I. RELEASE OF DRAFT PUBLIC NOTICES AND GUIDELINES
In anticipation of the enforcement of the Framework Act on the Development of Artificial Intelligence and the Establishment of a Trust-based Environment, etc. (“Framework Act on AI”) on January 1, 2026, the Ministry of Science and ICT (“MSIT”) released the draft Enforcement Decree on September 8, 2025, followed by the publication of drafts of two Public Notices and five Guidelines on September 17, 2025, thereby initiating a public consultation process with industry stakeholders.
Bae, Kim & Lee’s AI Team previously provided an overview of the draft Enforcement Decree in our September 12, 2025 newsletter. In this issue, we summarize the newly released Public Notices and Guidelines and the expected timeline. In the coming weeks, we will provide a series of newsletters analyzing the detailed contents of each instrument.
II. LEGISLATIVE BACKGROUND AND POLICY DIRECTION
The subordinate legislation under the Framework Act on AI has been formulated with an emphasis on industry promotion over regulation, reflecting Korea’s “balanced model” approach in the context of both domestic AI development and the global competition over AI governance. Drawing upon legal developments in the US, EU, and Japan, and incorporating feedback from industry and civic groups through more than 70 consultations, the legislation aims to create a flexible, predictable regulatory framework that minimizes burdens on companies.
The draft Enforcement Decree consists of 34 provisions (32 main articles and 2 supplementary provisions). A key feature is the planned grace period for administrative fines. Non-compliance with obligations such as providing prior notice for transparency, designating a domestic representative for overseas operators above a certain threshold, or complying with corrective orders may result in fines of up to KRW 30 million (Article 43(1)). The duration of the grace period will be finalized through stakeholder consultation to minimize disruption in the early implementation phase.
In addition, the two Public Notices (on Safety Assurance Obligations and on Business Operators’ Responsibilities) and the five Guidelines (on Transparency, Safety Assurance for High-Performance AI, High-Impact AI Confirmation, Business Operators’ Responsibilities, and AI Impact Assessment) are intended to clarify the scope of obligations and responsibilities applicable to AI businesses.
III. OVERVIEW OF THE PUBLIC NOTICES AND GUIDELINES
1. Public Notice on Safety Assurance Obligations
-
The safety assurance obligations impose minimum duties on operators of high-performance AI systems to eliminate or mitigate foreseeable risks and ensure accident preparedness.
-
The public notice specifies methods for risk identification, assessment, and mitigation, establishment of risk management systems, and submission of results.
-
In this context, “risk” is defined as the possibility that the use of an AI system may infringe fundamental rights or endanger public safety, limited to technically foreseeable cases.
-
The obligations apply to AI systems with cumulative computation of 10²⁶ FLOPs or more, incorporating state-of-the-art AI technologies and capable of exerting broad and material impacts on human life, safety, and fundamental rights.
2. Public Notice on Business Operators’ Responsibilities
-
Under the Framework Act on AI, business operators are subject to obligations such as establishing risk management systems, implementing explanatory measures, protecting users, and ensuring human oversight.
-
Depending on the lifecycle of high-impact AI and the nature of obligations, the responsibilities differ between developers and users.
※ Example: Developers must establish explanatory measures for the outcomes of high-impact AI, while users must implement them for end-users.
-
The public notice stipulates the specific matters for establishing and operating risk management and user protection measures for high-impact AI, and for developing and implementing explanatory measures regarding major standards.
3. Guidelines on Transparency
-
(Unit of transparency) Labelling is required on the final outputs generated by AI, with illustrative examples.
-
Prior notice may be provided at the point of product or service delivery via terms of use, contracts, manuals, or device labelling, with actual notice examples included.
-
(Labelling) Outputs of generative AI must be labelled in a manner that is both human- and machine-readable, with reference to global practices (including visible and invisible labelling).
-
(Deepfake outputs) Requires notice or labelling methods that enable users to clearly recognize such outputs, with detailed examples provided.
-
(Exemptions) Where the use of generative AI or high-impact AI is obvious, or where the system is used exclusively for internal business purposes.
4. Guidelines on Safety Assurance for High-Performance AI
-
(Scope of application) Clarifies the scope of AI systems subject to the computational threshold (≥10²⁶ FLOPs), the timing for assessing cumulative computation, components included in the calculation, and calculation methods.
-
(Safety assurance measures) Provides guidance on risk identification, evaluation, mitigation, and risk management, with reference to EU and U.S. standards to facilitate global regulatory alignment
-
(Submission of results) Outlines requirements for documenting implementation results, considerations in preparing documentation, evidentiary requirements, and submission procedures.
5. Guidelines on High-Impact AI Confirmation
-
(Assessment method) Whether an AI system constitutes high-impact AI is determined by considering both ➊ the domain in which AI is used and ➋ the level of impact (risk) arising therefrom.
-
(Step 1) Determine whether the AI system is used in any of the ten domains listed in each Item of Subparagraph 4 of Article 2 of the Act:
➊ energy supply, ➋ drinking water production processes, ➌ establishment and operation of healthcare delivery and utilization systems, ➍ development and utilization of medical devices and digital medical devices, ➎ management and operation of nuclear facilities, ➏ crime investigation and arrest, ➐ decision-making and evaluations materially affecting rights and obligations, such as hiring and credit screening, ➑ activation and operation of transportation means, facilities, and systems, ➒ public services, ➓ student assessments in the education sector
-
(Step 2) Apply the detailed interpretive criteria for determining whether the AI system falls within the concept of high-impact AI:
- (Human life, physical safety, and fundamental rights) Evaluated based on the extent to which the use of the AI system may affect the life, physical safety, or fundamental rights (interests) of natural persons, depending on their use of products and services and the outcomes generated.
- (Impact and risk) “Impact” primarily refers to the extent to which negative effects reach the level of actual risk. “Risk” is assessed by combining the probability (frequency) of occurrence with the severity of the consequences, while also considering the AI system’s purpose, functions, and usage context, together with the Enforcement Decree.
- (Materiality) Determined by comprehensively considering (i) the nature of the user rights at issue (life, physical safety, fundamental rights), and (ii) the degree of risk increase compared to the existing baseline. The Guidelines also provide appropriate domain-specific methods for risk assessment and review.
6. Guidelines on Business Operators’ Responsibilities for High-Impact AI
|
Category
|
Detailed Responsibilities of Business Operators (Guidelines)
|
|
Establishment and Operation of
Risk Management Measures
(Subpara. 1)
|
-
Establishment and implementation of risk management policy: Establish and implement risk management plans through dedicated organizations and personnel, to identify, assess, and eliminate potential risks of high-impact AI and mitigate them to an acceptable level.
-
Organization and operation of risk management organization: Establish a risk management organization or designate responsible personnel within the organization.
※ Depending on the scale and capacity of the operator, personnel may be assigned on a concurrent basis.
|
|
Formulation and Implementation of
Explanatory Measures
(Subpara. 2)
|
-
Formulation of bases for of AI outcomes and key criteria: In formulating explanatory measures on high-impact AI, technical measures to be required within feasible scope to enhance transparency and explainability.
-
Management of information on training data: Manage information on training data utilized in AI, including general content as well as format, quantity, size, collection methods, and preprocessing methods.
-
Development and implementation of explanatory measures: Formulate and implement explanatory measures by reviewing procedures, scope, and methods for providing explanations to users.
|
|
User Protection Measures
(Subpara. 3)
|
-
AI Development Stage: ▲ lawful and safe data collection, ▲ secure algorithm design and system development, ▲ sufficient evaluation to prepare for various risks
-
Operation Stage: ▲ establish real-time monitoring framework for problem detection, ▲ build user feedback processes, ▲ establish policies to safeguard user rights including personal data
|
|
Human Oversight of High-Impact AI
(Subpara. 4)
|
-
Design Stage: Establish standards, procedures, and methods that allow human intervention in the operation of high-impact AI.
-
Operation Stage: Establish regular inspection plans and measures to prevent performance degradation and errors and prepare education and training measures to enhance understanding of high-impact AI to be provided by developer to user, and by user to end-user.
|
|
Preparation and Retention of Documentation
(Subpara. 5)
|
-
Preparation of documents (including electronic documents) concerning the above responsibilities, periodic review thereof, and management to ensure that the latest technologies and methodologies are applied.
|
7. Guidelines on AI Impact Assessment
-
(Contents of Impact Assessment) Provides detailed definitions and explanations for each item that AI business operators must include when conducting an impact assessment, namely:
① Identification of affected parties, ② Identification of relevant types of fundamental rights, ③ Understanding the content and scope of social and economic impacts, ④ Analysis of usage patterns, ⑤ Application of evaluation metrics, ⑥ Matters concerning risk prevention and loss recovery, ⑦ Improvement plans, etc.
-
(Methods of Impact Assessment) Provides practical instructions, including specific methods for conducting an impact assessment, templates and examples of impact assessment, methods for preserving follow-up measures and results, and methods for obtaining expert advice on impact assessments through professional institutions.
IV. FUTURE SCHEDULE
MSIT plans to hold explanatory sessions and collect opinions from relevant ministries and stakeholders during the 2nd to 4th weeks of September, proceed with the administrative legislative process including legislative notice, regulatory review, and review by the Ministry of Government Legislation from October to November, finalize the Enforcement Decree within the year, and publish the completed guidelines.
As the subordinate legislation will likely be further refined considering stakeholder feedback and evolving international regulatory trends, it will be important for companies to closely monitor developments and actively provide input during the consultation process.
* * *
Bae, Kim & Lee’s AI Team continuously monitors AI regulatory developments in Korea and worldwide and stands ready to provide comprehensive advisory services and practical support, helping companies leverage AI effectively while minimizing legal risks. For any inquiries, please feel free to contact us at any time.
[Korean Version]
