Vietnam’s Law on Artificial Intelligence (No. 134/2025/QH15) is the second major risk-based AI law in the world, after the EU AI Act (Regulation (EU) 2024/1689). Both classify AI systems by risk level and impose escalating obligations. Both require transparency for AI-generated content. Both assert extraterritorial reach. The IAPP describes Vietnam’s law as “a clear manifestation of the Brussels effect.” But the two frameworks diverge in enforcement power, liability structure, and regulatory philosophy in ways that matter for anyone operating AI systems in both jurisdictions.
This comparison covers every major dimension. If you need to build a dual compliance strategy, start here.
Why Does This Comparison Matter?
Organizations deploying AI systems across Asia and Europe face both frameworks simultaneously. Vietnam’s AI Law took effect March 1, 2026. The EU AI Act’s high-risk provisions apply from August 2, 2026. A company selling an AI diagnostic tool in both Hanoi and Berlin must comply with both. Where the two laws align, dual compliance is easier. Where they diverge, you need separate strategies.
The comparison matters for a second reason: Vietnam’s law was drafted in roughly three months (August to December 2025), drawing explicitly on the EU’s three-year legislative process. Understanding where Vietnam adopted, adapted, or rejected the EU approach reveals the choices behind Southeast Asia’s first binding AI law.
How Do the Risk Classification Systems Compare?
Vietnam uses three tiers. The EU uses four categories. The structural difference is not just a number. It reflects a different approach to prohibited practices.
| Dimension | Vietnam AI Law | EU AI Act |
|---|---|---|
| Risk levels | 3: High, Medium, Low (Art. 9) | 4: Unacceptable, High, Limited, Minimal (Art. 5-6, Annex III) |
| Prohibited practices | Separate from risk tiers — Art. 7 lists 6 banned categories | Integrated as “unacceptable risk” — Art. 5 lists 8 banned practices |
| Who defines high-risk | PM decision (deferred — draft released Feb 4, 2026, not finalized) | Listed in statute — Annex III specifies 8 areas with specific use cases |
| Classification method | Provider self-classification; can request MOST guidance if uncertain (Art. 10) | Provider self-assessment against Annex III criteria; notified bodies for biometrics |
| Medium/limited risk focus | “Confusion, influence, or manipulation” of users (Art. 9) | Transparency obligations for AI interacting with persons (Art. 50) |
[Source: Law 134/2025/QH15, Art. 7, 9-10; Regulation (EU) 2024/1689, Art. 5-6, Annex III]
Vietnam’s approach gives the executive branch more flexibility. The Prime Minister can update the high-risk list without legislative amendment. The EU embedded its high-risk categories in Annex III, requiring a formal delegated act to change them. For practitioners, this means Vietnam’s classification landscape is less predictable today but potentially more responsive to new technology.
Vietnam’s medium-risk tier maps roughly to the EU’s “limited risk” category, with both focusing on transparency when AI interacts with people. Vietnam’s low-risk tier corresponds to the EU’s minimal risk, with a light touch in both frameworks.
How Do Scope and Definitions Differ?
Both laws apply to foreign entities. Both require a local representative for foreign providers.
| Dimension | Vietnam | EU |
|---|---|---|
| Territorial reach | Domestic and foreign entities engaged in AI activities in Vietnam (Art. 2) | Providers placing AI on EU market + deployers within EU, regardless of location (Art. 2) |
| Foreign provider obligation | Appoint “lawful contact point in Vietnam” (Art. 14(6)) | Appoint authorized representative in EU (Art. 22) |
| Exclusions | AI solely for national defense, security, cryptographic purposes (Art. 1) | Military/defense; research before market placement; open-source with conditions (Art. 2) |
| AI system definition | “Machine-based system designed to perform AI capabilities with varying degrees of autonomy, capable of self-adaptation” (Art. 3(2)) | “Machine-based system that is designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment” (Art. 3(1)) |
| Roles defined | 4: Developer, Provider, Deployer, User (Art. 3) | 2 primary (Provider, Deployer) + 3 supply chain (Importer, Distributor, Authorized Representative) (Art. 3) |
[Source: Law 134/2025/QH15, Art. 1-3; Regulation (EU) 2024/1689, Art. 2-3]
Vietnam’s exclusion for national defense AI is narrower than the EU’s research exclusion. The EU excludes AI systems “exclusively for research and development purposes before being placed on the market.” Vietnam has no equivalent carve-out. Vietnam’s AI definition closely mirrors the OECD’s, as does the EU’s. The practical overlap is near-total.
The role structure is where the frameworks diverge most for corporate compliance. Vietnam defines four distinct roles in the AI value chain. The EU has two primary obligation-bearing roles (provider and deployer) plus three supply chain roles (importer, distributor, authorized representative). An organization that develops and deploys AI in Vietnam must track obligations across both the “developer” and “deployer” roles separately, obligations that the EU consolidates under a single “provider” role.
How Do Enforcement and Penalties Compare?
The penalty gap between the two frameworks is substantial, and wider than many English-language analyses report.
| Dimension | Vietnam | EU |
|---|---|---|
| Maximum administrative fine (organizations) | VND 2 billion (~USD 75,800) flat cap | EUR 35 million or 7% global annual turnover (whichever higher) — for prohibited AI practices |
| Tiered penalties | Single cap (Art. 29). Implementing decree may add further tiers. | Three tiers: EUR 35M/7% (prohibited); EUR 15M/3% (high-risk violations); EUR 7.5M/1% (incorrect information) |
| Revenue-based penalties | Removed from enacted law. The November 2025 draft included 2% of revenue for serious violations; the December 10 final text replaced this with civil code compensation. | Yes — percentage of global turnover is the primary enforcement lever |
| Primary enforcement body | MOST (lead) + sector ministries | National competent authorities per member state + EU AI Office for GPAI |
| Suspension power | Authorities can suspend non-compliant systems immediately | Market surveillance authorities can withdraw or restrict non-compliant systems |
[Source: Law 134/2025/QH15, Art. 29; MLex, December 11, 2025 (revenue penalty removal); Regulation (EU) 2024/1689, Art. 99]
The VND 2 billion cap (~USD 75,800) is a fraction of the EU’s EUR 35 million ceiling. For a multinational with USD 1 billion in global revenue, the EU’s 7% turnover penalty represents a theoretical maximum of USD 70 million. Vietnam’s flat cap of USD 75,800 is rounding error by comparison. However, Vietnam’s Personal Data Protection Law (Law 91/2025) imposes fines up to 5% of Vietnam revenue for cross-border data transfer violations, creating a separate, steeper penalty track for data-intensive AI systems.
Does Either Law Have Extraterritorial Reach?
Both laws apply to foreign entities, but through different mechanisms.
Vietnam requires foreign AI providers to appoint a “lawful contact point in Vietnam” (Art. 14(6)) — functionally equivalent to the EU’s authorized representative requirement (Art. 22). Both laws can therefore reach companies headquartered anywhere in the world if they serve the domestic market.
The practical difference is enforcement capacity. The EU has 27 national competent authorities plus the EU AI Office, backed by decades of cross-border enforcement experience through GDPR. Vietnam’s enforcement infrastructure is still being built. MOST issued its implementation plan in March 2026, and the inspection machinery described in Decision 367/QD-TTg is in its early stages.
How Do the Regulatory Sandboxes Compare?
Both frameworks include regulatory sandbox provisions, but at different levels of development.
| Dimension | Vietnam | EU |
|---|---|---|
| Legal basis | Art. 21 — “controlled testing environment” | Art. 53-54 — “AI regulatory sandboxes” |
| Status | Not operational. Sandbox rules deferred to implementing decree. | Member states required to establish at least one sandbox by August 2, 2026 |
| Who operates | Government (details pending) | National competent authorities |
| Participation | “Startups can test high-risk products under controlled conditions” | Open to providers and prospective providers; priority access for SMEs |
| Safeguards | Pending | Art. 54 specifies personal data processing rules, exit criteria, and liability allocation |
[Source: Law 134/2025/QH15, Art. 21; Regulation (EU) 2024/1689, Art. 53-54]
The EU’s sandbox provisions are more detailed because they are further along. Spain launched the first EU AI regulatory sandbox in 2022, before the AI Act was even enacted. Vietnam’s sandbox is a statutory placeholder: the mechanism exists in law but cannot be used until the implementing decree establishes the operational rules. For the latest on Vietnam’s sandbox status, see our Vietnam AI Sandbox and Sector Rules guide.
How Do Transparency and GPAI Requirements Compare?
Both frameworks address AI-generated content and general-purpose AI models, but with different levels of specificity.
Vietnam requires AI systems interacting with humans to be “designed for users to recognize” the AI interaction (Art. 11(1)). AI-generated audio, images, and video must be marked in machine-readable format (Art. 11(2)). Content simulating real persons must carry “easily recognizable marks” (Art. 11(4)). The EU’s Article 50 imposes similar requirements: AI systems interacting with persons must disclose the AI nature, deepfakes must be labeled, and AI-generated text published to inform on matters of public interest must be disclosed.
Vietnam is the only jurisdiction requiring both machine-readable marks and human-readable labels in the primary law. The EU achieves a similar result through the interplay of the AI Act and the Digital Services Act’s algorithmic transparency provisions (DSA Art. 27).
On general-purpose AI (GPAI), the EU is significantly more developed. Chapter V of the EU AI Act creates a dedicated GPAI framework with two tiers: all GPAI models face transparency and documentation obligations, while models with “systemic risk” (trained with compute exceeding 10^25 FLOPs) face additional requirements including adversarial testing and incident reporting. The EU AI Office oversees GPAI compliance directly. [Source: Regulation (EU) 2024/1689, Art. 51-56]
Vietnam’s law addresses powerful AI models under its general framework. Article 6 applies risk management principles to all sectors. There is no GPAI-specific chapter and no compute threshold. Powerful models must meet transparency, safety, and IP standards, but the detailed obligations will be defined in the implementing decree rather than in the law itself.
How Do Ethics and Governance Structures Compare?
Vietnam has moved faster on ethics. MOST issued Circular No. 05/2026/TT-BKHCN establishing a National AI Ethics Framework, effective March 10, 2026 — less than ten days after the law took effect. The circular operationalizes the four principles in Article 4: human-centered development, human primacy over AI, fairness and non-discrimination, and sustainable development. It includes a mandatory three-year review cycle (Art. 26). [Source: MIC Vietnam, March 2026; VietnamPlus, March 13, 2026]
The EU took a different path. Rather than a standalone ethics instrument, the AI Act builds ethics into its regulatory structure: the prohibited practices in Article 5, the FRIA requirement in Article 27, and the codes of practice for GPAI models in Article 56. The European AI Office coordinates governance, with each member state designating national competent authorities. Voluntary ethics guidelines exist through the High-Level Expert Group on AI (2019), but these are not legally binding.
Vietnam also positions the state as a direct actor in AI development. Article 5(4) prioritizes state investment in data and computing infrastructure. The National AI Development Fund (2026-2027) and the target of reaching “top 3 in ASEAN for AI R&D” by 2030 give the government a developmental role absent from the EU framework, which is primarily regulatory.
Where Does Dual Compliance Get Easier?
Several areas of overlap reduce the dual compliance burden for organizations operating in both jurisdictions.
Risk assessment framework. Both laws use risk classification with similar underlying logic: assess the potential impact on human rights, safety, and public interests. An organization that has completed an EU AI Act risk assessment for a high-risk system has done most of the analytical work Vietnam will require. The three-tier and four-category structures differ in labeling, but the assessment methodology — mapping AI use cases to potential harms, evaluating severity, assigning risk levels — transfers directly.
Transparency requirements. Both require disclosure when AI interacts with humans and labeling of AI-generated content. Vietnam’s Article 11 and the EU’s Article 50 cover the same core scenarios: chatbot disclosure, deepfake labeling, and content identification. A single transparency policy can satisfy both frameworks with minor jurisdiction-specific adjustments to labeling formats and notification language.
Documentation and logging. Both require technical documentation and operational logs for high-risk systems. EU-compliant documentation (following the specifications in Annex IV of the AI Act) will likely satisfy Vietnam’s requirements, which are less prescriptive at this stage. The reverse may not hold — EU Annex IV specifies 15 documentation elements in detail, while Vietnam’s Article 14(1)(c) establishes the principle without the same granularity. If you build to the EU standard, you are likely covered in Vietnam.
Human oversight. Both mandate human oversight mechanisms for high-risk AI. Vietnam’s Article 14(1)(d) requires systems to be “designed ensuring human monitoring and intervention capability.” The EU’s Article 14 requires similar measures with additional specificity around override mechanisms, ability to intervene in real-time, and the competence requirements for human overseers. Again, building to EU specifications meets Vietnam’s principles.
Conformity assessment. Both require pre-market conformity assessment for high-risk AI systems. Vietnam’s Article 13 and the EU’s Article 43 establish the same gate: high-risk systems must demonstrate compliance before reaching the market. The EU specifies two assessment routes (internal control vs. third-party, depending on use case). Vietnam’s implementing decree will define its process — but the concept is identical.
Where Do You Need Separate Strategies?
Five areas require distinct compliance approaches for each jurisdiction.
1. Liability model. This is the most significant divergence. Vietnam’s Article 29(2) establishes strict liability for civil compensation: even if a high-risk AI system is operated in compliance with regulations and still causes damage, the deployer bears compensation responsibility. Exemptions apply only for the injured party’s intentional fault or force majeure (Art. 29(3)). The EU has no equivalent. The AI Liability Directive was withdrawn in February 2025. EU liability currently relies on the Product Liability Directive recast (covering manufacturers, not deployers, with a December 2026 transposition deadline) and national tort law (generally fault-based). A company deploying the same AI system in both jurisdictions faces no-fault civil liability in Vietnam and fault-based liability in most EU member states. [Source: Law 134/2025/QH15, Art. 29; Commission withdrawal COM(2025) 45, 11 February 2025]
2. Penalty planning. Vietnam’s VND 2 billion flat cap and the EU’s percentage-of-turnover model require different risk calculations. In Vietnam, the greater financial exposure comes from the PDPL (5% of revenue for data violations), not the AI Law itself.
3. Classification approach. Until Vietnam publishes its high-risk list, providers cannot use a definitive classification framework. In the EU, Annex III provides a concrete list. Provisional self-classification in Vietnam requires more judgment and less certainty.
4. Role-based obligations. Vietnam’s four-role system (developer, provider, deployer, user) creates different obligation boundaries than the EU’s three-role system. A vertically integrated company that develops and deploys AI must map obligations to two roles in Vietnam where one role covers them in the EU.
5. National security provisions. Vietnam’s prohibited practices include explicit national security and digital sovereignty provisions absent from the EU framework. Content that “threatens national security, social order, and safety” (Art. 7(2)(d)) has no EU equivalent. Organizations producing AI-generated content for the Vietnamese market must account for these provisions.
What Happens Next?
Both frameworks are incomplete. Vietnam is waiting for its implementing decrees, high-risk list, and penalty schedules. The EU is waiting for the August 2026 high-risk application date, codes of practice for GPAI models, and national transposition of the Product Liability Directive (December 2026).
For practitioners managing dual compliance, three developments are worth watching:
Vietnam’s implementing decree will determine whether the frameworks converge or diverge further. If the decree adopts conformity assessment procedures similar to the EU’s, dual compliance becomes simpler. If it creates a distinctly Vietnamese process, the compliance cost doubles.
The EU’s GPAI Code of Practice (published July 2025, voluntary but influential) sets the current standard for foundation model governance. Vietnam has no equivalent framework. Companies operating powerful models in both jurisdictions should assess whether EU GPAI compliance satisfies Vietnam’s general AI transparency provisions. [Source: Regulation (EU) 2024/1689, Art. 55-56; GPAI Code of Practice, July 10, 2025]
Vietnam’s high-risk list will reveal whether Vietnam follows the EU’s Annex III categories closely or charts a different path reflecting Southeast Asian priorities. Early signals from the February 4 draft suggest significant overlap in healthcare, finance, and law enforcement — but Vietnam’s emphasis on “national security” and “digital sovereignty” may produce categories without EU equivalents.
For our full analysis of Vietnam’s AI Law, start with the Vietnam AI Law: Complete Guide. For the EU side, see our EU AI Act explainer. To track Vietnam’s implementing regulations, see the Vietnam Implementing Decrees Tracker. For Vietnam’s risk classification specifically, see Vietnam AI Risk Classification: The Three-Tier System.
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific guidance.
Last verified: March 26, 2026
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific guidance.
Last verified: March 26, 2026