{# PostHog web analytics (EU region) — deliberately cookieless: memory-only persistence, no cookies, no cross-visit identity, so no consent banner is needed. Pageviews only (autocapture, session recording and surveys off). Marketing pages only — the client app and HQ are never tracked. Feeds the HQ Analytics panel. Public project token, same precedent as GA in base.html. #}
← Insights / Compliance

South Korea's AI Basic Act: What International Firms Must Do Before 2026 Enforcement

South Korea's AI Basic Act took effect on 22 January 2026. For international professional services firms and global enterprises operating in or targeting the Korean market, the window for passive observation has closed. The legislation is live, the Enforcement Decree is enacted, and whilst a grace p

Compliance 18 July 2026 6 min read

South Korea's AI Basic Act: What International Firms Must Do Before 2026 Enforcement Begins

South Korea's AI Basic Act took effect on 22 January 2026. For international professional services firms and global enterprises operating in or targeting the Korean market, the window for passive observation has closed. The legislation is live, the Enforcement Decree is enacted, and whilst a grace period on administrative fines runs through the end of 2026, the compliance obligations themselves are not deferred. Organisations that wait for enforcement to sharpen before acting are already behind.

This briefing sets out what the AI Basic Act requires, how it intersects with South Korea's evolving data protection regime, and what international firms specifically need to prioritise now.

What the AI Basic Act Actually Covers

The Basic Act on Artificial Intelligence and Creation of a Trust Base establishes a unified, risk-based framework for AI systems operating in or impacting South Korea. Critically, it applies extraterritorially. A firm headquartered in London, Frankfurt, or Singapore that deploys AI services accessed by Korean users falls within scope. The origin of the operator is irrelevant — what matters is the effect.

The Act introduces defined categories of AI, including "high-impact AI systems" — those that significantly affect human life, safety, or fundamental rights — and "generative AI." Both classifications carry specific obligations. For high-impact AI, operators must implement robust risk management systems, maintain meaningful human oversight, and conduct structured impact assessments. For generative AI broadly, the Act mandates user notification and clear labelling of AI-generated content. These are not aspirational standards. They are baseline legal requirements.

The Enforcement Decree, enacted on 21 January 2026, adds operational precision. It sets a computation threshold of 10²⁶ floating-point operations per second (FLOPS) as the trigger for enhanced obligations on high-impact AI operators. This is a technical benchmark that AI development teams need to assess against their own systems, not assume they fall beneath.

The Domestic Representative Requirement: A Wake-Up Call for Foreign Operators

Perhaps the most immediately actionable provision for international firms is the domestic representative requirement. Foreign AI operators without a registered presence in South Korea must designate a local representative if they meet any one of the following thresholds:

  • Total annual revenue of KRW 1 trillion (approximately £580 million)
  • Annual AI services revenue of KRW 10 billion (approximately £5.8 million)
  • At least one million daily users in South Korea

For many global enterprises and mid-to-large professional services firms, the first or third threshold alone will apply. The representative must be capable of engaging with regulators on compliance matters — this is not a nominal appointment. Firms that have not yet assessed whether they cross these thresholds should treat that assessment as urgent.

Data Protection: Higher Stakes Than Most Firms Expect

The AI Basic Act does not operate in isolation. South Korea's Personal Information Protection Act (PIPA) has undergone substantial amendments, promulgated in March 2026 with most provisions taking effect from September 2026. The most significant change for international businesses is the increase in maximum administrative penalties for severe data breaches from 3% to 10% of total global turnover. That places South Korea's enforcement exposure firmly in GDPR territory, and firms that have calibrated their Korean data risk on the basis of the previous penalty regime need to recalibrate immediately.

The amendments also extend breach notification obligations and reinforce CEO accountability for data protection failures. That last point deserves emphasis. Personal liability for senior executives is not a theoretical risk in this framework — it is an explicit mechanism, and one that tends to concentrate boardroom attention.

The PIPC's Role in AI Governance

The Personal Information Protection Commission (PIPC) has emerged as a significant force in AI compliance enforcement, independent of the AI Basic Act itself. In August 2025, the PIPC released its Guidelines for Personal Data Processing for the Development and Utilisation of Generative AI. Whilst non-binding, these guidelines function as an enforcement benchmark — regulators will assess organisations against them in practice.

The guidelines set expectations across several areas that matter directly to AI operators: legal basis documentation for training data, pseudonymisation requirements, input and output filtering controls, and CPO-led governance structures. Firms using third-party generative AI tools in their Korean operations — not just those building models — need to understand how their supply chain maps against these expectations.

The PIPC's enforcement posture is not theoretical. In January 2025, it ordered the destruction of an AI algorithm trained on unlawfully obtained data. That is a significant remedy, and one with material operational and financial consequences. In March 2026, the PIPC adopted a revised risk-based framework for pseudonymised information processing. Combined with the Korea Communications Commission's own Guidelines on the Protection of Users of Generative AI Services, adopted in February 2025, the regulatory landscape in South Korea is layered and active.

The Grace Period Is Not a Compliance Deferral

The Ministry of Science and ICT (MSIT) has confirmed that administrative fines under the AI Basic Act will generally be deferred throughout 2026, except in cases involving serious social harm. This is a meaningful concession, and it reflects a pragmatic recognition that industry needs time to build compliance infrastructure.

However, it would be a strategic error to treat the grace period as a pause button. The obligations are live. Regulators are watching. The PIPC has already demonstrated willingness to act. And the firms that use 2026 to build genuine compliance frameworks will be substantially better positioned when enforcement normalises — whilst those that defer will face both compliance debt and heightened regulatory scrutiny.

What International Firms Should Prioritise Now

Based on the current regulatory picture, international firms with Korean market exposure should focus on the following immediately:

Scoping and classification. Identify which AI systems you operate that are accessible to Korean users. Determine whether any meet the definition of high-impact AI or generative AI under the Act. Assess computation thresholds where relevant.

Domestic representative assessment. Determine whether your revenue or user-base thresholds trigger the representative designation requirement and, if so, initiate appointment.

User-facing obligations. Audit current disclosure practices for high-impact and generative AI usage. Ensure labelling of AI-generated content meets the Act's requirements.

Impact assessments. For high-impact AI systems, begin scoping the assessment process. These are not checkbox exercises — they require documented methodology and evidence.

Data governance alignment. Review training data provenance, legal basis documentation, and pseudonymisation practices against PIPC guidelines. Assess breach notification and CEO accountability structures against the amended PIPA.

Cross-jurisdictional mapping. South Korea's framework intersects with the EU AI Act, GDPR-equivalent data regimes, and other national AI governance frameworks. Firms operating across multiple jurisdictions need a compliance architecture that accounts for convergence and divergence simultaneously.


South Korea has built one of the most substantive AI governance frameworks in the Asia-Pacific region, and its extraterritorial reach means international firms cannot treat it as a domestic Korean matter. The compliance obligations are real, the enforcement capability is demonstrated, and the cost of getting this wrong is rising.

Ops Intel works with international professional services businesses and global enterprises to navigate AI compliance obligations across multiple jurisdictions, including South Korea's AI Basic Act and PIPA regime. If you need to understand your exposure, build a compliance framework, or prepare for enforcement, speak with our team today.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit