South Korea’s Artificial Intelligence Strategy and Laws

South Korea's AI compliance picture changed materially on 22 January 2026, when the AI Framework Act came into force. For years, Korea operated through what observers called a "soft governance" model anchored on the Personal Information Protection Act (PIPA), the 2020 Data 3 Act amendments, and government-issued ethics guidelines. That description is now incomplete. Korea is one of only two jurisdictions worldwide with a comprehensive in-force AI statute, and businesses building or deploying AI for the Korean market are operating in a substantively new regulatory environment.

The defining characteristic of Korea's model differs from both the EU and Japan. The EU AI Act is prescriptive, risk-classified, and penalty-heavy. Japan's AI Promotion Act is a framework law with no AI-specific fines. Korea sits between them: a comprehensive statute with specific obligations on high-impact and generative AI, with administrative penalties (currently up to KRW 30 million per violation under the Act, with PIPA penalties remaining far higher) but a clear pro-innovation orientation. The Act's purpose, in its own words, is "to protect human rights and dignity, contribute to the enhancement of the quality of life, and strengthen national competitiveness."

The AI Framework Act

Background and structure

The AI Framework Act consolidated 19 separate AI-related bills that had circulated through the National Assembly since 2021. After several years of debate (including delays caused by the political turmoil surrounding former President Yoon Suk Yeol's December 2024 declaration of martial law and subsequent impeachment), the bill passed with overwhelming bipartisan support on 26 December 2024.

Key dates:

26 December 2024: National Assembly passed the AI Framework Act
21 January 2025: Act promulgated as Law No. 20676
22 January 2026: Act took full effect
22 January 2026: Enforcement Decree (Presidential Decree No. 36053) took effect

The Act operates as a framework statute, with detailed implementation delegated to subordinate legislation including the Enforcement Decree, sector-specific guidelines from the Ministry of Science and ICT (MSIT), and ongoing rule-making.

Scope and definitions

The Act applies to AI systems used or made available in South Korea, regardless of whether the developer or operator is based in Korea. Foreign companies above specified thresholds must designate a Korean representative to liaise with regulators on the company's behalf.

Two categories of AI systems carry heightened obligations:

High-impact AI: AI systems used in critical sectors including healthcare, energy, public services, judicial decisions, hiring, education, and law enforcement, where outputs may significantly affect human life, safety, or fundamental rights. Specific scope is defined by Presidential Decree.
Generative AI: AI systems capable of generating text, images, video, audio, or other content, with specific labelling and transparency obligations.

Core obligations

The Act imposes graduated obligations:

Risk management: high-impact AI operators must establish risk management plans, conduct impact assessments, and document mitigation measures throughout the AI lifecycle.
Transparency: users must be informed when interacting with AI systems, and generative AI outputs must carry visible or watermark-based labels indicating AI generation.
Human oversight: high-impact AI requires meaningful human supervision points, particularly where decisions significantly affect individuals.
Documentation: operators must maintain records sufficient to demonstrate compliance, including training data information, performance evaluations, and incident logs.
User rights: individuals have rights to receive explanations of significant AI-driven decisions affecting them.
Foreign representative: foreign companies above thresholds must designate a Korean local representative for regulatory communication and accountability.
Reporting: serious incidents involving AI systems must be reported to the relevant authorities under defined timelines.

Enforcement and penalties

MSIT is the primary regulator, supported by the National AI Committee and the AI Safety Institute. Penalties under the Act include:

Administrative fines (currently up to KRW 30 million per violation) for failures to comply with high-impact AI, generative AI labelling, or representative-designation obligations
Order of corrective measures including suspension of services in serious cases
Public disclosure of violations

Note that PIPA's pre-existing penalty framework, which can reach up to 3% of relevant sales revenue for serious violations, continues to apply in parallel. AI deployments processing personal data are therefore subject to both regimes simultaneously.

Pro-innovation provisions

The Act includes substantial public support for AI development, including data centre investments, training data access projects, technical standardisation support for SMEs and startups, regulatory sandboxes, and the AI Trust Mark certification scheme. Foreign AI experts may receive incentives to relocate to Korea.

The AI strategy and ecosystem

The 2019 National AI Strategy and successors

The original National Strategy for Artificial Intelligence was launched in December 2019, setting the goal of making Korea a top-tier AI nation. Updated strategies through 2024 and 2025 build on the original framework with specific commitments to AI semiconductor leadership, sovereign AI capability, and trusted AI infrastructure.

National AI Committee and AI Safety Institute

Two key institutions established in 2024 and operationalised in 2025-2026 form the central governance architecture:

National AI Committee operates under the President's Office and serves as the central coordinating body for national AI policy. It oversees implementation of the national AI strategy, drives public-private collaboration, harmonises regulatory approaches across ministries, and represents Korea in international AI fora.
AI Safety Institute (Korea AISI) is the dedicated research centre responsible for evaluating advanced AI models, developing safety benchmarks, addressing deepfake and cybersecurity threats, and partnering with the UK AISI, US AISI, and Japan AISI on safety research.

Investment and infrastructure

Korea's AI strategy emphasises sovereign AI capability anchored on:

AI semiconductors: Samsung and SK Hynix lead in memory and AI accelerator manufacturing, with government support for AI chip design through the K-Cloud project and PIM (Processing-in-Memory) initiatives
High-performance computing: government-funded HPC centres and cloud infrastructure
Sovereign LLM development: support for Korean-language and Korean-context AI models
5G and next-generation networks: building on Korea's existing telecommunications leadership
Talent: AI graduate schools at top universities (KAIST, SNU, Yonsei, POSTECH, etc.), AI curricula integration in K-12, and retraining programmes

Personal Information Protection Act (PIPA)

The Personal Information Protection Act remains the primary statute for personal data in Korea, enforced by the Personal Information Protection Commission (PIPC). PIPA was significantly amended in 2020 (the Data 3 Act amendments), 2023 (cross-border transfer reforms), and most recently effective 1 April 2025 (foreign company representative requirements).

Core PIPA provisions relevant to AI

Lawful basis: consent is the default; specific exceptions apply for legitimate interests, contractual necessity, legal obligation, and other narrow grounds.
Sensitive data: heightened protection for ideology, beliefs, union or political party membership, political views, health, sexual orientation, biometric data for unique identification, and others.
Pseudonymised data: introduced through the 2020 Data 3 Act amendments. Pseudonymised data may be used for statistical, research, and public-interest archiving purposes without consent, subject to safeguards. This was a major enabler for AI training on Korean datasets.
Cross-border transfer: permitted under specified mechanisms including consent, adequacy, contractual safeguards, or PIPC-approved certification.
Data subject rights: access, correction, deletion, suspension of processing, and rights regarding automated decision-making with significant effects.
Domestic representative: amended PIPA effective 1 April 2025 strengthens requirements for foreign organisations with established Korean business units to designate those local entities as their representatives, addressing earlier "formal" compliance with unrelated third-party agents.

PIPC AI-specific guidance and enforcement

PIPC's January 2025 Policy Roadmap and Work Direction signalled an active 2025-2026 enforcement posture for AI services. Specific actions included:

February 2025: PIPC announced a temporary suspension of new downloads of the Chinese generative AI application DeepSeek over potential PIPA breaches
Preliminary onsite inspections of AI agents and AI-powered legal and HR services
Guidance on use of unmodified personal data in AI development

PIPA penalties for serious violations can reach up to 3% of relevant sales revenue, with additional administrative fines and possible criminal liability for responsible individuals.

The Data 3 Act

The 2020 Data 3 Act consisted of amendments to PIPA, the Credit Information Use and Protection Act, and the Information and Communications Network Act. The amendments unified data protection oversight under PIPC, introduced the pseudonymised data regime, clarified anonymisation standards, and reduced regulatory uncertainty for data sharing across sectors. The Data 3 Act remains a foundational enabler for the Korean AI ecosystem.

Sector-specific regulation

In addition to the AI Framework Act and PIPA, sectoral regulators apply existing law to AI deployments:

Healthcare AI: governed by the Ministry of Food and Drug Safety (MFDS) for AI-based medical devices, including specific provisions in the Framework Act referencing digital medical devices effective 24 January 2026.
Financial AI: governed by the Financial Services Commission (FSC) and Financial Supervisory Service (FSS), with AI-specific guidelines for credit scoring, anti-money laundering, robo-advisory, and other use cases.
Autonomous vehicles: governed by the Ministry of Land, Infrastructure and Transport (MOLIT) and the Korea Transport Safety Authority, with specific permissioning regimes for L3 and L4 autonomous driving.
Telecommunications and digital services: Korea Communications Commission (KCC) addresses AI in broadcasting, telecom, and online platforms.

International cooperation

Korea participates actively in international AI governance:

AI Seoul Summit (May 2024): Korea co-hosted with the UK, producing the Seoul Declaration and the Frontier AI Safety Commitments signed by major model developers.
OECD AI Principles: Korea is an active participant in OECD AI policy work.
Hiroshima AI Process: Korea endorses the G7-led international guiding principles.
AI Safety Institute network: Korea AISI cooperates with UK, US, Japan, and other AISIs.
US-Korea AI cooperation: bilateral commitments on AI infrastructure, supply chain, and standards.
EU AI Act interoperability: Korean law shares concepts (high-impact, transparency, human oversight) with the EU AI Act, easing compliance for multinational deployments.

A practitioner's compliance plan

Step 1: Determine AI Framework Act scope

For each AI system, determine whether it is offered or made available in Korea, regardless of where the operator is based. Identify whether the system qualifies as high-impact AI under the Enforcement Decree's sectoral definitions, generative AI subject to labelling, or general AI subject to baseline transparency. Document the determination.

Step 2: Designate a Korean representative if required

Foreign companies above thresholds must designate a Korean representative under both the AI Framework Act and the amended PIPA. Where a Korean business unit exists, it should typically serve as the representative under the April 2025 PIPA amendment. Where no Korean entity exists, designate a qualified third party with operational substance.

Step 3: PIPA compliance baseline

For all AI systems processing personal data, ensure PIPA compliance: lawful basis (consent or applicable exception), purpose limitation, security, breach notification, sensitive data handling, and data subject rights. Apply the pseudonymised data framework correctly for AI training. Address cross-border transfer mechanisms for any data leaving Korea.

Step 4: Build high-impact AI governance for in-scope systems

For AI systems classified as high-impact under the Enforcement Decree, establish risk management plans, impact assessments, human oversight points, documentation regimes, and incident reporting procedures. For generative AI, implement labelling at the output level and disclosure to users.

Step 5: Align with international frameworks

Anchor the governance programme on ISO/IEC 42001 and the NIST AI Risk Management Framework. Korea's framework shares concepts with the EU AI Act, Japan's AI Promotion Act, and Singapore's Model AI Governance Framework, so a single internal standard with jurisdiction-specific annexes minimises duplicated effort. Consider AI Trust Mark certification if relevant to your market positioning.

Compliance FAQ

Is the AI Framework Act actually in force?

Yes. The Act took effect on 22 January 2026. The Enforcement Decree took effect simultaneously. Subordinate guidelines from MSIT continue to be issued and refined, but the core obligations are operative.

How does the AI Framework Act compare to the EU AI Act?

Korea's law shares the EU AI Act's risk-based concepts (high-impact AI roughly maps to high-risk; generative AI labelling has parallels to Article 50) but with materially lower penalty bands and a more pronounced pro-innovation orientation. The EU AI Act has fines up to €35M or 7% of global turnover; Korea's Act has administrative fines currently up to KRW 30 million per violation (with PIPA penalties up to 3% of sales revenue continuing to apply where personal data is involved). Compliance with one does not automatically satisfy the other, but governance built for the EU AI Act will largely cover Korean obligations with limited additional work.

What about generative AI labelling?

The Act requires generative AI systems to label outputs as AI-generated. The exact technical requirements (visible labels, watermarks, content provenance) are being detailed through subordinate guidelines. Treat this as a layered obligation alongside C2PA Content Credentials, EU AI Act Article 50, and similar regimes.

Does the Act apply to my company if we are based outside Korea?

Yes, if your AI system is offered or made available in Korea. The Act explicitly applies to foreign operators above specified thresholds, who must designate a Korean representative. The April 2025 PIPA amendment also strengthens the foreign-company representative regime, and these two requirements should be addressed in parallel.

What did the DeepSeek suspension actually mean?

In February 2025, PIPC announced a temporary suspension of new downloads of DeepSeek in Korea over potential PIPA breaches concerning personal data handling and cross-border transfer. The suspension was a real enforcement signal indicating PIPC's willingness to act against foreign generative AI services that fall short of Korean data protection standards. Foreign generative AI providers serving Korean users should expect similar scrutiny.

What should businesses prioritise in 2026?

PIPA compliance with the April 2025 amendments, AI Framework Act applicability assessment for each deployed AI system, foreign representative designation if applicable, generative AI labelling implementation, and high-impact AI governance for in-scope systems. Track MSIT and PIPC announcements as the subordinate guidelines continue to develop.

The bottom line

South Korea is now the second jurisdiction worldwide with a comprehensive in-force AI statute. The AI Framework Act, the amended PIPA, the National AI Committee, and Korea AISI together create a substantive operational regime that businesses cannot ignore. Penalty bands are moderate compared to the EU AI Act and PIPA's pre-existing 3% sales penalty, but the regulatory infrastructure is real and PIPC has demonstrated willingness to act against foreign generative AI services. Build a governance programme that addresses Framework Act obligations, PIPA compliance, sectoral rules, and international interoperability through ISO/IEC 42001 or NIST AI RMF. Korea is not a future-tense story. It is an in-force regime that started on 22 January 2026, and the rest of 2026 is the first year of operational compliance.

Last updated: April 2026. This article is educational content and is not legal advice. Korea's AI Framework Act is in active early enforcement, and subordinate guidelines from MSIT continue to be issued. Consult qualified counsel before making compliance decisions.

Last updated April 29, 2026. This article is educational content and is not legal advice. Consult qualified counsel before making compliance decisions in your jurisdiction.