Vietnam is rapidly emerging as a technology hub in Southeast Asia, with artificial intelligence playing an increasingly central role in its digital transformation strategy. As AI adoption accelerates across industries, Vietnam's regulatory framework is evolving to address data protection, cybersecurity, and AI-specific governance concerns.
This comprehensive guide examines Vietnam's current AI regulatory landscape, upcoming legislative developments, and practical compliance strategies for businesses operating in or with the Vietnamese market.
Current Regulatory Landscape
Personal Data Protection Decree 13/2023/ND-CP
Vietnam's most significant data protection regulation, Decree 13/2023/ND-CP on Personal Data Protection, came into effect on July 1, 2023. While not AI-specific, this decree establishes fundamental principles that directly impact AI systems processing personal data.
The decree imposes several provisions that bear directly on AI deployments. AI systems must obtain explicit consent before processing personal data, with heightened requirements for sensitive data categories. Organizations are bound by data minimization principles, limiting collection to what is necessary and relevant for specified purposes. The decree also creates transparency obligations, requiring data controllers to clearly inform individuals about automated processing and profiling activities. For organizations operating across borders, cross-border transfer restrictions impose stringent requirements for moving personal data outside Vietnam, demanding adequacy assessments or contractual safeguards. Individuals retain robust data subject rights, including access, rectification, erasure, and the right to object to automated decision-making.
For machine learning systems specifically, Decree 13 requires organizations to document the legal basis for data processing in training datasets and implement technical measures to prevent unauthorized access during model training. Organizations must also establish retention policies for training data and model outputs, and provide mechanisms for individuals to object to AI-driven decisions affecting them.
Cybersecurity Law 2018
The Law on Cybersecurity (No. 24/2018/QH14) establishes broad security requirements for technology providers operating in Vietnam. The law mandates data localization for certain data categories, requiring storage on servers within Vietnam. Technology companies must cooperate with authorities on content monitoring, and the law imposes mandatory incident reporting within 24 hours of any cybersecurity breach. Foreign technology providers may face additional scrutiny, as the law allows authorities to require demonstrations of compliance with Vietnamese standards through technology assessments.
For AI systems, these requirements translate into robust security controls spanning model training infrastructure, API endpoints and data transmission channels, third-party integrations and cloud services, and adversarial attack prevention measures.
Decree 85/2016/ND-CP on Information Security
This decree mandates information security measures for network operators and service providers. Organizations must conduct risk assessments for information systems and implement security standards equivalent to ISO 27001. The decree further requires regular security audits and penetration testing, along with documented incident response procedures. AI systems processing sensitive information must demonstrate compliance through documented security practices and regular assessments.
Emerging AI-Specific Regulations
Draft AI Development and Application Strategy
Vietnam's Ministry of Science and Technology is developing a comprehensive National Strategy on AI Development and Application to 2030. The strategy rests on five regulatory pillars. First, an AI Ethics Framework would establish principles of transparency, fairness, accountability, and human oversight. Second, sector-specific guidelines would introduce tailored requirements for healthcare, finance, education, and transportation. Third, a high-risk AI classification system would impose special requirements for systems affecting fundamental rights or safety. Fourth, mandatory AI impact assessments would be required for high-risk applications before deployment. Fifth, algorithmic transparency requirements would compel organizations to explain AI decision-making processes to affected individuals.
Proposed AI Governance Mechanisms
Anticipated regulatory developments for 2026 and 2027 point toward three significant governance mechanisms.
An AI registry would require registration of high-risk AI systems with relevant ministries, disclosure of system capabilities, limitations, and intended use cases, and annual compliance reporting with performance monitoring.
New AI safety standards would establish technical specifications for AI system testing and validation, mandate human oversight in critical applications, and create provisions for continuous monitoring and performance evaluation.
A clarified liability framework would address responsibility for AI-caused harm or errors, introduce insurance requirements for high-risk AI deployments, and define remediation obligations for system failures.
Sector-Specific Considerations
Financial Services
The State Bank of Vietnam (SBV) has issued guidance on technology application in banking that carries significant implications for AI deployments. Requirements around credit scoring algorithms mandate fairness, transparency, and non-discrimination in lending decisions. Fraud detection systems must meet standards for false positive rates and customer notification. Robo-advisory services face disclosure requirements and suitability assessments. Underlying all of these is a model risk management mandate that requires governance frameworks for AI model development, validation, and monitoring.
Financial institutions deploying AI must maintain thorough documentation covering model development methodology and validation results, bias testing and mitigation strategies, governance structures and oversight mechanisms, and incident response procedures for model failures.
Healthcare
The Ministry of Health is developing guidelines for AI in medical applications across several domains. Clinical decision support tools will require clinical validation and physician oversight. Diagnostic AI must meet standards for accuracy, reliability, and integration with existing workflows. Patient data protection provisions will mandate enhanced security measures for health information. The ministry is also establishing regulatory pathways for AI-enabled medical devices through its medical device classification framework.
Healthcare AI providers will need to obtain clinical evidence demonstrating safety and efficacy, implement quality management systems aligned with ISO 13485 or equivalent standards, establish post-market surveillance mechanisms, and maintain detailed documentation of system performance and adverse events.
E-Commerce and Digital Platforms
The Ministry of Industry and Trade regulates AI applications in e-commerce with attention to several key areas. Recommendation systems must provide transparency about how products and content are ranked. Dynamic pricing algorithms face fairness requirements and a prohibition on discriminatory pricing. Consumer protection provisions require clear disclosure when customers interact with automated customer service and chatbots. Advertising standards impose requirements on AI-generated or targeted advertising practices.
Compliance Framework for AI Systems
Step 1: Data Protection Impact Assessment (DPIA)
Under Decree 13, organizations must conduct DPIAs for AI systems that process large-scale sensitive personal data, involve systematic monitoring of public areas, evaluate or score individuals through profiling, or make automated decisions with legal or significant effects.
A thorough DPIA comprises five components. The system description should provide detailed documentation of AI functionality, data flows, and processing activities. A necessity assessment must justify data processing and consider alternatives. The risk analysis identifies risks to data subjects' rights and freedoms. Mitigation measures detail the technical and organizational controls addressing identified risks. Finally, the consultation component documents engagement with stakeholders and, where required, data protection authorities.
Step 2: Legal Basis and Consent Management
Organizations must establish valid legal grounds for data processing. Explicit consent is required for most personal data processing, with special consent provisions for sensitive categories. Contractual necessity applies when processing is required to fulfill contractual obligations. Legal obligation covers processing required for compliance with Vietnamese legal requirements. Legitimate interest has limited application and requires a balancing test.
Vietnam's consent requirements are notably rigorous. Organizations must secure clear, specific, and informed consent before data collection, obtain separate consent for different processing purposes, provide users with the ability to withdraw consent easily, and maintain comprehensive documentation of consent records.
Step 3: Technical Safeguards
Organizations must implement security measures appropriate to their risk level. On the data security front, this means encryption at rest and in transit (AES-256 or equivalent), access controls and authentication mechanisms, audit logging and monitoring, and regular security testing and vulnerability assessments.
AI-specific controls extend further to include model security and adversarial robustness testing, training data integrity verification, output monitoring and anomaly detection, and version control with model governance protocols.
Step 4: Transparency and Explainability
Providing meaningful information to affected individuals is a core obligation. Organizations must issue clear system disclosure notifications when individuals interact with AI systems and provide decision explanations that convey the logic, significance, and consequences of automated decisions. A right to human review must be preserved through mechanisms that allow individuals to request human intervention. All of these practices must be supported by comprehensive documentation of AI system design, testing, and performance.
Step 5: Cross-Border Data Transfers
For AI systems involving international data transfers, organizations must navigate a five-part process. An adequacy assessment determines whether the destination country provides adequate protection. Standard contractual clauses implement approved contractual safeguards for the transfer. Binding corporate rules establish internal data protection policies for corporate groups. Where other mechanisms prove unavailable, specific consent from data subjects can authorize transfers. Finally, a transfer impact assessment evaluates the implications of destination country laws on the transferred data.
Step 6: Governance and Accountability
Organizational accountability requires a well-defined governance structure. Organizations should designate responsible individuals for AI compliance, establish cross-functional AI ethics committees, implement model risk management frameworks, and create escalation procedures for ethical concerns.
Documentation requirements under this step are extensive. Organizations must maintain an AI system inventory and classification, data processing records and impact assessments, model validation and testing results, incident logs and corrective actions, and training records for staff involved in AI development and deployment.
Practical Compliance Strategies
For Startups and SMEs
Smaller organizations should prioritize core requirements by conducting an initial DPIA for their primary AI application, implementing basic data security controls such as encryption and access management, drafting clear privacy notices and consent mechanisms, establishing data retention and deletion procedures, and documenting AI system design and decision-making processes.
Resource-efficient approaches can significantly reduce the compliance burden. Organizations can leverage compliance templates and frameworks adapted for Vietnam, use cloud providers with Vietnam data center presence, implement privacy-by-design principles from inception, and consider privacy-enhancing technologies (PETs) to minimize data collection requirements.
For Enterprises and Multinational Corporations
Larger organizations require a comprehensive compliance program. This begins with establishing dedicated data protection and AI governance functions, then conducting an organization-wide AI system inventory and risk assessment. Enterprise-grade security and monitoring infrastructure must be deployed alongside internal AI ethics guidelines aligned with Vietnamese regulations. Organizations should create cross-border data transfer mechanisms through binding corporate rules or standard contractual clauses, establish vendor management programs for third-party AI services, and implement ongoing training and awareness programs.
Regional harmonization is equally critical for multinational operations. Organizations should align Vietnam compliance with broader ASEAN data protection initiatives, leverage APEC CBPR certification where applicable, develop scalable compliance frameworks adaptable to multiple jurisdictions, and monitor regulatory developments across Southeast Asia for consistency.
For Foreign Companies Entering the Vietnam Market
Market entry demands careful attention to several considerations. Organizations must establish a local presence through a registered entity or representative office in Vietnam. Data localization requirements necessitate evaluation of data storage needs and local cloud provider options. Language requirements mandate translation of privacy notices and user-facing documentation into Vietnamese. Engaging local expertise through Vietnamese legal counsel and data protection specialists is essential. Building government relations with relevant ministries and regulatory bodies provides long-term strategic value.
A practical compliance timeline spans roughly seven months. The first two months should focus on legal structure setup and regulatory mapping. Months three and four are devoted to data protection framework implementation. Months five and six involve technical infrastructure deployment and security testing. From month seven onward, organizations shift to ongoing monitoring, training, and compliance maintenance.
Enforcement and Penalties
Administrative Penalties Under Decree 13
Violations of personal data protection requirements carry escalating financial consequences. Minor violations result in warnings and fines up to VND 50 million (approximately $2,000 USD). Moderate violations draw fines ranging from VND 50 to 100 million (approximately $2,000 to $4,000 USD). Serious violations incur fines from VND 100 to 150 million (approximately $4,000 to $6,000 USD). Very serious violations can attract fines up to VND 200 million (approximately $8,000 USD) or higher for systemic failures.
Beyond financial penalties, organizations face additional consequences including suspension of data processing activities, revocation of business licenses or operating permits, public disclosure of violations, and criminal liability for intentional breaches or data theft.
Enforcement Authorities
Vietnam's enforcement landscape involves multiple regulators. The Ministry of Public Security oversees cybersecurity enforcement and incident response. The Ministry of Information and Communications handles data protection and telecommunications oversight. Sector-specific ministries exercise authority within their respective domains: the State Bank of Vietnam for financial services, the Ministry of Health for healthcare, and the Ministry of Education and Training for education.
Enforcement trends indicate increasing scrutiny of foreign technology companies, a growing focus on data localization compliance and cross-border transfers, heightened attention to consumer protection in digital services, and enhanced cooperation with international regulatory bodies.
Comparison with Regional Frameworks
| Aspect | Vietnam | Singapore | Thailand | Indonesia |
|---|---|---|---|---|
| Primary Law | Decree 13/2023 | PDPA 2020 | PDPA 2022 | UU PDP 2022 |
| AI-Specific Rules | Emerging | Model AI Governance | Developing | Proposed |
| Data Localization | Required (certain data) | No | Conditional | Required (certain sectors) |
| Consent Standard | Opt-in | Opt-in | Opt-in | Opt-in |
| DPIA Required | High-risk processing | High-risk processing | High-risk processing | High-risk processing |
| Max Penalties | VND 200M (~$8K) | SGD 1M (~$750K) | THB 5M (~$140K) | IDR 6B (~$375K) |
| Cross-Border Transfers | Restricted | Permitted (adequacy) | Restricted | Restricted |
Future Outlook: 2026-2027 Developments
Expected Regulatory Changes
In 2026, regulatory priorities center on the publication of AI ethics guidelines by the Ministry of Science and Technology, the introduction of sector-specific AI regulations for banking and healthcare, enhanced cybersecurity requirements for critical infrastructure, and expanded data localization mandates.
Looking to 2027 and beyond, the regulatory trajectory points toward a comprehensive AI governance law addressing high-risk systems, the establishment of a dedicated AI regulatory authority or expansion of existing agency mandates, international cooperation frameworks with ASEAN and global partners, and standards development for AI testing, certification, and auditing.
Industry Engagement Opportunities
Businesses can actively shape Vietnam's AI regulatory development through participation in public consultation processes, engagement with industry associations and chambers of commerce, collaboration with academic institutions on AI research and policy, and pilot programs demonstrating responsible AI practices.
Regional Integration
Vietnam is actively participating in several international frameworks. The ASEAN Framework on Digital Data Governance aims to harmonize data protection approaches across the region. The APEC Cross-Border Privacy Rules (CBPR) provide a certification pathway for data transfers. Vietnam is also pursuing adoption of international AI standards, including ISO/IEC standards for AI management systems.
Conclusion
Vietnam's AI regulatory landscape is rapidly maturing, with comprehensive data protection requirements already in place and AI-specific regulations on the horizon. Organizations deploying AI systems in Vietnam must navigate a complex framework balancing innovation with data protection, cybersecurity, and emerging AI governance principles.
Successful compliance demands proactive engagement with evolving regulations, investment in technical and organizational safeguards, local expertise and partnerships, adoption of privacy-by-design and ethical AI principles, and the organizational flexibility to adapt as regulatory developments unfold. By implementing robust compliance programs now, organizations can position themselves for success in Vietnam's growing digital economy while demonstrating commitment to responsible AI development and deployment.
For tailored guidance on Vietnam AI compliance specific to your industry and use cases, consult with Pertama Partners' regulatory experts.
Common Questions
Vietnam does not yet have comprehensive AI-specific legislation, but AI systems are regulated through existing frameworks. Decree 13/2023/ND-CP on Personal Data Protection establishes requirements for AI systems processing personal data, including consent, transparency, and data subject rights. The Cybersecurity Law 2018 addresses security requirements for AI infrastructure. Vietnam's Ministry of Science and Technology is developing a National Strategy on AI Development and Application to 2030, which will introduce AI-specific governance requirements including ethics frameworks, impact assessments, and sector-specific guidelines. Businesses should monitor these developments closely as formal AI regulations are expected to emerge in 2026-2027.
Vietnam's Cybersecurity Law 2018 requires certain categories of data to be stored on servers physically located in Vietnam. This includes personal data of Vietnamese users for domestic service providers and foreign companies operating in Vietnam. For AI systems, this means training data, user data, and potentially model parameters must be stored locally if they contain personal information of Vietnamese citizens. Organizations can use international cloud providers that have data centers in Vietnam (such as AWS, Google Cloud, or Azure with Vietnam regions). Cross-border data transfers for AI model training or processing require adequacy assessments, standard contractual clauses, or explicit user consent. The scope of localization requirements may expand in future regulations, so maintaining flexible architecture is advisable.
Decree 13/2023/ND-CP requires explicit, informed consent before processing personal data with AI systems. Consent must be: (1) freely given without coercion, (2) specific to defined purposes, (3) informed with clear information about processing activities, and (4) expressed through clear affirmative action. For AI applications, this means organizations must disclose when automated decision-making or profiling occurs, explain the logic and consequences, and obtain separate consent for different processing purposes. Sensitive data (health, biometrics, financial information) requires heightened consent standards. Consent must be documented and individuals must be able to withdraw it easily. For AI training data, organizations should obtain consent that explicitly covers model training and potential future uses. Pre-checked boxes or silence do not constitute valid consent.
Yes, Decree 13 requires Data Protection Impact Assessments (DPIAs) for AI systems that involve high-risk processing activities. This includes AI applications that: (1) process large-scale sensitive personal data, (2) systematically monitor public areas, (3) evaluate or score individuals (profiling), or (4) make automated decisions with legal or significant effects on individuals. A DPIA must document the system's functionality, data flows, necessity justification, risk analysis, and mitigation measures. For AI systems, particular attention should be paid to risks of discrimination, unfair treatment, or errors in automated decision-making. Organizations should conduct DPIAs before deploying high-risk AI systems and update them when significant changes occur. While not explicitly required to submit DPIAs to authorities before deployment, organizations must make them available upon request during investigations or audits.
Administrative penalties under Decree 13 range from warnings to fines up to VND 200 million (approximately $8,000 USD) depending on violation severity. While monetary fines may seem modest compared to GDPR, additional consequences can be severe: suspension of data processing activities, revocation of business licenses, public disclosure of violations, and potential criminal liability for intentional breaches or data theft. The Cybersecurity Law also imposes penalties for security violations, with fines up to VND 200 million for failure to implement required security measures. Enforcement authorities include the Ministry of Public Security, Ministry of Information and Communications, and sector-specific regulators. Foreign companies face additional scrutiny and may experience operational disruptions, reputational damage, and restrictions on market access. Compliance costs are typically far lower than potential business disruption from enforcement actions.
Foreign companies should follow a structured market entry approach: (1) Establish legal presence through a registered entity or representative office in Vietnam, which is required for formal business operations. (2) Conduct comprehensive data mapping to understand what personal data your AI systems collect, process, and store, and assess data localization requirements. (3) Engage Vietnamese legal counsel and data protection specialists familiar with local interpretation and enforcement practices. (4) Implement technical infrastructure that supports data localization, using cloud providers with Vietnam data centers or establishing local servers. (5) Translate all user-facing documentation, privacy notices, and consent mechanisms into Vietnamese. (6) Develop relationships with relevant ministries and regulatory bodies, as informal guidance can be crucial for compliance interpretation. (7) Implement Data Protection Impact Assessments for high-risk AI systems before market entry. (8) Establish a local data protection officer or compliance function. Plan for a 6-7 month timeline from initial planning to operational compliance, and budget for ongoing legal counsel, compliance monitoring, and potential infrastructure investments.
While Vietnam's current regulations do not prescribe specific technical standards for AI explainability, Decree 13 requires transparency about automated processing and profiling activities. Organizations must: (1) clearly notify individuals when they interact with AI systems or when AI makes decisions affecting them, (2) provide meaningful information about the logic, significance, and consequences of automated decisions, (3) offer mechanisms for individuals to request human review of automated decisions, and (4) maintain documentation of AI system design, testing, and performance. Emerging AI governance frameworks emphasize algorithmic transparency as a core principle, suggesting that future regulations will formalize explainability requirements. Best practices include: implementing interpretable models where possible, maintaining detailed model documentation, providing user-friendly explanations of AI decisions, establishing human oversight mechanisms for high-stakes decisions, and conducting regular bias and fairness testing. Sector-specific requirements (especially in finance and healthcare) may impose stricter transparency standards, so organizations should consult industry-specific guidance.

