Vietnam AI Law: What It Means for Your Business (2026 Guide)
Key takeaways
- Vietnam’s AI Law (No. 134/2025/QH15) took effect on March 1, 2026, making it the first standalone AI law in ASEAN
- The law classifies AI systems into three risk tiers: High, Medium, and Low, each with different compliance obligations
- Most businesses have until March 1, 2027, to comply; healthcare, education, and finance get until September 1, 2027
- Foreign companies operating AI systems with Vietnamese users are covered, including SaaS platforms and marketing automation tools
- The detailed high-risk categories list and penalty amounts are still being finalized in sub-decrees. Waiting for them before acting is a compliance risk in itself
Vietnam passed its first AI law on December 10, 2025, and it took effect on March 1, 2026, making it the first standalone AI statute in Southeast Asia. If your business uses AI tools in Vietnam, whether for marketing automation, customer service, product recommendations, or content creation, you are now operating under a legal framework with real compliance obligations and civil liability attached to them. This guide covers what the law actually requires, who it applies to, and what your business needs to do before the deadlines arrive.
What is the Vietnam AI Law?
The Vietnam AI Law (Luật Trí tuệ nhân tạo), officially Law No. 134/2025/QH15, consists of 8 chapters and 35 articles. The National Assembly passed it on December 10, 2025, and it entered into force on March 1, 2026.¹
The law replaced the AI provisions that had been embedded in the Law on Digital Technology Industry No. 71/2025/QH15, consolidating all AI governance into a single framework. The Ministry of Science and Technology, led by Minister Nguyen Manh Hung, who presented the draft to the National Assembly, oversees enforcement. The National AI Committee will be established by July 1, 2026.¹
The approach is modeled on the EU AI Act in its core structure (risk-based classification, role-driven obligations, and transparency requirements) while placing specific emphasis on data sovereignty, cultural values, and national security. Unlike the EU AI Act, which lists high-risk categories exhaustively in its annexes, Vietnam’s law delegates that list to the Prime Minister, which means the categories are still being finalized. What is already in force is the obligation to self-classify, register, and meet transparency requirements.
How does the law classify AI risk?
The law sets out three risk tiers, and understanding where your systems fall determines most of what you are required to do.
High-risk systems are those with the potential for significant harm to life, health, legal rights, or national security. The law specifically names healthcare, education, and finance as high-risk sectors by default. Systems in these categories must go through conformity assessments before deployment, register in the national AI database, maintain audit logs, and operate under human oversight mechanisms. The Prime Minister will publish the full list of high-risk systems. It had not been issued as of May 2026, but healthcare, education, and finance systems should be treated as high-risk now rather than waiting for that list to confirm them.
Medium-risk systems are those where users might not realize they are interacting with AI or where AI-generated content could mislead them about real events or people. These require notification to the Ministry of Science and Technology before deployment and periodic reporting thereafter. Most customer-facing AI tools (chatbots, content generators, and lead scoring systems) will land here.
Low-risk systems face minimal obligations, though the law encourages voluntary transparency disclosures even for them.
Providers are responsible for self-classifying their systems before deployment and notifying the ministry for medium- and high-risk systems through the national AI portal, which goes live July 1, 2026.¹
Who does the law apply to?
Rather than regulating by industry, the law assigns obligations by role. It defines five roles: developer (designs, builds, trains, or fine-tunes AI models), provider (places an AI system on the market under their own name), deployer (uses an AI system in professional or commercial activities), user (interacts directly with an AI system), and affected person (anyone whose rights or interests are impacted by an AI system’s output).
One business can play multiple roles across different systems, and the compliance obligations stack accordingly. A company that uses a third-party AI chatbot in its customer service function is a deployer for that system, but if it also builds and sells its own AI-powered reporting tool, it is a provider for that one. Both roles carry different requirements under the law, and many organizations will not realize how many systems they are deploying until they map this out.
The law applies to Vietnamese organizations and individuals and to any foreign entity that operates AI systems touching Vietnamese users. For foreign providers of high-risk AI systems, the law requires establishing a local contact point in Vietnam. Systems that require mandatory pre-use conformity certification may need a commercial presence or an authorized representative on the ground.¹ National defense, security, and cryptography activities are explicitly excluded.
What are the transparency requirements?
Article 11 of the law sets out transparency obligations for both providers and deployers, and they apply regardless of risk tier.¹
Providers must ensure that audio, image, and video content generated by their AI systems carries machine-readable markings. Deployers must clearly notify users when they are interacting with an AI system and, where AI-generated content could cause confusion about real events or real people, must apply visible labels. Content that simulates real individuals (deepfakes, synthetic voice, and AI-generated video of named persons) requires a specific warning.
For marketing teams, this means that automated email sequences, AI-written ad copy, chatbot conversations, and AI-generated social content all fall within these requirements. The exact format for labels and notifications will be specified in a government decree still being drafted as of May 2026, but the obligation itself is already in force. Waiting for the decree to define the format before building the workflow is a risk.
What are the penalties?
Article 29 establishes three categories of liability: administrative sanctions, penal liability, and civil damages.¹
The law specifies that penalties will be calculated as a percentage of global revenue, not just Vietnam revenue, but the actual percentages will be set by a government decree that has not yet been published. What is already established is the liability model: for high-risk AI systems, deployers must compensate affected parties first and can then seek reimbursement from the developer or provider. Critically, this liability applies even when the system was operating as intended. The standard is outcome-based, not fault-based. A system that functions correctly but causes harm still triggers deployer liability.
For most businesses, the more immediate risk is not criminal liability but civil claims and procurement barriers. Enterprise buyers and government procurement processes are increasingly requiring AI compliance attestations, and a company that cannot document what models it runs on, with what data, and with what oversight mechanisms in place will lose contracts before it faces a regulator.
How does Vietnam’s AI Law compare to other countries in Asia?
SotaMedia tracked media coverage of AI regulation across seven countries in the region from December 10, 2025, to April 9, 2026, monitoring eight channels, including news, press, and social media. Over that period, Vietnam generated 87 total buzz mentions, 62 of which came from news and press outlets, with 73% positive sentiment. That outpaced every other country in the region: China at 52 mentions, South Korea at 40, Singapore at 37, Japan at 35, Thailand at 20, and Indonesia at 16.²
The volume reflects what the law actually is: binding, comprehensive, and the first of its kind in ASEAN. Singapore has a voluntary governance framework with no enforcement mechanism. Thailand’s draft law is still being written. Indonesia is at the advisory stage. Vietnam is the only country in Southeast Asia where non-compliance carries legal consequences right now.
| Country | Law | In Force | Approach | Risk classification | Sanctions |
|---|---|---|---|---|---|
| Vietnam | Law No. 134/2025/QH15 | Mar 2026 | Risk-based, mandatory | 3 tiers: High, Medium, Low | % global revenue + civil liability |
| South Korea | AI Basic Act | Jan 2026 | Risk-based, mandatory | 11 high-risk sectors | Admin fines up to 30M KRW |
| China | Multiple regulations | Jan 2026 | By application type | By type: GenAI, deepfake, algorithm | Admin + criminal |
| Singapore | Model AI Governance Framework | Updated 2026 | Voluntary | No formal classification | None |
| Japan | AI Promotion Act | Jun 2025 | Innovation-first | No classification | None |
| Thailand | Draft AI Law | Expected 2026-2027 | Risk-based (draft) | 2 tiers: Prohibited + high-risk | TBD |
| Indonesia | Draft Presidential Decree | Expected 2026 | Ethics + voluntary | No formal system | None |
Source: SotaMedia’s Social Listening Report on Vietnam AI Law 2026²
SotaMedia’s keyword monitoring across this period showed that the top conversation topics around Vietnam’s law were risk classification, compliance, high-risk AI, transparency, sandbox, deepfake labeling, conformity assessment, AI Voucher, civil liability, and the National AI Development Fund.² Those keywords map almost exactly to the compliance checklist below, which is a useful signal that these are the areas where the market is paying attention and where documentation gaps will be most scrutinized.
What government support is available?

The law is not purely regulatory. It includes three mechanisms specifically designed to make compliance easier for smaller businesses and to encourage AI product development.
AI Voucher: A subsidy program for SMEs to offset the cost of adopting AI tools. This directly addresses the access gap for smaller companies that want to adopt AI but face upfront implementation costs. Application procedures were not yet published as of May 2026.¹
Sandbox: A controlled testing environment where businesses developing AI products can operate for up to 3 years with reduced compliance obligations, including exemptions from certain legal liability requirements during the testing period. For companies building AI products in the marketing, fintech, or healthcare space, early sandbox registration is worth pursuing before the National AI Committee formalizes the process.¹
National AI Development Fund: A grant mechanism for research and commercialization. The law also recognizes AI models and algorithms as assets that can be contributed as legal capital, which creates a fundraising option for companies whose primary value is in their models rather than physical assets.¹
The National AI Committee, which will oversee these programs, is required to be operational by July 1, 2026. The national AI portal (where registrations, sandbox applications, and compliance notifications will be filed) goes live at the same time.
What does your business need to do before the deadline?

The compliance window runs until March 1, 2027, for most industries and September 1, 2027, for healthcare, education, and finance. That is enough time to build proper documentation and controls if you start now. It is not enough time if you wait for all the sub-decrees to be published first.
Step 1: Build an AI inventory
The starting point is a complete list of every AI system your business uses: customer chat, content generation, recommendation engines, fraud monitoring, approval workflows, and anything your vendors have embedded in the tools you already use. For each system, document the business owner, what the system does, what data it processes, whether it is vendor-built or internal, and what changes have been made to it since deployment. Most companies discover they have significantly more AI systems than their internal reporting reflects because vendor products regularly include AI features that are not labeled as such.
Step 2: Triage by risk
For each system on that list, apply two questions. First: can it affect safety, legal rights, access to services, or financial outcomes? If the answer is yes, treat it as high-risk until a proper assessment says otherwise. Second: could a user reasonably interact with it without knowing they are dealing with AI? If yes, treat it as medium-risk at minimum. Do not wait for the Prime Minister’s published list of high-risk categories before starting this triage. Build the evidence trail now, and update classifications when the list arrives.
Step 3: Set up audit-ready controls
For each medium- or high-risk system, you need input and output logging, model versioning records, a defined human override process (who can intervene, under what conditions, and how), and a documented rollback plan for when performance degrades or the system behaves unexpectedly. The law’s outcome-based liability standard means that “the vendor told us it was compliant” is not sufficient documentation. You need to be able to show what your system did, in what context, with what oversight.
Step 4: Review vendor contracts
Every AI vendor powering a medium- or high-risk system in your stack needs to be able to answer four questions: Can you provide model version and change logs? Can you produce audit evidence without exposing source code? What is your incident notification SLA? Do you have a local contact point in Vietnam for high-risk systems requiring conformity certification? A vendor that cannot answer these questions is a compliance liability, not just a performance risk.
Step 5: Enforce transparency in your publishing workflow
Labeling AI-generated content has to be built into the process itself (a checklist step, a UI gate, a publishing rule) and not left to individual judgment. A policy document that says “label AI content” will fail in an audit if you cannot show that it happens systematically.
Step 6: Apply for Sandbox or AI Voucher if relevant
If you are actively developing AI products, the Sandbox reduces legal exposure during testing. If you are an SME adopting AI tools for the first time, the Voucher program may cover part of the implementation cost. Both programs will be administered through the national AI portal from July 2026.
Step 7: Monitor sub-decree publications
The Ministry of Science and Technology is still finalizing the decrees that will specify detailed high-risk categories, conformity assessment procedures, penalty amounts, and AI portal submission formats. These are worth tracking, but they should not be used as a reason to delay the steps above, since the core obligations (transparency, role mapping, audit controls) are already in force.
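Steps 1 to 3 can be kept as a machine-checkable inventory rather than a spreadsheet. The sketch below is an added example, not part of the law or of any official tooling: it applies the two Step 2 triage questions and the sector default, attaches the deadline from this guide, and lists which Step 3 controls are still missing. All field names, control keys, and sample systems are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Sectors this guide says to treat as high-risk now; they also get the later deadline.
HIGH_RISK_SECTORS = {"healthcare", "education", "finance"}
# Step 3 controls for medium- and high-risk systems (key names are assumptions).
REQUIRED_CONTROLS = ("io_logging", "model_versioning", "human_override", "rollback_plan")

@dataclass
class AISystem:
    name: str
    owner: str
    sector: str
    vendor_built: bool
    affects_rights_or_outcomes: bool  # Step 2, question 1
    user_may_not_know_its_ai: bool    # Step 2, question 2
    controls: set = field(default_factory=set)

def triage(s):
    """Provisional tier; revisit once the official high-risk list is published."""
    if s.sector in HIGH_RISK_SECTORS or s.affects_rights_or_outcomes:
        return "high"
    if s.user_may_not_know_its_ai:
        return "medium"
    return "low"

def deadline(s):
    """Transition deadline as stated in this guide."""
    return date(2027, 9, 1) if s.sector in HIGH_RISK_SECTORS else date(2027, 3, 1)

def gap_report(inventory):
    """One row per system, highest tier and largest control gap first."""
    rows = []
    for s in inventory:
        tier = triage(s)
        missing = [] if tier == "low" else [c for c in REQUIRED_CONTROLS if c not in s.controls]
        rows.append({"system": s.name, "owner": s.owner, "tier": tier,
                     "deadline": deadline(s).isoformat(), "missing": missing})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (rank[r["tier"]], -len(r["missing"])))

# Constructed sample inventory (not real systems).
INVENTORY = [
    AISystem("support-chatbot", "CX", "retail", True, False, True, {"io_logging"}),
    AISystem("loan-scoring", "Risk", "finance", False, True, False, {"io_logging", "model_versioning", "human_override"}),
    AISystem("internal-spellcheck", "IT", "retail", True, False, False),
]

if __name__ == "__main__":
    for row in gap_report(INVENTORY):
        print(row)
```

Re-running the report after each vendor change or sub-decree update gives a dated record of how classifications and control gaps evolved.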
What is the compliance timeline?
| Date | Milestone |
|---|---|
| December 10, 2025 | Law No. 134/2025/QH15 passed by National Assembly |
| March 1, 2026 | The law takes effect |
| July 1, 2026 | National AI Committee established; national AI portal and database go live; National AI Development Fund operational |
| March 1, 2027 | Compliance deadline for most industries (12-month transition) |
| September 1, 2027 | Compliance deadline for healthcare, education, and finance (18-month transition) |
Source: Law No. 134/2025/QH15, Articles on transitional provisions¹
What stood out most when researching this piece was the timing. Vietnam moved before Singapore, Thailand, and Indonesia and did so with binding legislation rather than a voluntary framework.
That was not accidental. Vietnam’s government has been explicit about targeting double-digit economic growth, with digital transformation, AI, and semiconductors as the primary drivers. The AI Law fits that strategy: it signals to foreign investors that Vietnam takes data handling and AI liability seriously, while the Sandbox and AI Voucher programs show the intent is to grow the sector, not slow it down.
For businesses using AI in their marketing and operations, that combination is worth attention. A market with clear legal parameters, active government support for AI adoption, and growing foreign investment is one where early compliance work pays off beyond avoiding penalties. It positions you as a credible operator in a market that is moving fast.
Vietnam’s AI Law is already in effect. The 2027 deadlines cover conformity certification for complex systems. The transparency, role mapping, and content labeling obligations are running now. Companies that build their documentation and controls this year will be in a different position when regulators and procurement teams start asking for evidence.