Vietnam AI Law 2026: The Complete English-Language Guide
Last Updated: 2026-03-26
tags: [Compliance, Guide]
On December 10, 2025, Vietnam’s National Assembly passed Law No. 134/2025/QH15 on Artificial Intelligence (Luat Tri tue nhan tao) with 429 of 434 votes — a 90.7% supermajority. It took effect on March 1, 2026. This makes Vietnam the first country in Southeast Asia to enact a binding, standalone AI law at the parliamentary level.
No thorough English-language guide to this law exists. Most coverage consists of law firm alerts summarizing a few provisions, or brief news reports noting the law’s passage. This guide fills that gap. It draws on the full Vietnamese text of the law, read in original Vietnamese. It is supplemented by analysis from Baker McKenzie, Tilleke & Gibbins, Duane Morris, IAPP, and other sources listed at the end.
One critical caveat before we begin:
Regulatory uncertainty notice: The law is in force, but most implementing regulations are not. Four draft subordinate instruments are under consultation or development as of March 2026. The high-risk AI systems list has not been finalized. No enforcement actions have occurred — the law is 23 days old. Treat the framework sections below as established law and the procedural sections as directionally accurate but subject to change.
Why This Law Matters
Three reasons this deserves your attention, even if Vietnam is not on your current compliance map.
First ASEAN AI law. No other Southeast Asian country has binding AI legislation. Singapore uses voluntary frameworks. Thailand has a draft AI Act in consultation. Indonesia is working on a presidential regulation. Vietnam moved first, and the law may set the template for a region of 680 million people. The ASEAN Digital Economy Framework Agreement (DEFA), expected by end of 2026, will create binding AI governance interoperability across the bloc (ISEAS, Kristina Fong, Feb 2026). Vietnam’s law will shape that agreement.
Sovereignty, not just compliance. The law dedicates an entire chapter (Chapter III, Articles 16-18) to “National AI Infrastructure and Sovereignty” (Phat trien ha tang va bao dam chu quyen tri tue nhan tao quoc gia). This is not standard regulatory language. Vietnam treats AI infrastructure as “strategic infrastructure.” It declares that “important AI applications in essential sectors” must deploy on national AI infrastructure (AI Law Art. 16). No other AI law in the world contains equivalent provisions. The Politburo’s Resolution 57-NQ/TW (December 22, 2024) frames AI as “the top strategic breakthrough” for Vietnam. It explicitly rejects the “if you can’t stop it, then ban it” mindset (regulations.ai, Dec 2024).
Extraterritorial reach. Article 2 applies the law to foreign organizations and individuals participating in AI activities in Vietnam. Foreign providers must appoint a local legal representative (AI Law Art. 14(6)). If your AI system serves the Vietnamese market, this law applies to you.
The Structure: 8 Chapters, 35 Articles
The law is deliberately concise. The EU AI Act has 113 articles plus annexes. Vietnam’s has 35 articles. Detailed implementation is deferred to government decrees, prime ministerial decisions, and ministerial circulars. Baker McKenzie (Feb 2026) calls it “principle-based,” noting it “contains many discrepancies and vague issues that are subject to further clarification from the Government.”
| Chapter | Subject | Articles |
|---|---|---|
| I | General Provisions | 1-8 |
| II | Risk Classification and Management | 9-15 |
| III | Infrastructure and National AI Sovereignty | 16-18 |
| IV | Application, Innovation, Human Resources | 19-25 |
| V | Ethics and Accountability | 26-27 |
| VI | Inspection and Violation Handling | 28-29 |
| VII | State Management | 30-32 |
| VIII | Implementation | 33-35 |
The law was drafted in roughly three months. MOST received the drafting assignment in late August 2025; the National Assembly passed it December 10, 2025. Venture North Law (Jan 2026) calls it “a half-baked legislation.” Key definitions are borrowed “almost word-for-word” from South Korea’s AI Basic Act. This speed reflects political urgency, not carelessness. The IAPP (Feb 2026) describes it as “a clear manifestation of the Brussels effect.”
The Three-Tier Risk Classification System
Vietnam classifies AI systems into three risk tiers (phan loai muc do rui ro): high, medium, and low (AI Law Art. 9). This mirrors the EU AI Act’s risk-based approach but with a simpler structure. Vietnam has three tiers where the EU has four.
High Risk (Rui ro cao)
Systems that “can cause significant damage to life, health, rights” or to national security (AI Law Art. 9).
Obligations are heavy:
This is binding pre-market approval, the strictest gate in Asia. South Korea’s AI Basic Act makes conformity assessment voluntary (“should endeavor”). Japan’s AI Promotion Act has no mandatory assessment. China requires CAC filing but through a different mechanism. Vietnam chose the EU model: you cannot put a high-risk system on the market without passing conformity assessment first.
The high-risk AI systems list has not been finalized. MOST released a draft list for public consultation on February 4, 2026 (MLex, Feb 2026), detailing five groups of criteria and three criteria groups for systems requiring mandatory conformity certification. On March 3, 2026, MOST issued Official Letter 1101/BKHCN-CNS&CDS requesting all ministries to propose AI systems for the high-risk list (Voice of Vietnam, March 4, 2026). The final list requires the Prime Minister’s signature. As of March 2026, that signature has not been given.
Medium Risk (Rui ro trung binh)
Systems that “can cause confusion, influence, or manipulate users regarding AI interaction” (AI Law Art. 9). Think chatbots that could be mistaken for humans, or content systems that could mislead.
Obligations are moderate: comply with transparency requirements under Article 11 plus accountability when requested (Art. 15).
Low Risk (Rui ro thap)
Everything else. Systems that do not fall into the above categories (AI Law Art. 9). Minimal obligations: accountability only when violation indicators exist (Art. 15).
Self-Classification
Providers self-classify their systems before placing them on the market (Art. 10(1)). Deployers can inherit the provider’s classification (Art. 10(2)). Medium and high-risk systems must notify MOST of their classification result (Art. 10(3)). If you are uncertain, you can request MOST guidance (Art. 10(4)).
If MOST finds a misclassification or dishonest declaration, the system must be reclassified (Art. 10(6)).
Six Prohibited AI Activities (Hanh vi bi nghiem cam)
Article 7 lists six categories of prohibited acts, effective immediately since March 1, 2026. These are not subject to transition periods. They apply now.
1. Exploitation for illegal purposes. Using AI systems to commit illegal acts or violate the rights and legitimate interests of organizations and individuals.
2. Harmful AI development and deployment. Developing, providing, deploying, or using AI systems to: (a) commit acts prohibited by law; (b) use fake or simulated elements to deceive or manipulate human perception and behavior, causing serious harm; (c) exploit vulnerable groups — children, elderly, persons with disabilities, ethnic minorities; (d) create or spread fake content causing serious danger to national security, social order, and safety.
3. Unlawful data use. Collecting, processing, or using data to develop, train, test, or operate AI systems contrary to data protection, intellectual property, or cybersecurity laws.
4. Blocking human oversight. Obstructing, disabling, or distorting mechanisms for human supervision, intervention, and control of AI systems.
5. Information concealment. Concealing information required to be public, transparent, or explained; erasing or falsifying mandatory information, labels, or warnings.
6. Abuse of research activities. Abusing research, testing, evaluation, or verification activities to commit unlawful acts.
Note: several English summaries count “seven prohibited activities.” The Vietnamese primary source has six numbered items; item 2 contains four sub-provisions (a-d), which some summaries count separately (AI Law Art. 7; read in original Vietnamese, March 2026).
Who the Law Applies To: Scope and Extraterritoriality
Four Roles in the AI Value Chain
Vietnam defines four distinct roles (AI Law Art. 3), more granular than any other jurisdiction:
| Role | Vietnamese | Definition |
|---|---|---|
| Developer (nha phat trien) | Nha phat trien | Designs, builds, trains, tests, or fine-tunes AI systems |
| Provider (nha cung cap) | Nha cung cap | Places AI system on market under their name, brand, or trademark |
| Deployer (ben trien khai) | Ben trien khai | Uses AI system within their control for professional, commercial, or service activities |
| User (nguoi su dung) | Nguoi su dung | Directly interacts with an AI system or uses its outputs |
The EU AI Act has two main roles (provider and deployer). Korea has two (development and utilization). Vietnam’s four-role structure creates more precise allocation of responsibility but also more complex compliance mapping.
A fifth role matters too: the “affected person” (nguoi bi anh huong) — any organization or individual whose rights are directly or indirectly affected by an AI system’s deployment or outputs (Art. 3).
Foreign Providers
Foreign organizations and individuals participating in AI activities in Vietnam are subject to the law (Art. 2). Foreign providers of high-risk AI systems must maintain a “lawful contact point in Vietnam” (Art. 14(6)). This is comparable to the EU AI Act’s authorized representative requirement (Art. 22) and Korea’s domestic representative obligation (Art. 36).
What Is Excluded
AI systems used exclusively for national defense, security, or cryptographic purposes are not covered (Art. 1). This exemption is narrower than Korea’s defense exemption but similar to China’s.
Transparency and Labeling (Minh bach)
Article 11 sets transparency obligations that, on paper, are among the most detailed in any AI law:
1. AI systems interacting directly with humans must be designed so users can recognize they are interacting with AI
2. AI-generated audio, images, and video must be marked in machine-readable format
3. Deployers must clearly notify the public when providing AI-generated content
4. Audio, images, or video simulating the appearance of real persons must carry easily recognizable labels
5. Providers and deployers must maintain transparency information throughout the system’s provision
Vietnam is the only jurisdiction requiring both machine-readable marks and human-readable labels in the primary law itself (AI Law Art. 11; read in original Vietnamese, March 2026). China has labeling measures and the EU has Article 50, but neither combines both requirements in the statutory text this explicitly.
Pending guidance: The notification and labeling forms have not been published. Article 11(6) delegates this to a government decree, which has not been issued as of March 2026.
Article 29 Strict Liability: The Most Aggressive in Asia
This is the provision that should command attention from any company deploying AI in Vietnam.
Article 29(2) states: “If a high-risk AI system managed and operated per regulations BUT STILL causes damage, the deployer bears compensation responsibility” (AI Law Art. 29; read in original Vietnamese, March 2026).
This is strict liability. The injured party does not need to prove fault. If the system causes damage, the deployer pays — even if they followed every rule.
Only two defenses exist:
Third-party hackers bear their own liability (Art. 29(4)).
No other Asian jurisdiction has AI-specific strict liability. Korea has no strict liability for AI. Japan has none. China applies general product liability but not AI-specific strict liability. The EU’s AI Liability Directive (AILD) was withdrawn. Our view: Vietnam may currently have the strictest AI liability regime globally for deployers.
The law “encourages” (khuyen khich) providers and deployers to participate in civil liability insurance (Art. 14), but does not mandate it.
Enforcement and Penalties
Who Enforces
Ministry of Science and Technology (MOST / Bo Khoa hoc va Cong nghe): Lead coordinator. Develops the high-risk list, oversees conformity assessments, manages the National AI Database, coordinates cross-ministerial enforcement (AI Law Art. 30).
Line ministries handle sector-specific enforcement: Ministry of Health (healthcare AI), Ministry of Education and Training (education AI), State Bank of Vietnam (financial AI), Ministry of Public Security (data protection), Ministry of Information and Communications (AI-generated content) (Decision 367/QD-TTg, March 3, 2026).
The Prime Minister can update the high-risk AI systems list in real-time without legislative amendment (Art. 13(4)).
Penalty Framework
| Violator | Maximum Fine | Notes |
|---|---|---|
| Organizations | VND 2 billion (~USD 75,800) | Standard administrative ceiling |
| Individuals | VND 1 billion (~USD 37,900) | Half the organizational maximum |
| Serious violations | Civil compensation per civil code (Art. 29) | Revenue-based fines were in the Nov 2025 draft but removed from the enacted law (MLex, Dec 11, 2025) |
Authorities can suspend non-compliant AI systems immediately (Herbert Smith Freehills, Dec 2025).
These numbers are low compared to the EU AI Act (up to EUR 35 million or 7% global turnover). But context matters: VND 2 billion is among the highest administrative fine ceilings in Vietnamese law. The November 2025 draft included revenue-based fines of up to 2% of annual revenue, but this provision was removed from the final enacted text (MLex, Dec 11, 2025). The implementing decree (Art. 29(5)) may introduce further penalty specifics (LNT Partners, July 2025).
No enforcement actions have occurred. The law took effect 23 days ago. The implementing decree with detailed penalty schedules has not been published.
The Data Localization Pincer: AI Law vs. PDPL
Here is the compliance risk that gets less attention but carries higher financial exposure.
Vietnam’s Personal Data Protection Law (PDPL, Law 91/2025/QH15), effective January 1, 2026, imposes revenue-based fines of up to 5% of prior year’s Vietnam revenue for cross-border data violations involving 5 million or more Vietnamese citizens’ data (LNT Partners, July 2025; Indochine Counsel, Jan 2026).
The PDPL’s revenue-based penalties (5%) far exceed the AI Law’s VND 2 billion flat cap. The AI Law’s revenue-based penalty was removed from the final enacted text.
Decree 356/2025/ND-CP, implementing the PDPL, explicitly identifies “sectors including AI, big data, metaverse, blockchain, and cloud computing” as subject to “distinct technical requirements and data protection” obligations (Indochine Counsel, Jan 2026). This creates a regulatory pincer: any AI system processing Vietnamese personal data must comply with both laws simultaneously.
For foreign AI providers using cloud-based infrastructure, the PDPL’s cross-border data transfer restrictions may be the bigger hurdle. AI training data derived from Vietnamese users’ personal data may be restricted from offshore processing. We recommend treating PDPL compliance as the priority for data-intensive AI systems. Layer AI Law compliance on top.
The Regulatory Sandbox (Thu nghiem co kiem soat)
Article 21 establishes controlled testing environments with partial or full exemptions from compliance requirements (AI Law Art. 21). Key features:
The sandbox does not exempt participants from Article 7 prohibited acts. If your AI system creates deceptive deepfakes, the sandbox will not save you.
Sandbox operational rules and detailed conditions are still pending as of March 2026. The broader Law on Digital Technology Industry (2025) also established sandbox mechanisms for digital innovation that may complement the AI-specific framework.
The Implementation Roadmap: Decision 367
On March 3, 2026, two days after the law took effect, Deputy Prime Minister Nguyen Chi Dung signed Decision 367/QD-TTg, the official implementation plan. It assigns seven task groups to ministries and localities:
1. Communication and training on the law — led by MOST with Ministry of Justice, Voice of Vietnam, Vietnam Television
2. Legal review — all ministries must identify and resolve conflicts with existing regulations
3. Drafting implementing decrees — MOST leads on the high-risk systems list, technical guidance, and classification criteria
4. National AI Strategy — MOST must issue and review every three years
5. Infrastructure development — one-stop AI portal, National AI Database, National AI Development Fund
6. Inspections and compliance monitoring — MOST leads
7. Coordination mechanism between ministries and localities
(DataGuidance, March 11, 2026; english.luatvietnam.vn, March 18, 2026)
What Has Been Issued (as of March 2026)
What Has NOT Been Issued
Transition Deadlines
| Deadline | Who | What |
|---|---|---|
| March 1, 2026 (now) | All parties | Prohibited acts apply immediately. New AI systems must comply from day one. |
| March 1, 2027 | Existing general-sector AI | 12-month transition. Full compliance with risk classification, documentation, and registration requirements. |
| September 1, 2027 | Healthcare, education, and finance AI | 18-month transition. These sectors get extra time due to sensitivity and complexity. |
The State Bank of Vietnam has already begun sector-specific work: it launched a public consultation on a draft circular for AI in banking in February 2026, covering chatbot notification, emotion recognition disclosure, and prohibition on exploiting customer weaknesses (DataGuidance, Feb 2026; Vietnam Law Magazine, Feb 2026).
How Vietnam Compares to the EU AI Act
The IAPP (Feb 2026) calls Vietnam’s law “a clear manifestation of the Brussels effect.” LNT Partners (Feb 2026) says it is “broadly similar to the approach taken under the EU AI Act” but “introduces several features that go a step further.” Here are the key divergences:
| Dimension | Vietnam | EU AI Act |
|---|---|---|
| Risk tiers | 3 (high, medium, low) | 4 (unacceptable, high, limited, minimal) |
| Articles | 35 (principle-based) | 113 + annexes (prescriptive) |
| Liability | Strict liability for deployers (Art. 29) | Product Liability Directive only; AILD withdrawn |
| Max fine | VND 2B (~$75.8K) flat cap. Revenue-based fines removed from enacted law | EUR 35M or 7% global turnover |
| High-risk list | PM decision, not yet published | Annex III, eight categories, published |
| Roles defined | 4 (developer, provider, deployer, user) | 2 main (provider, deployer) |
| Sovereignty chapter | Yes — entire Chapter III dedicated to national AI infrastructure | No equivalent |
| Drafting time | ~3 months | ~3 years |
Our view: Vietnam borrowed the EU’s risk-based architecture but built a lighter, more flexible law designed for fast iteration through government decrees. The strict liability provision goes further than the EU. The sovereignty chapter goes further than anyone. The penalty regime is far weaker in absolute terms. For a full comparison, see our upcoming Vietnam vs EU AI Act deep dive.
What Companies Should Do Now
The transition periods are not an invitation to wait. Vietnam’s enforcement track record shows selective but firm action. The country achieved a 94-97% compliance rate for content takedown requests from Meta, Google, and TikTok in 2024-2025 (RFA, Dec 2024; Asia Times, Oct 2025). In January 2026, Vietnam fined TikTok and Zalo a combined VND 1.69 billion for data consent violations (Business Times Singapore, Jan 2026). Foreign platforms are not immune.
Six steps for the next 12 months:
1. Inventory your AI systems operating in or serving the Vietnamese market. Map each to the four-role framework: are you a developer, provider, deployer, or user? The obligations differ per role.
2. Preliminary risk classification. Even without the final high-risk list, the three-tier structure is clear from Articles 9-15. Classify conservatively. Systems in healthcare, education, credit scoring, and law enforcement are likely candidates for the high-risk category based on the draft criteria (MLex, Feb 2026).
3. Appoint a local legal representative. If you are a foreign provider of AI systems in Vietnam, Article 14(6) requires a lawful contact point. Do not wait for the implementing decree to begin this process.
4. Audit data flows for PDPL compliance. This is the higher-stakes compliance challenge. Map all personal data flows involving Vietnamese users. Assess whether AI training data transfers constitute cross-border transfers under Decree 356/2025. The PDPL’s 5% revenue penalty far exceeds the AI Law’s VND 2 billion flat cap (revenue-based penalties were removed from the enacted AI Law).
5. Review Article 7 prohibited acts against current operations. These apply immediately. Deepfake labeling, human oversight mechanisms, and data collection practices should be checked against the six prohibitions now.
6. Monitor MOST publications. The high-risk list, conformity assessment procedures, and penalty schedules will likely arrive in mid-to-late 2026 based on the Decision 367 roadmap. Subscribe to monitoring from english.luatvietnam.vn, Digital Policy Alert, and Tilleke & Gibbins.
We recommend treating the March 2027 general deadline as a hard target. Vietnam’s enforcement style relies on pressure and market access leverage over formal legal proceedings. The consequences of non-compliance may not be a fine. They may be an inability to operate. For deeper compliance guidance, see our August 2026 deadline tracker and FRIA template guide for assessment methodology that applies to the Vietnamese context.
What to Watch
The law’s real shape will emerge from the implementing regulations. These are the milestones that matter:
Vietnam has built the legal foundation. The walls and roof come next. For practitioners operating in Southeast Asia, the question is no longer whether Vietnam will regulate AI. It did. The question is how aggressively it will enforce what it built.
*Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified Vietnamese legal counsel for jurisdiction-specific compliance guidance.*
*Last verified: March 26, 2026*