Vietnam’s Law on Artificial Intelligence (No. 134/2025/QH15) took effect on March 1, 2026, but the 35-article framework deliberately leaves the hardest questions to implementing decrees that have not been published yet. Risk classification criteria, penalty schedules, conformity assessment procedures, sandbox rules — all deferred. Until these secondary instruments arrive, practitioners face a law that tells them what to do but not how.
This tracker monitors every implementing decree and subordinate regulation under the AI Law. We update it as documents move from draft to consultation to enactment. Bookmark this page if you are tracking Vietnam’s AI regulatory rollout.
How Does Vietnam’s AI Law Delegate to Implementing Decrees?
At least 15 provisions in the AI Law explicitly delegate operational details to the Government, the Prime Minister, or the Ministry of Science and Technology (MOST). The law is principle-based by design: 35 articles across 8 chapters establish the risk classification framework, prohibited activities, transparency requirements, and liability rules, but leave specifics to subordinate legislation. [Source: Law 134/2025/QH15, Articles 6(4), 8(4), 9(3), 10(7), 11(6), 12(5), 13(6), 19, 21, 29(5)]
On February 28, 2026, Deputy Prime Minister Nguyen Chi Dung signed Decision No. 367/QD-TTg, the official implementation plan. Published March 3, the Decision assigns seven task groups to ministries and provincial People’s Committees. MOST leads the drafting of implementing regulations, including the high-risk AI systems list and the main implementing decree. Source: Decision 367/QD-TTg; [DataGuidance, March 11, 2026]
This delegation pattern is standard in Vietnamese law-making. The Cybersecurity Law 2018 followed the same approach: its implementing decree (Decree 53) took four years to arrive, and its sanctions decree remains unfinished more than seven years later. Source: [Tilleke & Gibbins, Vietnam AI Law Overview, February 2026] Whether the AI Law’s subordinate legislation moves faster is an open question.
Which Implementing Decrees Have Been Issued?
One of the four tracked documents has been finalized. The remaining three are in various stages of consultation.
Status Table (as of March 26, 2026)
| # | Document | Lead | Status | Date/Expected | What It Covers |
|---|---|---|---|---|---|
| 1 | National AI Ethics Framework (Circular No. 05/2026/TT-BKHCN) | MOST (Minister) | ISSUED | Effective March 10, 2026 | Ethics principles for AI development and deployment; 3-year review cycle per Art. 26 |
| 2 | PM Decision: High-Risk AI Systems List | MOST to PM | Draft released; inter-ministerial consultation | Draft: Feb 4, 2026. Final: mid-2026 (est.) | 5 criteria groups for high-risk classification; 3 mandatory certification groups |
| 3 | Implementing Decree (guiding AI Law implementation) | MOST / Government | Under consultation | Mid-to-late 2026 (est.) | Penalty schedules, conformity assessment procedures, classification criteria, notification requirements, sandbox operational rules |
| 4 | PM Decision: Datasets for Essential Fields | MOST to PM | Under consultation | 2026 (est.) | Art. 17 list of datasets for AI development in priority sectors |
[Source: OneTrust, March 13, 2026; VietnamPlus, March 13, 2026 (ethics circular); MLex, February 4, 2026 (high-risk list draft)]
What We Know About the High-Risk List
MOST released a draft list for public consultation on February 4, 2026. It defines five groups of criteria for classifying AI systems as high-risk and three groups of systems requiring mandatory conformity certification before deployment. On March 3, MOST issued Official Letter 1101/BKHCN-CNS&CDS requesting all ministries and localities to propose specific AI systems for inclusion using standardized forms. [Source: MLex, February 4, 2026; baomoi.com / Voice of Vietnam, March 4, 2026]
The final list has not been signed. Inter-ministerial consultation is ongoing, with each ministry proposing systems from its sector. Until the list is finalized, providers cannot definitively classify their systems under the three-tier framework established in Article 9.
What We Know About the Implementing Decree
The main implementing decree is the most consequential document in this tracker. It will contain the operational rules that turn the AI Law’s principles into enforceable requirements. Based on available reporting and the law’s delegation provisions, the decree is expected to cover at minimum:
- Detailed penalty schedules beyond the VND 2 billion organizational cap (Art. 29(5))
- Conformity assessment procedures for high-risk systems (Art. 13(6))
- Risk classification criteria that expand on Art. 9’s three-tier framework (Art. 9(3))
- Notification content and format for risk classification reports to MOST (Art. 10(7))
- AI content labeling rules including watermark and metadata specifications (Art. 11(6))
- Incident reporting thresholds and procedures (Art. 12(5))
- Sandbox operational rules for the regulatory testing environment (Art. 21)
- Classify your AI systems provisionally. Article 10 requires provider self-classification. The three-tier framework (high, medium, low risk) in Article 9 provides enough structure for a preliminary assessment, even without the PM’s high-risk list. For a detailed breakdown, see our Vietnam AI Risk Classification guide.
- Review prohibited activities immediately. Article 7’s six categories of prohibited acts have been enforceable since March 1, 2026 with no transition period. Audit your AI systems against each category. For the full list, see our Vietnam AI Law guide.
- Prepare documentation frameworks. Article 14 requires technical documentation and operational logs for high-risk systems. Start building these workflows now. The implementing decree will specify formats, but the substance is clear from the law.
- Appoint a local legal representative if you are a foreign provider serving the Vietnamese market (Art. 14(6)). This obligation is in the law itself, not delegated to a decree.
- Monitor this tracker. We update this page as implementing documents progress. Subscribe to our newsletter for updates.
- Final risk classification of specific systems — depends on the PM’s high-risk list
- Conformity assessment submission — depends on procedures in the implementing decree
- Registration in the National AI Database — the portal is not yet operational
- Sandbox applications — operational rules have not been issued
- March 1, 2027: All AI systems in non-sensitive sectors must be fully compliant (12 months from law’s effective date).
- September 1, 2027: AI systems in healthcare, education, and finance must be fully compliant (18 months).
- Law on Artificial Intelligence (No. 134/2025/QH15) — Last accessed: March 22, 2026
- Decision No. 367/QD-TTg (February 28, 2026) — Implementation plan for AI Law
- MOST Official Letter 1101/BKHCN-CNS&CDS (March 3, 2026)
- Circular No. 05/2026/TT-BKHCN — National AI Ethics Framework — Effective March 10, 2026
- OneTrust, “Vietnam AI Law Explained” (March 13, 2026)
- DataGuidance, “Vietnam: Government Issues Plan for Implementation” (March 11, 2026)
- english.luatvietnam.vn, “Decision 367 Tasks and AI Strategy” (March 18, 2026)
- MLex, “Vietnam Passes First AI Law, Removes Revenue-Based Penalties” (December 11, 2025)
- Baker McKenzie, “Vietnam: AI Law — Foundation and Outlook” (February 2026)
- Tilleke & Gibbins, “Vietnam AI Law Overview” (February 2026)
- Vietnam Law Magazine, “Central Bank Moves to Tighten AI Use in Banking” (February 21, 2026)
[Source: Law 134/2025/QH15, delegation provisions; OneTrust, March 13, 2026]
A note on penalties: The November 2025 draft of the AI Law included revenue-based fines of up to 2% of annual revenue for serious violations. The final enacted law removed this provision, retaining only the VND 2 billion (~USD 75,800) flat cap for organizational administrative penalties plus civil compensation liability under the civil code (Art. 29). Whether the implementing decree reintroduces revenue-based penalties is unknown. [Source: MLex, December 11, 2025]
Which Key Definitions Are Still Pending?
Beyond the four tracked documents, at least eleven additional regulations are required by specific articles of the AI Law. None have been published.
| Regulation | Required By | What Practitioners Need It For | Status (Mar 2026) |
|---|---|---|---|
| Risk classification criteria | Art. 9(3) | Self-classification of AI systems | Not published |
| Conformity assessment procedures | Art. 13(6) | Pre-market assessment for high-risk systems | Not published |
| Administrative penalty schedule | Art. 29(5) | Knowing specific fine amounts by violation type | Not published |
| Notification content requirements | Art. 10(7) | What to report to MOST after classification | Not published |
| AI content labeling forms | Art. 11(6) | How to label AI-generated content | Not published |
| Incident reporting rules | Art. 12(5) | When and how to report AI incidents | Not published |
| Sector safety requirements | Art. 6(4) | Healthcare, education, and finance-specific rules | Not published |
| One-stop portal rules | Art. 8(4) | How the National AI Database will work | Not published |
| Sandbox operational rules | Art. 21 | How to apply for regulatory sandbox testing | Not published |
| National AI Strategy update | Art. 19 | Strategic direction for AI development | Unclear |
| SBV circular on AI in banking | SBV authority | Banking-specific AI requirements | Draft in consultation (Feb 2026) |
[Source: Law 134/2025/QH15, specific articles listed; DataGuidance, March 11, 2026; Vietnam Law Magazine, February 21, 2026 (SBV circular)]
The State Bank of Vietnam (SBV) is ahead of other sector regulators. Its draft circular on AI in banking, released for consultation in February 2026, would require banks and e-wallet providers to notify customers before AI interactions, prohibit AI exploitation of customer vulnerabilities, and mandate human oversight for banking AI systems. This is the first sector-specific AI regulation from a Vietnamese financial regulator. [Source: DataGuidance, February 16, 2026; Vietnam Law Magazine, February 21, 2026]
When Are the Remaining Decrees Expected?
No official deadlines have been published for any implementing decree. Decision 367/QD-TTg assigns tasks and responsible ministries but does not set completion dates. Based on the consultation stage of each document and Vietnam’s legislative patterns, here is what we expect:
Mid-2026: PM Decision on the High-Risk AI Systems List. This is the most advanced document — the draft has been circulated and inter-ministerial input is being collected. The final list is the single most important document for compliance planning because it determines which systems face mandatory pre-market assessment.
Mid-to-late 2026: Main implementing decree. This is complex legislation that must align with the high-risk list and address multiple operational areas simultaneously. Rushing it would create inconsistencies with the list and the law.
2026 (no further precision): Datasets for Essential Fields decision; one-stop portal rules; National AI Strategy update.
Unknown: Sector-specific safety requirements from line ministries. These depend on the main implementing decree establishing the general framework first.
These are estimates, not commitments. Vietnam’s Cybersecurity Law 2018 offers a cautionary reference point: its implementing decree took until 2022. The AI Law’s shorter transition periods (12-18 months vs. effectively open-ended for cybersecurity) create pressure for faster action, but no guarantee. [Source: Tilleke & Gibbins, February 2026; OneTrust, March 13, 2026]
What Does This Mean for Compliance Planning?
The gap between the law’s effective date and the implementing regulations creates a specific compliance challenge: certain obligations are already enforceable, while others cannot be fulfilled because the rules do not exist yet.
What you can do now
What you must wait for
Key deadlines
The transition periods are set in statute and do not depend on implementing decrees:
[Source: Law 134/2025/QH15, Art. 35]
For a side-by-side comparison of how Vietnam’s regulatory approach differs from the EU AI Act, see our Vietnam vs EU AI Act comparison. For sector-specific rules beyond the general framework, see our Vietnam AI Sandbox and Sector Rules guide.
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific guidance.
Last verified: March 26, 2026
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific guidance.
Last verified: March 26, 2026