decision-making process, the system is treated as more controllable and can fall outside the high-impact category.
The AI Basic Act also works alongside sectoral law rather than replacing it. The clearest official example is digital medical devices. MSIT said that where equivalent obligations under sector-specific law are met, the corresponding high-impact AI duties under the AI Basic Act can be treated as satisfied. That is an important signal for regulated sectors more broadly: the Korean framework is meant to reduce overlap, not create a second full compliance stack on top of everything else.
Enforcement is real, but phased. MSIT can require submission of data and conduct fact-finding investigations where it discovers or suspects violations of the content-labelling rules, the frontier safety duty or the high-impact operator duties, or where a report or complaint is received. If it finds a breach, it can order the operator to stop or correct it. The Act allows administrative fines of up to KRW 30 million for failing to provide the Article 31(1) notice, failing to designate a domestic representative, or failing to comply with a cessation or correction order. The decree then sets the ordinary fine schedule. But MSIT has also announced an at least one-year grace period after the Act's start date, with ordinary investigations and penalties deferred except in highly exceptional cases involving death, serious rights violations or similarly grave social harm.
What is still moving
The biggest near-term uncertainty is not whether the AI Basic Act exists. It does. The live question is what the next implementation layer will look like.
On 21 May 2026, MSIT issued a draft amending decree to implement January 2026 statutory changes. According to the official notice, the draft would flesh out public-sector AI adoption and use, procedures and support for AI research institutes, and a broader category of AI-vulnerable groups and support recipients. The notice says comments are open until 19 June 2026 and that the amendment is intended to take effect on 21 July 2026.
So, as of 5 June 2026, the practical position is this: the core trust layer is already operative, transparency guidance is available, normal enforcement has been softened for an initial grace period, and a further decree amendment is pending that will expand the supporting architecture and some operational detail from July if finalised.
Examples
A public-facing chatbot or image generator serving Korean users needs two compliance moments, not one. Before use, it should tell users that the product or service relies on generative AI or high-impact AI where relevant. If the service lets users export or share AI-generated text, images or video outside the platform, it then needs a stronger labelling step, such as visible or audible identifiers or machine-readable metadata. If the content is deepfake-style and hard to distinguish from reality, the label needs to be clearly recognisable.
A film production company that uses an AI video tool to make a film is not automatically treated as the regulated AI provider for transparency purposes. MSIT's guidance says that a company in that position is using an AI tool in its own operations rather than directly providing the AI product or service to end users. That does not remove every other legal issue, but it does matter for who carries the AI Basic Act's product-facing transparency duty.
A foreign AI platform with no Korean office cannot assume the law stops at the border. If it directly serves Korean users and crosses the decree's thresholds, such as major revenue or an average of at least 1 million Korean users a day over the last three months, it may need a domestic representative in South Korea. That representative becomes the local contact point for certain filings, high-impact confirmation requests and compliance support, and the foreign operator remains responsible for breaches within that scope.
Common misunderstandings
"South Korea now licenses all AI." No. The Korean regime is a framework law with targeted duties, not a universal pre-approval model.
"Every AI system used in healthcare, lending or education is automatically high-impact AI." Not necessarily. Sector matters, but so do the seriousness, scale and frequency of risk, and the decree also looks at whether humans remain in the final decision process.
"The safety duty applies to any powerful model." No. Article 32 is tied to a very high threshold in the decree and is aimed at frontier-scale systems.
"Impact assessment is a mandatory filing for every private AI deployment." No. Under the AI Basic Act it is framed as a best-efforts measure for providers of high-impact AI, although it still matters for procurement and governance.
"Foreign providers are outside scope unless they incorporate in Korea." No. Direct providers to Korean users can be caught by transparency rules, and larger foreign operators may need a domestic representative.
Risks and boundaries
The Korean AI Basic Act is a real law, but it is not a complete map of every AI-related obligation in South Korea. Privacy, sectoral product law, consumer protection, advertising, platform rules, labour and credit rules can still apply depending on the use case. The Act should therefore be read as a framework layer, not as a substitute for all other legal analysis.
Its classifications also leave room for edge cases. "High-impact AI" is more specific than a general high-risk label, but there is still judgement involved. That is why the confirmation process matters, and why organisations should not rely only on marketing labels such as "assistant", "recommendation engine" or "decision support".
There is also a timing boundary. As of 5 June 2026, the core statute and decree are in force, while normal enforcement has been softened by MSIT's grace period. That does not mean firms can ignore the rules. It means the government is signalling a staged landing, backed by guidance and consultations, before ordinary penalty practice hardens.
Finally, some of the January 2026 statutory amendments still depend on the July 2026 decree amendment now under consultation. Those provisions may change before final adoption, so organisations should distinguish between what is already legally operative and what is proposed but not yet final.
What to do next
Start with a classification exercise, not a generic policy refresh. Identify which services directly face Korean users, which rely on generative AI, which could plausibly fall into a high-impact category, and whether any model might cross the frontier safety threshold.
Then build evidence around the live duties. Put advance notices and content labels into product flows. For any high-impact use case, keep a documented risk-management plan, user-protection measures, human oversight design, explanation approach where technically feasible, and records showing what was actually implemented. If you are a foreign provider, test the domestic representative trigger now rather than waiting for a complaint or procurement request.
Finally, track the July 2026 implementation path and use official support channels where the classification is borderline. In South Korea, compliance is increasingly about being able to show your reasoning, your governance and your records, not only about having a policy document on file.
FAQs
Is South Korea's AI law already in force?
Yes. The AI Basic Act and its Enforcement Decree took effect on 22 January 2026. As of 5 June 2026, the core regime is live, although MSIT has said it will apply an at least one-year grace period before ordinary investigations and fines, except in highly exceptional severe-harm cases.
Is South Korea following the EU AI Act model?
Not closely. South Korea's model is more framework-based and promotion-oriented. It imposes targeted duties on transparency, high-impact AI and frontier-scale safety, but it does not create the same broad ex ante compliance structure for all AI systems.
Who has to comply with the transparency rules?
The rules apply to AI business operators that directly provide products or services using generative AI or high-impact AI to users. MSIT has said they also apply to international companies serving Korean users. They do not automatically apply to every business that merely uses AI tools internally.
What counts as high-impact AI in South Korea?
The law focuses on AI that can significantly affect life, bodily safety or fundamental rights in specified areas such as healthcare, medical devices, nuclear operations, crime investigation and arrest, recruitment, lending, transport, public services and education. Operators can ask MSIT for confirmation where classification is uncertain.
Are AI impact assessments mandatory?
Not in the broad way many people assume. Under the AI Basic Act, private providers of high-impact AI should make efforts to assess rights impacts in advance. That still matters because national institutions are told to prioritise high-impact AI that has undergone impact assessment.
Do foreign AI companies need a representative in Korea?
Some do. Foreign AI business operators with no address or place of business in Korea must appoint a domestic representative if they meet the decree's thresholds, which include certain revenue or user-base levels.
What is the main practical duty for generative AI services?
In most cases it is a combination of advance notice and output labelling. Users need to be told they are dealing with AI-based or generative AI services, and AI-generated content, especially deepfake-style material or content exported outside the service, needs clear marking.
What changes might happen next?
The main near-term change is the draft amending decree published by MSIT on 21 May 2026. It is proposed to take effect on 21 July 2026 and would add detail on public-sector AI use, AI research institutes and expanded support for AI-vulnerable groups if finalised.