Vietnam AI Law (Law No. 134/2025): Southeast Asia's First Binding AI Regulation

A Historic First for Southeast Asia

For years, AI governance across Southeast Asia has relied on voluntary frameworks and non-binding guidelines. Vietnam has broken that pattern. With the passage of Law No. 134/2025, the country's National Assembly enacted the region's first standalone, legally binding AI statute. The law takes effect on 1 March 2026 and creates a comprehensive regulatory architecture governing how AI systems are developed, deployed, and managed within the country's borders and beyond.

The implications extend well past Vietnam. For multinational companies operating across ASEAN, this law represents a bellwether. It signals that the era of self-regulation is closing, and it will almost certainly accelerate similar legislative efforts in neighboring jurisdictions.

Who Must Comply

The law's reach is deliberately broad. Vietnamese companies developing or deploying AI systems fall squarely within scope, as expected. What demands closer attention from regional leadership teams is the law's extraterritorial dimension: any foreign organization whose AI systems impact users, markets, or national interests in Vietnam must also comply. This holds regardless of where the organization is incorporated or where its servers are located.

For foreign providers, the compliance burden carries a structural requirement. Each must appoint a local legal representative based in Vietnam who coordinates compliance activities and serves as the primary point of contact for Vietnamese authorities. This is not an optional advisory role. The representative bears responsibility for ensuring the foreign provider meets every local obligation the law imposes.

Risk-Based Classification

Vietnam's regulatory architects drew heavily from the European Union's AI Act, adopting a tiered, risk-based classification system. The framework calibrates regulatory obligations to the potential harm an AI system can cause, concentrating the heaviest requirements on the highest-risk applications.

High-Risk AI

AI systems classified as high-risk are those posing significant threats to health, safety, security, or fundamental rights. While implementing regulations will define the exact boundaries, the law's text and legislative intent point toward several likely categories: AI used in healthcare and medical decision-making, financial services and credit determinations, education and academic assessment, critical infrastructure operations, and government decisions that directly affect individuals.

Other Risk Levels

Systems assessed at lower risk levels face correspondingly lighter obligations. The graduated structure is designed to avoid imposing disproportionate compliance costs on applications that present minimal societal risk, while maintaining baseline transparency and accountability standards across the board.

Core Requirements

For High-Risk AI Systems

The obligations attached to high-risk AI systems are substantial and span the entire system lifecycle. Before deployment, each high-risk system must undergo a conformity assessment verifying compliance with the law's standards. Every qualifying system must be registered in the National AI Database, creating a centralized record that Vietnamese authorities can reference for oversight and enforcement.

Operationally, organizations must build meaningful human oversight mechanisms into their high-risk AI workflows. When AI safety incidents occur, they must be reported to the relevant authorities. The law mandates continuous risk management, requiring ongoing monitoring rather than a one-time compliance check at launch. Organizations must maintain detailed documentation and logs covering system design, testing, and operation. They must also provide clear, accessible information about each AI system's capabilities, limitations, and intended use. Finally, organizations are expected to cooperate fully with authorities on information requests and inspections.

For Foreign Providers

Beyond the general requirements, foreign companies deploying AI in Vietnam face the additional obligation of appointing a local legal representative who is physically based in the country. This representative is not a passive intermediary. They actively coordinate compliance, respond to regulatory inquiries, and bear accountability for ensuring the foreign provider satisfies Vietnamese law.

Transition Periods

The law provides graduated transition windows measured from the 1 March 2026 effective date. Organizations operating AI systems in healthcare, education, and finance receive 18 months to reach full compliance, extending their deadline to September 2027. All other AI systems face a 12-month transition period, with full compliance required by March 2027.

These windows are not grace periods for inaction. Companies should use them to systematically close compliance gaps, build internal processes, and prepare documentation, all while recognizing that enforcement capacity will ramp up as the deadlines approach.

Penalties

The enforcement regime carries real financial weight. Organizations face fines of up to VND 2 billion (approximately USD 75,800) per violation. Individuals can be fined up to VND 1 billion (approximately USD 37,900). For serious violations by large organizations, the law introduces revenue-based fines, a mechanism that scales penalties to the offender's size and ensures that fixed-amount caps do not become a manageable cost of doing business for major players.

Financial penalties are not the only risk. Authorities can order the suspension of an AI system's operation, mandate corrective actions, or revoke licenses and registrations. For companies that depend on AI-driven products to serve the Vietnamese market, an operational suspension could prove far more costly than any fine.

Vietnam's Broader Digital Regulation Landscape

Law 134/2025 does not exist in isolation. It is one pillar of an increasingly interconnected digital regulatory framework that companies must navigate holistically.

Law on Data (effective July 2025)

Vietnam's data governance statute establishes rules around critical data transfers and requires organizations to conduct impact assessments before moving data out of the country. It also imposes breach notification requirements that apply to any data processed by AI systems.

Law on Personal Data Protection (effective January 2026)

This comprehensive personal data protection statute applies to every AI system that processes personal data. Its requirements complement and overlap with the AI Law's own data-related provisions, creating a layered compliance obligation that demands coordinated attention.

Law on Cybersecurity 2025 (effective July 2026)

The consolidated cybersecurity law retains Vietnam's data localization requirements and specifies the categories of data that must be stored within the country, including account names, service usage records, payment information, and IP addresses. For AI systems that ingest or generate these data types, localization obligations will shape infrastructure decisions.

Fintech Regulatory Sandbox (Decree No. 94/2025)

Effective July 2025, this decree creates a controlled testing environment for fintech solutions, including AI-powered credit scoring and automated lending platforms. Companies exploring these applications can use the sandbox to validate compliance approaches before full-scale deployment.

How to Comply

Now (Before March 2026)

The compliance journey should begin with a thorough inventory of every AI system that impacts Vietnamese users or markets. Many organizations underestimate the breadth of their exposure, particularly when AI capabilities are embedded in products or services that were not originally designed for the Vietnamese market but have since found users there.

Next, each identified system needs a risk classification aligned with the law's tiered framework. Foreign providers should begin the process of appointing a local legal representative immediately, as finding, vetting, and formalizing this relationship takes time. Finally, a gap analysis comparing current practices against the law's specific requirements will reveal where the most significant compliance work lies.

March 2026: Effective Date

Once the law takes effect, organizations must register all high-risk AI systems in the National AI Database and prepare the documentation required for conformity assessments. Ongoing risk management and monitoring processes should be operational, and incident detection and reporting procedures must be in place and tested.

Transition Period (12 to 18 months)

The transition period is the window for completing full implementation of every requirement applicable to your sector. It is also the time to monitor closely for supplementary regulatory guidance and implementing rules that Vietnamese authorities are expected to issue as they build out the enforcement infrastructure.

Related Regulations

Vietnam's approach sits within a broader global trend toward mandatory AI governance. The EU AI Act served as the primary model for Vietnam's risk-based classification system. Singapore's PDPA and Model AI Governance Framework offer a complementary, though still largely voluntary, perspective from a regional leader in AI governance. The ASEAN Guide on AI Governance and Ethics provides the regional framework with which Vietnam's law is broadly aligned. And Indonesia's Perpres on AI signals that Vietnam will not remain the only ASEAN member with binding AI regulation for long.