AI Agency

Law 134/2025/QH15

VN AI Law Compliance

The law is in effect. Compliance deadlines begin March 2027. Most organisations are already in scope and do not know it.

On 10 December 2025, the National Assembly passed Vietnam's first standalone AI Law. It took effect on 1 March 2026, making Vietnam the first country in Southeast Asia to establish a comprehensive, risk-based AI regulatory framework.

Start a conversation View FAQ

Key facts

  • • First standalone AI law in Southeast Asia
  • • 35 articles, risk-based framework
  • • Applies to domestic and foreign entities
  • • Human-centric: AI serves as a support tool
  • • 12-month grace period (18 for health/edu/finance)
  • • Implementing Decree 142/2026/NĐ-CP effective 1 May 2026

Timeline

What's in force and when

The law introduces obligations in phases. The compliance clock is running — and most organisations have not yet conducted an AI inventory.

10 Dec 2025

Law passed — National Assembly passes Law 134/2025/QH15 with 90.7% approval.

1 Mar 2026

Law takes effect — All organisations must begin risk classification of AI systems. Human-centric principle and prohibited practices enforceable.

1 May 2026

Implementing decree — Decree 142/2026/NĐ-CP provides implementation guidance for providers, developers, deployers, and users.

1 Mar 2027

Compliance deadline — All AI systems must comply. High-risk systems require registration, documentation, human oversight, and conformity assessment.

1 Sep 2027

Extended deadline — Health, education, and financial sector AI systems have an additional 6 months to comply.

Risk classification

Three-tier risk-based framework

Mirroring global regulatory trends, the AI Law categorises systems by their potential impact on human rights, safety, security, and public interests.

🔴

High-risk

Systems that pose significant potential harm to life, health, national security, or lawful rights.

  • • Pre-market conformity assessment
  • • Ongoing risk management
  • • Human oversight mechanisms
  • • Registration via national AI portal
  • • Foreign providers: local presence or authorised rep required
🟡

Medium-risk

Systems carrying risks such as user confusion or minor market disruptions.

  • • Ongoing monitoring reports
  • • Sample audits by authorities
  • • Transparency disclosures to users
  • • Documentation of system purpose and scope
🟢

Low-risk

Systems with minimal impact on rights, safety, or public interests.

  • • Minimal regulatory oversight
  • • Incident monitoring
  • • Voluntary best-practice guidelines encouraged
  • • AI literacy obligation still applies

Exposure

Most organisations are in scope and do not know it

The law applies to five distinct roles in the AI value chain. Most organisations occupy at least one — often more than one — without having formally identified their position. Shadow AI adoption across departments means exposure is frequently wider than leadership believes. If your organisation uses a third-party AI tool in a high-risk context, the deployer obligations sit with you. The vendor relationship does not transfer liability.

👨‍💻

Developer

Designs, builds, trains, or refines AI models with control over technical methods and training data.

🏢

Provider

Markets AI systems under their own name, brand, or trademark — regardless of who built it.

⚙️

Deployer

Integrates or uses AI systems as part of their service offerings or internal operations.

👤

User

Directly interacts with AI systems or relies on their outputs in decision-making.

⚖️

Affected Party

Entities whose lawful rights, life, health, property, reputation, or access to services are impacted by AI deployment or outputs.

Our services

How we help you comply

We help organisations understand their obligations under the VN AI Law and build practical compliance programs that fit real operations.

  1. Step 1

    AI inventory

    Audit all AI systems in use across the organisation — including shadow AI.

  2. Step 2

    Risk classification

    Classify each system under the law's three-tier framework.

  3. Step 3

    Gap analysis

    Identify where your current practices fall short of obligations.

  4. Step 4

    Remediation roadmap

    Prioritised plan to close gaps before the March 2027 deadline.

Obligations

What compliance requires

AI inventory

Identify and document every AI system in use across the organisation — including shadow AI adopted without IT knowledge.

Risk classification

Classify each system as high, medium, or low risk under the law's criteria. Document the rationale for each classification.

Human oversight

Design and implement mechanisms that keep humans in the loop for all high-risk AI decisions. The law requires humans to remain the final arbiter.

Technical documentation

Maintain comprehensive records: system purpose, training data, performance metrics, risk assessment, and operational logs.

Registration

High-risk systems must be registered on the national AI portal before the compliance deadline. Foreign providers: local presence or authorised rep required.

AI literacy

Ensure staff who develop, deploy, or use AI systems have appropriate AI literacy — understanding capabilities, limitations, risks, and governance obligations.

Highest obligation

Which sectors face the highest obligation

Which sectors face the highest obligation

The law applies broadly across the economy, but certain sectors carry substantially higher compliance obligations due to the nature of their AI use cases.

  • • Manufacturing — quality inspection AI, predictive maintenance, production analytics
  • • Banking and fintech — fraud detection, credit scoring, KYC automation, customer support AI
  • • Healthcare — clinical decision support, diagnostic assistance, patient triage (extended deadline)
  • • Education — AI tutors, automated grading, student analytics (extended deadline)
  • • HR and recruitment — AI-assisted shortlisting, candidate assessment, workforce planning
  • • Retail and e-commerce — recommendation engines, customer analytics, pricing algorithms
  • • State bodies — automated processing of citizen applications, eligibility decisions
  • • Legal and professional services — AI used in contract review, due diligence, document analysis

Sector deadlines

Different sectors face different compliance deadlines. All non-extended sectors must comply by 1 March 2027.

  • • Manufacturing — deadline 1 Mar 2027. 45% of Vietnamese manufacturers already use AI.
  • • Banking & fintech — deadline 1 Mar 2027. KYC, fraud detection, credit scoring in scope.
  • • Healthcare — deadline 1 Sep 2027. Extended deadline applies.
  • • Education — deadline 1 Sep 2027. Extended deadline applies.
  • • Retail & e-commerce — deadline 1 Mar 2027. Recommendation systems, pricing algorithms.
  • • HR & recruitment — deadline 1 Mar 2027. AI screening tools are high-risk.

FAQ

Common questions

Does the VN AI Law apply to my organisation?
If your organisation develops, provides, deploys, or uses AI systems in Vietnam — or sells AI products or services to Vietnamese customers — the law applies. This includes foreign entities. Even if you use a third-party AI tool, deployer obligations sit with you. Most organisations are already in scope without knowing it.
What is the compliance deadline?
1 March 2027 for most AI systems (12 months from the law's effective date). Organisations with AI systems in healthcare, education, and financial services have until 1 September 2027 (18 months). Prohibited practices have been enforceable since the law took effect.
Do I need a local presence in Vietnam?
Foreign providers of high-risk AI systems that require pre-market conformity assessment must establish a commercial presence in Vietnam or appoint an authorised representative. This requirement does not apply to medium- and low-risk systems, but foreign entities are still subject to the law's other obligations.
What are the penalties for non-compliance?
The law establishes that violations are subject to administrative sanctions, revocation of licences, suspension of AI system operations, and potential criminal liability depending on the severity. Specific penalty amounts and enforcement mechanisms are being detailed in implementing decrees currently under development.
How is "AI system" defined under the law?
The law defines AI as "the implementation, through electronic means, of human intellectual capabilities, including learning, reasoning, perception, judgment, and natural language understanding." This definition is borrowed from Korea's AI Act and captures a broad range of systems — from simple automation to advanced generative AI.
What counts as a high-risk AI system?
High-risk systems are those that pose significant potential harm to life, health, national security, or lawful rights. The Ministry of Science and Technology is preparing a Prime Ministerial decision listing specific high-risk categories. Until then, organisations should classify based on the law's general criteria. Typical examples include: credit scoring, recruitment screening, biometric identification, access to essential services, and safety-critical components in products.

VN AI Law compliance review

Know your obligation. Start with a readiness review.

Fixed-fee, four-week engagement. We audit your AI systems, classify them under the law's risk framework, identify gaps, and deliver a prioritised remediation roadmap.

Start a conversation Back to top