South Korea's 2026 AI Basic Act: What Companies Must Know

South Korea's 2026 AI Basic Act: How High-Impact AI Regulations Will Reshape Industry and Corporate Strategy

On January 22, 2026, South Korea became the first country in the world to fully enforce a comprehensive AI regulatory framework. The Artificial Intelligence Development and Establishment of Trust Act, commonly known as the AI Basic Act, took effect while the EU's own AI Act continues to delay its high-risk provisions until August 2026. For businesses and individuals alike, this law signals more than just another regulation. It marks a fundamental shift in how AI is built, deployed, and held accountable.

Why the AI Basic Act Was Enacted Now

The formal name of the legislation is the Act on the Development of Artificial Intelligence and Establishment of Trust. It passed the National Assembly on December 26, 2024, with overwhelming bipartisan support — 260 out of 264 lawmakers voted in favor. After a one-year preparation period, enforcement began on January 22, 2026.

The catalyst was the explosive spread of generative AI. Within just two years of ChatGPT's debut, AI systems advanced to generating text, images, and video at scale. This rapid progress brought a wave of concerns: deepfake crimes, algorithmic bias, and the unauthorized use of personal data for model training. As countries around the world scrambled to develop their own regulatory frameworks, South Korea chose a "basic act" format that combines both industry promotion and safety regulation in a single statute. The reasoning was straightforward — individual existing laws could not adequately govern a general-purpose technology like AI.

The choice of a basic act rather than a pure regulatory statute reflects a deliberate policy balance. The law includes provisions for industry development, workforce training, and national strategy alongside safety obligations. The goal is to manage societal risks without throttling the pace of innovation.

What Qualifies as "High-Impact AI"

The regulatory core of the AI Basic Act revolves around the concept of "High-Impact AI" (고영향 인공지능). This refers to AI systems that could significantly affect human life, physical safety, or fundamental rights.

The enforcement decree specifies that High-Impact AI status is determined by considering the domain of use, the severity and frequency of risks to fundamental rights, and sector-specific characteristics. Medical diagnostics, credit scoring, autonomous driving, criminal investigations, and biometric recognition systems are representative examples.

One critical distinction sets South Korea's approach apart from the EU's. The EU AI Act uses an enumerated list approach, categorizing AI applications in healthcare, employment, law enforcement, and other specific sectors as high-risk. South Korea instead adopts a principle-based framework centered on the severity of fundamental rights infringement. The Ministry of Science and ICT (MSIT) makes case-by-case determinations, which provides regulatory flexibility but potentially reduces predictability for businesses trying to assess their compliance obligations.

The High-Impact AI verification procedure takes a baseline of 30 days, with one possible 30-day extension. MSIT plans to release self-assessment checklists for companies, though the specific details remain unpublished.

Watermark Requirements for Generative AI: Will They Actually Work?

The most visible change for everyday users is the mandatory labeling of generative AI outputs. When AI-generated text, images, video, or audio is provided to users, the fact must be disclosed. Downloads and shared content must carry watermarks.

The enforcement decree establishes two categories of watermarking. One is human-perceptible marking, such as visible text labels on images or audio disclaimers on voice content.

The other is machine-readable digital watermarks embedded in metadata. For creative works like animations and webtoons that are obviously not real, the latter method alone suffices.

Yet within just two weeks of enforcement, social media was already buzzing with tutorials on removing AI watermarks. Stripping metadata is technically straightforward, and visible watermarks can be edited out with basic post-processing tools. This raises legitimate questions about enforcement effectiveness. However, the law's primary intent is transparency at the point of creation. Deliberately removing watermarks could trigger separate legal liability, adding a deterrent layer beyond the technical measures themselves.

Five Compliance Obligations Every AI Business Must Meet

The AI Basic Act imposes five key obligations on AI service providers.

First, transparency. Businesses using High-Impact AI or generative AI in their products must proactively inform users that AI is involved. Companies can choose their disclosure method — pop-up notifications, UI indicators, or other approaches.

Second, safety assurance. AI systems with cumulative training computation exceeding 10 to the 26th power floating-point operations (FLOPs) must establish risk identification, assessment, and mitigation frameworks along with safety incident monitoring systems. The government currently believes no domestic AI models meet this threshold, though large language models from global tech giants may qualify.

Third, special duties for High-Impact AI operators. These include mandatory impact assessments, pre-deployment reviews, and comprehensive risk management systems.

Fourth, AI impact assessments. Public sector entities deploying AI must evaluate the potential effects on citizens' fundamental rights before implementation.

Fifth, domestic representative designation for foreign AI companies. Overseas AI firms providing services in South Korea without a local office must appoint a domestic representative. Violations carry fines of up to 30 million won (approximately USD 20,000).

The 30-Million-Won Fine and One-Year Grace Period

The maximum fine of 30 million won has drawn criticism as a slap on the wrist. Compare this to the EU AI Act, which imposes penalties of up to 35 million euros (approximately USD 38 million) or 7% of global annual revenue for prohibited AI practices. Even for high-risk violations, the EU allows fines up to 15 million euros or 3% of global turnover.

South Korea's lighter penalty structure reflects its priority of nurturing the domestic AI industry. Korean companies have not yet secured dominant positions in the global AI race, and the government judged that heavy penalties from the outset could stifle innovation.

Adding to this, MSIT will operate a grace period of at least one year. During this time, investigations and fines will be withheld except in cases involving loss of life or serious human rights violations. In practice, the earliest actual fines could be imposed is sometime after January 2027.

However, treating the grace period as a free pass would be a mistake. It is designed to give businesses time to build compliance systems, not to exempt them from the law's requirements. Companies that wait until the grace period ends to start preparations risk falling behind.

South Korea vs. the EU: How Their AI Regulation Philosophies Differ

South Korea's AI Basic Act and the EU AI Act share similar goals but take different paths.

The scope of regulated entities differs significantly. The EU covers developers, deployers, and even downstream users of AI systems. South Korea's law applies only to businesses that provide AI-based products and services. Companies using AI internally for their own operations are not directly regulated.

The risk classification systems diverge as well. The EU enumerates specific high-risk application domains. South Korea relies on principle-based assessment of fundamental rights impact. This makes the Korean framework more adaptable but potentially less predictable.

The penalty gap is stark, as noted above. The EU's maximum fine reaches 7% of annual global revenue; South Korea caps fines at 30 million won per violation. This difference directly affects the deterrent power of each regime.

Interestingly, even the EU is adjusting its enforcement pace. In late 2025, the European Commission proposed a "Digital Omnibus" package that could delay high-risk AI obligations until December 2027. The gap between writing regulations and enforcing them in the field appears universal.

How Telecom and Tech Companies Are Responding

Telecommunications companies were the first movers after the law took effect, given their positioning of AI as a core future business.

SK Telecom launched a company-wide "Good AI" campaign and enhanced its AI governance portal. The company also obtained ISO/IEC 42001 certification for AI management systems. KT established a dedicated Responsible AI Center (RAIC), appointed a Chief Responsible AI Officer (CRAIO), and applies its proprietary ethics framework "ASTRI" across all AI processes. KT publishes an annual Responsible AI Report disclosing its evaluation and guardrail systems.

Major platform companies including Naver and Kakao had already maintained voluntary AI ethics guidelines, but the new legal obligations are driving them to realign internal systems with statutory requirements.

For smaller AI startups, these obligations represent a significant burden. Without dedicated legal teams, self-assessing High-Impact AI status, building watermark systems, and establishing transparency disclosure frameworks can be prohibitively expensive. How effectively the government operates its support programs for SMEs will largely determine whether this law achieves smooth adoption across the broader AI ecosystem.

What Comes Next After the AI Basic Act

The enforcement of the AI Basic Act is just the beginning. Some details in the enforcement decree remain unfinalized, and the case-by-case nature of High-Impact AI determination means interpretation disputes and guideline updates will continue for some time.

Businesses should watch three areas closely. First, MSIT guideline updates. Companies need to determine whether their AI services fall under regulatory scope and build compliance systems before the grace period ends. Second, alignment with the EU AI Act. Companies operating in global markets will need integrated compliance strategies that satisfy both Korean and EU requirements simultaneously. Third, friction points with adjacent laws such as the Personal Information Protection Act and Copyright Act. The legality of AI training data and the copyright status of AI-generated content are issues that the AI Basic Act alone cannot resolve.

Changes are coming for individuals too. AI-generated content will carry labels, and AI systems that evaluate your creditworthiness will be required to explain their reasoning. Users gain a legally backed right to ask how an AI system reaches its decisions. The AI Basic Act's significance lies in surfacing the hidden risks behind technological convenience and assigning clear responsibility for managing those risks.

This article is for informational purposes only and does not constitute legal advice or investment recommendations. Please consult qualified professionals for specific legal or tax matters.