The “Act on the Development of Artificial Intelligence and Establishment of Trust”, South Korea’s comprehensive framework on AI, was approved on December 26, 2024 and promulgated on January 21, 2025. This Act implements a broad rule of extra-territorial applicability and could affect the business of Japanese companies.
I. Introduction
New regulations and legal frameworks on Artificial Intelligence (hereinafter referred to as “AI”) are being actively discussed throughout the world. One significant development must be mentioned: the “Act on the Development of Artificial Intelligence and Establishment of Trust” (hereinafter referred to as the “AI Basic Act”) was approved on December 26, 2024 and promulgated on January 21, 2025 in South Korea.
The AI Basic Act, which consolidates nineteen separate AI bills introduced to the National Assembly until November 2024, was approved by 260 out of 264 lawmakers in its final passage and was finally promulgated on January 21, 2025. It constitutes the first comprehensive framework on AI in the Asian region and the second on a global level, following the adoption of the EU AI Act in August 2024 (please read our previous newsletter if you want to know more about the EU AI Act).
As the AI Basic Act implements a broad rule of extra-territorial applicability and could affect the business of Japanese companies, this article will outline its content. Furthermore, since this Act presents many similarities with the Regulation laying down harmonized rules on AI in the European Union (hereinafter referred to as the “EU AI Act”), we will also propose a comparison with the EU AI Act.
II. An Overview of the newly enacted “AI Basic Act” in South Korea
1. The purpose of the “AI Basic Act”
The AI Basic Act, which was passed in a plenary session of the National Assembly of South Korea on December 26, 2024, has the purpose of “protect[ing] the rights and dignity of the people, improv[ing] their quality of life and strengthen[ing] national competitiveness by stipulating the basic matters necessary for the safe development of artificial intelligence and the establishment of trust”. The AI Basic Act focuses on the promotion of the ideal conditions to launch a national cooperative system for AI, allows the sector to flourish, and shapes the legal basis to prevent the occurrence of the risks associated with the use of such technologies. Nevertheless, the AI Basic Act provides that enforcement will generally occur starting from January 22, 2026, thus giving exactly one year to related AI businesses to comply with it. The AI Basic Act only mentions one exception to this general rule regarding the timeline of application of the Act itself: Article 2, paragraph 4 related to digital medical devices will come into effect on January 24, 2026.
It goes without saying that to fully understand how to comply with the AI Basic Act, businesses should keep up with the developments concerning the adoption of subordinate legislation and sector-specific guidelines, including definitions of high-impact AI, computational thresholds, and safety measures.
The AI Basic Act has four main parts: (i) creation of a comprehensive governance framework to support the AI development and the establishment of a trust-based foundation; (ii) measures to promote technological and industrial development; (iii) identification of specific duties and responsibilities for AI businesses; (iv) fact-finding investigations and penalties. Each will be explained in detail in the following subsections.
2. Creation of a comprehensive governance framework to support the AI development and the establishment of a trust-based foundation
First of all, the AI Basic Act stipulates the creation of a specific institutional framework to comprehensively promote the related policy. In particular, the Ministry of Science and ICT (hereinafter referred to as the “MSIT”) is required to establish and implement every three years a Basic AI Plan (hereinafter referred to as the “Basic Plan”) to promote AI technology and the related industry. Such Basic Plan will be subject to the deliberation and resolution of the National AI Committee, which is established under Article 7 of the AI Basic Act. It will be chaired by the President and will deliberate on matters concerning policy, investment, infrastructure and regulations related to AI. To guarantee the organized and consistent development and execution of AI-related policies and initiatives, the AI Basic Act also establishes the legal basis for other institutions, including: the AI Policy Center, the AI Safety Research Institute, and the Korea AI Promotion Association.
3. Measures to promote technological and industrial development
Secondly, under the AI Basic Act, the government is required to formulate supportive measures to mitigate the risks arising from the use of AI, to increase trust and to ensure the advancement of AI and the affected industries. Such measures may include promoting R&D in this area, facilitating the distribution of information, ensuring smooth cooperation between industry and academia, implementing projects to raise awareness of the safe development and use of artificial intelligence, and elaborating and providing support for the standardization of AI technology by the private sector. Additionally, the government shall facilitate the production, collection, management, distribution, and utilization of training data, while also encouraging the establishment and operation of data centers. Furthermore, the AI Basic Act prescribes that the government may formulate and publish AI Ethics Principles (“Ethics Principles”) on AI safety, reliability and accessibility.
4. Identification of specific duties and responsibilities for AI businesses
Moreover, the AI Basic Act identifies specific duties and obligations of AI businesses. The obligations imposed by the AI Basic Act on AI businesses can be divided into the following categories: (i) Obligations for AI systems that exceed a certain threshold; (ii) Obligations for Business Operators involved with high-impact AI; (iii) Obligations concerning Generative AI; (iv) Obligations for non-domestic Business Operators.
4.1 Obligation for AI systems that exceed a certain threshold: the establishment of a risk management system
Under Article 32 of the AI Basic Act, AI Business Operators whose AI systems exceed a threshold of cumulative computational usage for training, to be determined by Presidential Decree, shall assess the potential risks related to AI and thus establish a risk management system. Such risk management system will be used to monitor and respond to AI-related safety accidents, whose results must be duly submitted to the MSIT.
4.2 Obligations for Business Operators involved with high-impact AI System
Some of the obligations under the AI Basic Act imposed on AI Business Operators incorporating high-impact AI systems (as defined in Article 2(4) of the AI Basic Act) in their products or services are as follows:
– AI Business Operators shall inform the users in advance that the products or services provided are AI-powered;
– AI Business Operators must assess in advance whether their AI systems fall within the definition of high-impact AI systems and, if needed, ask the MSIT for confirmation;
– AI Business Operators incorporating high-impact AI systems in their products or services must ensure safety and reliability by implementing the measures listed in Article 34 of the AI Basic Act, including user protection measures, providing explanations about the AI system used, ensuring human oversight and supervision of high-impact AI, preparing and maintaining documentation on measures concerning safety and reliability, etc.;
– AI Business Operators shall assess the potential effects on fundamental rights when providing products or services using high-impact AI.
4.3 Obligation relevant to Generative AI
Businesses offering Generative AI (as defined in Article 2(5) of the AI Basic Act) products or services must indicate that their output is artificially created. Additionally, the AI Business Operators are required to notify the users if the contents generated by AI systems, such as voices, images, or videos, are difficult to distinguish from reality (i.e. deepfakes).
4.4 Extraterritorial Application and Obligations for non-domestic Business Operators
The AI Basic Act adopts a broad rule of extraterritorial application and provides that it “shall apply to any acts conducted abroad that affect the domestic market or users in the Republic of Korea”. This means that Japanese companies may also be subject to the AI Basic Act. Additionally, AI Business Operators that meet certain user and revenue thresholds defined by Presidential Decree must appoint a domestic representative if they are without an address or business location in South Korea. Such representatives will ensure that AI Business Operators will comply with the obligations prescribed by the AI Basic Act. It is important to note that the AI Business Operators will be deemed liable if the domestic representative violates or does not comply with the obligations imposed by the Act.
Being applicable to non-domestic Business Operators, such obligations will also be quite relevant to Japanese companies that will have developed or used AI systems in Japan, but whose acts will have implications on the domestic market or users in the territory of South Korea. In this case, Japanese companies need to comply with the above obligations within the deadline of January 22, 2026. As already mentioned, to understand whether a business without an address or office in Korea must designate a domestic representative, it is fundamental to monitor the status of the Presidential Decree, which will indicate the thresholds above which the above obligation will apply.
5. Fact-finding Investigations and Penalties
Article 40 of the AI Basic Act grants the MSIT investigative powers in case of suspected, identified or reported violation of some of the obligations imposed by the AI Basic Act, including: (i) transparency requirement under Article 31; (ii) adoption of a risk management system under Article 32; (iii) implementation of measures to secure the safety and reliability of high-impact AI systems under Article 34. The MSIT may order the AI Business Operators to take the necessary measures if a violation of the AI Basic Act is detected as a result of an investigation. However, there is a widespread concern among AI Business Operators that the AI Basic Act could grant a broad authority to the MSIT to investigate based on complaints or reports, which could lead to regulatory uncertainty and confidentiality risks. Nevertheless, the MSIT assured the establishment of detailed investigative criteria through future regulations to mitigate such issue.
Any failure to comply with the orders adopted by the MSIT in case of violation of the obligations imposed on the AI Business Operators and, in general, the rules set out in the AI Basic Act can result in fines of up to KRW 30 million.
III. Comparison between the “AI Basic Act” and the “EU AI Act”.
Under a comparative approach, it can be said that the AI Basic Act does reveal a certain degree of influence from and resemblance to the provisions of the EU AI Act, which was the first comprehensive regulatory framework on AI.
Firstly, both regulations use a risk-based approach by proposing a classification of AI systems through the identification of certain areas where AI poses intensified risks. However, there are two differences with regard to specific contents of their risk-based approaches that must be underlined. To begin with, while the EU AI Act identifies four different levels of risks (i.e., unacceptable risk, high risk, limited risk and minimal risk), the AI Basic Act proposes only two types of AI systems (i.e., high-impact AI and generative AI) that are regulated according to the threats associated with the use of such technologies. Additionally, while Article 5 of the EU AI Act with regard to the so-called “Prohibited AI Practices” prohibits the use of specifically categorized AI systems as unacceptable risk, the Korean Act does not provide any regulation to prohibit specific types of AI systems depending on the dangers to life, personal safety and fundamental rights.
Secondly, both acts include obligations on transparency (Art. 50 of the EU AI Act and Art. 31 of the AI Basic Act); risk management system, documentation and oversight (Articles 9-15 of the EU AI Act and Articles 32 and 34 of the AI Basic Act); the establishment of a robust institutional system to oversee the enforcement of the Act and the development of AI (Chapter VII of the EU AI Act and Articles 7, 11, 12, 26 of the AI Basic Act).
Thirdly, the regulation adopted in the EU and the one that has just been promulgated in Korea both include a provision on their extraterritorial application.
Nevertheless, a major difference can be found with regard to the penalties: while enforcement mechanisms are included in both laws, there is a marked discrepancy with regard to the severity of the fines applicable in case of non-compliance. Any failure to comply with the AI Basic Act can result in fines of up to KRW 30 million (about JPY 3 million/€20,000), but the penalties prescribed in the EU AI Act can be as high as €35 million (about JPY 5.6 billion) or 7% of worldwide annual turnover.
IV. Implications and Future trends in Laws and Regulations
The enactment of the AI Basic Act represents an important milestone for South Korea as it demonstrates its commitment to take a leap forward in creating a risk-mitigated environment characterized by the responsible use of the potential of AI, especially since such technologies have now become part of our daily lives and are having a major impact on many sectors. However, it is expected that further subordinate statutes and policies for AI development will be adopted in order to provide guidance to AI Business Operators in addition to the compliance with the obligations set out in the Act.
[AIL AI Newsletter Series]
– [Japan] “Publication of the “Draft Interim Report” of the AI Strategy Council and the AI Institutional Research Group: The future direction of the legal system surrounding AI”, January 9, 2025;
– [Japan] “Policy Trends and Discussion on Regulating AI Technologies in Japan”, October 31, 2024;
– [EU] “The EU AI Act explained: the major effects produced by the new Regulation”, September 6, 2024 (last updated on February 27, 2025).