A Historic First for Southeast Asia
Vietnam's Law on Artificial Intelligence (Law No. 134/2025) is the first standalone, legally binding AI law in Southeast Asia. Passed by the National Assembly in 2025, it takes effect on 1 March 2026 and establishes comprehensive requirements for AI development, deployment, and management.
The law is significant not just for Vietnam but for the entire region — it signals a shift from voluntary guidelines to mandatory regulation and may influence other ASEAN countries developing their own AI laws.
Who Must Comply
The law applies to:
- Local organizations: Vietnamese companies developing or deploying AI systems
- Foreign organizations: Any entity whose AI systems impact users, markets, or national interests in Vietnam
- Foreign providers: Must appoint a local legal representative who coordinates compliance and serves as the point of contact for Vietnamese authorities
This extraterritorial reach means that any company serving Vietnamese users or operating AI systems that affect the Vietnamese market must comply — regardless of where the company is based.
Risk-Based Classification
Like the EU AI Act, Vietnam's law categorizes AI systems by risk level:
High-Risk AI
AI systems that pose significant risks to health, safety, security, or fundamental rights. Likely categories include:
- AI in healthcare and medical decisions
- AI in financial services and credit decisions
- AI in education and academic assessment
- AI in critical infrastructure
- AI used by government for decisions affecting individuals
Other Risk Levels
The law establishes graduated requirements based on the assessed risk level, with lower-risk systems facing lighter obligations.
Core Requirements
For High-Risk AI Systems
- Conformity assessments: High-risk AI systems must undergo assessments to verify compliance before deployment
- Registration: High-risk AI must be registered in the National AI Database
- Human oversight: Mechanisms must be in place for meaningful human oversight
- Incident reporting: AI safety incidents must be reported to authorities
- Continuous risk management: Ongoing monitoring and risk management throughout the AI lifecycle
- Documentation and logs: Detailed records of system design, testing, and operation
- Transparency: Clear information about AI system capabilities, limitations, and intended use
- Cooperation with authorities: Compliance with information requests and inspections
For Foreign Providers
Foreign companies deploying AI in Vietnam face additional requirements:
- Must appoint a local legal representative based in Vietnam
- The representative coordinates compliance activities
- Serves as the primary point of contact for Vietnamese authorities
- Responsible for ensuring the foreign provider meets local requirements
Transition Periods
The law provides graduated transition periods from the effective date of 1 March 2026:
| Sector | Transition Period |
|---|---|
| Healthcare, education, finance | 18 months (until September 2027) |
| Other AI systems | 12 months (until March 2027) |
During the transition period, companies should work toward full compliance while not yet subject to full enforcement.
Penalties
| Violation | Maximum Penalty |
|---|---|
| Organizations | Up to VND 2 billion (~USD 75,800) |
| Individuals | Up to VND 1 billion (~USD 37,900) |
| Serious violations by large organizations | Revenue-based fines |
Additional consequences may include:
- Suspension of AI system operation
- Mandatory corrective actions
- Revocation of licenses or registrations
Vietnam's Broader Digital Regulation Landscape
The AI Law sits within a broader regulatory framework:
Law on Data (effective July 2025)
- Governs data governance and critical data transfers
- Requires impact assessments for outbound data transfers
- Breach notification requirements
Law on Personal Data Protection (effective January 2026)
- Comprehensive personal data protection
- Applies to all AI systems processing personal data
- Complements the AI Law's data-related provisions
Law on Cybersecurity 2025 (effective July 2026)
- Consolidates existing cybersecurity laws
- Retains data localization requirements
- Specifies types of data that must be stored in Vietnam (account names, service usage, payment info, IP addresses)
Fintech Regulatory Sandbox (Decree No. 94/2025)
- Effective July 2025
- Controlled testing environment for fintech solutions
- Covers AI-powered credit scoring, automated lending
How to Comply
Now (Before March 2026)
- Inventory: Identify all AI systems that impact Vietnamese users or markets
- Risk assessment: Classify AI systems by risk level
- Local representative: If you are a foreign provider, begin the process of appointing a local legal representative
- Gap analysis: Compare current practices against the law's requirements
March 2026 — Effective Date
- Registration: Register high-risk AI systems in the National AI Database
- Documentation: Prepare conformity assessment documentation
- Monitoring: Implement ongoing risk management and monitoring
- Incident response: Establish AI incident detection and reporting procedures
Transition Period (12-18 months)
- Full compliance: Complete implementation of all requirements by the end of the transition period for your sector
- Ongoing monitoring: Continue monitoring regulatory guidance and implementation rules
Related Regulations
- EU AI Act: The primary model for Vietnam's risk-based approach
- Singapore PDPA & Model Framework: Complementary voluntary governance from a regional leader
- ASEAN AI Governance Guide: Regional framework that Vietnam's law aligns with
- Indonesia Perpres on AI: Indonesia's upcoming mandatory AI regulation takes a similar approach
Frequently Asked Questions
The law takes effect on 1 March 2026. However, transition periods of 12-18 months apply — 18 months for healthcare, education, and finance sectors (until September 2027), and 12 months for other AI systems (until March 2027). Companies should begin compliance preparations now.
Yes. The law applies to any organization whose AI systems impact users, markets, or national interests in Vietnam. Foreign providers must appoint a local legal representative based in Vietnam to coordinate compliance and serve as the point of contact for authorities.
Penalties include administrative fines of up to VND 2 billion (~USD 75,800) for organizations and VND 1 billion (~USD 37,900) for individuals. Serious violations by large organizations may face revenue-based fines. Additional consequences can include suspension of AI operations and mandatory corrective actions.
The AI Law itself focuses on AI governance, but Vietnam's broader regulatory framework includes data localization requirements. The Cybersecurity Law (effective July 2026) specifies types of data that must be stored in Vietnam. Companies should consider the combined impact of the AI Law, Data Law, Personal Data Protection Law, and Cybersecurity Law.
Vietnam's law is directly inspired by the EU AI Act and uses a similar risk-based classification approach. Both require conformity assessments, registration, and ongoing monitoring for high-risk AI. Key differences include Vietnam's requirement for foreign providers to appoint local representatives and the lower penalty caps (VND 2 billion vs EU's €35 million).
References
- Law on Artificial Intelligence (Law No. 134/2025). Vietnam National Assembly (2025)
- Vietnam's First Standalone AI Law: Key Provisions and Implications. IAPP (2025). View source
- Vietnam AI Law: Regulatory Milestone and Business Implications. Vietnam Briefing (2025). View source