What is AI regulation in Vietnam?
AI regulation: countries and regions
As of June 2026, AI regulation in Vietnam is a live legal regime, not just a policy discussion. Vietnam now has a dedicated AI Law, in force since 1 March 2026, backed by an implementing decree from 1 May 2026. The model is risk based and human centred. Higher risk systems face stricter duties on classification, transparency, human oversight, conformity assessment, incident handling and public sector impact review, while personal data and wider data governance remain governed by separate laws.
What this means
AI regulation in Vietnam is not one rule and it is not just about AI ethics. It is the combined effect of Vietnam's AI Law, its implementing decree, the national AI strategy, the personal data protection regime, the Data Law and any sector rules that still apply to health, education, finance, online services and public administration.
That matters because Vietnam now regulates the supply, deployment and use of AI systems in a fairly practical way. A business must look at what kind of system it is running, how risky it is, whether people know they are dealing with AI, whether personal data is involved and whether the system is being used in a public service or another sensitive field.
In regional terms, Vietnam is also operating inside the ASEAN conversation on AI governance and ethics. ASEAN guidance is useful for policy alignment and interoperability, but the binding duties come from Vietnamese law.
Why it matters
For organisations building, buying or using AI in Vietnam, the compliance question now starts before launch. You may need to classify the system, keep technical records, design human oversight, tell users when they are dealing with AI and prepare for incident reporting or conformity assessment if the system is high risk. If you are a foreign provider, Vietnam specific market access and contact point issues can also arise.
The AI rules do not stand alone. If the system trains on, analyses or generates material linked to personal data, the personal data regime becomes critical. If the project depends on larger data flows, public datasets, data intermediaries or data exchanges, the Data Law also matters. In practice, an AI project in Vietnam is now a joined up governance exercise, not a single product compliance check.
How it works
Vietnam has moved from policy to hard law
Vietnam's position changed quickly between 2025 and 2026. The country had already set a long term direction through the 2021 national AI strategy, but it has now moved into a true statute based model. The dedicated AI Law was passed on 10 December 2025 and took effect on 1 March 2026. Decree 142/2026, effective from 1 May 2026, adds the operational detail for classification, notifications, conformity assessment, the one stop AI portal and public sector impact review.
That means the centre of gravity has shifted. Earlier digital technology legislation helped prepare the ground, but the dedicated AI Law is now the main text for AI specific duties. The 2021 strategy still matters because it frames Vietnam's wider state policy on AI capability, infrastructure, talent, domestic development and public service adoption. The AI Law also requires the national AI strategy to be reviewed and updated periodically, so policy and law are now more tightly linked.
The AI Law uses a three tier risk model
Vietnam regulates AI through the whole lifecycle. The law applies to research, development, supply, deployment and use of AI systems in Vietnam, including certain foreign actors participating in AI activity in Vietnam. It does not cover AI used only for defence, security or cryptographic purposes, which sit on separate legal tracks.
The core model is a three tier risk system. High risk AI is the category with the greatest potential to harm life, health, lawful rights, the public interest or national security. Medium risk AI covers systems that can confuse, influence or manipulate users because they do not realise they are interacting with AI or AI generated content. Low risk AI is the residual category for systems that do not fall into the other two groups.
This is a risk based approach, but it is not simply a copy of the EU AI Act. Vietnam's categories, procedures and institutions are its own. The practical test is less about legal labels from other jurisdictions and more about whether the system falls into Vietnam's high, medium or low risk framework once its context of use is assessed.
High risk systems carry the main compliance load
The provider must classify an AI system before it is put into use. For medium and high risk systems, the provider must notify the result through the Ministry of Science and Technology's AI one stop portal before use. Decree 142 adds technical detail on how risk is assessed, what supporting records need to exist and how reclassification works if the system changes.
High risk systems face the most demanding duties. Depending on the final high risk list and the relevant sector, this can include a conformity assessment before use, risk management, governance of training, testing and operational data, technical files, activity logs, human oversight and intervention design, transparency, incident handling and explainability. The law is explicit that explainability cannot be used to force disclosure of source code, detailed algorithms, model parameters or trade secrets.
Foreign providers are not outside the picture. Where a foreign provider offers high risk AI into Vietnam, it must have a lawful contact point in Vietnam. If the system falls into the category that requires conformity certification before use, the foreign provider must also have a commercial presence or an authorised representative in Vietnam.
There is also a transition layer. AI systems already in operation before the law took effect do not all need to comply overnight. Existing systems in healthcare, education and finance get an 18 month transition period. Other existing systems generally get 12 months, unless authorities step in because the system presents a serious danger.
Vietnam also keeps a controlled testing route. The law allows controlled experimentation and says that sandbox results can support later conformity decisions or adjusted compliance obligations. So the framework is not only restrictive. It is also meant to preserve room for testing and staged deployment.
Transparency, synthetic content and incident handling are not optional extras
Vietnam's AI regime places real weight on transparency. If a system interacts directly with a person, the provider must design and operate it so the user can recognise that they are dealing with AI, unless another law says otherwise. Audio, image and video generated by AI must be marked in a machine readable form according to government rules.
Deployers also have direct duties. If they release AI generated or AI edited text, audio, images or video to the public and that material could mislead people about the truth of an event or person, they must make that clear. Content that simulates a real person's appearance or voice, or recreates real events, must be labelled in a way the audience can recognise. In other words, Vietnam is building transparency duties straight into synthetic media governance rather than treating deepfakes only as a later enforcement problem.
Incident management is another hard requirement. Developers, providers, deployers and users all have responsibilities to detect, record and address AI incidents. When a serious incident occurs, providers must apply technical corrective measures and can be required to suspend or withdraw the system. Deployers and users must record and promptly notify incidents and cooperate in remediation. The one stop AI portal is part of that reporting architecture.
For the public sector, the bar is higher still. When a state body uses high risk AI, or another AI system with substantial effects on rights, society or the public interest, in state management or public service delivery, it must prepare an impact assessment report. That report must identify risks, control measures and human supervision arrangements, and it must be disclosed subject to exceptions for state secrets, business secrets and personal data.
Privacy and data law sit underneath AI compliance
Vietnam's AI Law does not replace the country's privacy and data rules. Those sit underneath it and often decide whether the AI project is lawful in the first place. The Personal Data Protection Law took effect on 1 January 2026 and is implemented by Decree 356/2025. This regime gives data subjects core rights, including rights to know, consent, access, correct, delete and seek protective measures. It also bans the buying and selling of personal data except where another law specifically allows it.
For AI teams, the operational message is simple. If you are using personal data for training, testing or live operation, personal data compliance is not a side issue. You need to think about consent design, lawful processing, retention, deletion, access rights, incident response, cross border transfer controls and sector specific rules. Vietnam's law contains tailored provisions for employment, health, insurance, finance, credit information, advertising, social media, online communication services, biometric data and location data.
That sector detail matters. Health and insurance actors cannot treat patient information as freely shareable data for model development or downstream analytics. Finance and credit actors cannot score or rank a person using credit information without consent. Social platforms and online communication services must provide clear privacy policies, user controls and rapid handling of security and privacy breaches. The law also bars social platforms from requiring users to submit images or video containing identity documents as an account verification factor.
The Data Law is different again. It is not a privacy law. It governs digital data development, national data infrastructure, the National Data Centre, the aggregated national database, data intermediaries, data analysis services and data exchanges. It can matter to AI because it shapes how legally usable datasets are created, shared and commercialised. The law allows data exchanges, but it bans transactions in data that threaten defence, security or foreign affairs, and it blocks trading in data where the data subject has not consented, unless another rule authorises it.
So there are two different questions. The Personal Data Protection Law asks whether you can lawfully process personal data at all. The Data Law asks how digital data is built, shared, combined and traded inside Vietnam's national data architecture. AI projects often need answers to both.
Institutions and ASEAN context shape the practical picture
On the AI side, the Government has the overall coordinating role, while the Ministry of Science and Technology is the lead ministry. It manages the AI one stop portal, receives risk notifications, coordinates implementation and sits at the centre of standard setting and technical guidance. Other ministries and provincial authorities still matter because Vietnam's model expects sector specific management for sensitive uses and allows sector input into the identification of high risk systems.
On the personal data side, the Ministry of Public Security remains central to the protection, reporting and filing architecture. In practice, organisations using AI in Vietnam often need to think about both ministries at once. One set of questions is about AI risk, transparency and system documentation. The other is about personal data, permitted processing, breach handling and transfer control.
ASEAN adds an important regional layer. The ASEAN Guide on AI Governance and Ethics is a practical governance guide for organisations and policymakers across the region, aimed at alignment and interoperability. It is useful context for any business trying to build one regional playbook across Southeast Asia. But it is not itself the binding rulebook for Vietnam. For legal compliance, Vietnamese statutes, decrees and sectoral instruments come first.
Examples
A public hospital or health service deploying an AI diagnostic, triage or patient support tool has to run two compliance tracks at the same time. Under the AI Law, healthcare is treated as a sensitive field and existing systems already in operation before 1 March 2026 benefit from the longer 18 month transition period. Under the personal data regime, health data is tightly protected, and health and insurance actors cannot freely pass patient information to third parties just because an AI workflow would make that convenient.
A ministry, provincial authority or public service body using AI to support administrative decisions cannot hand responsibility to the model. Human decision makers remain responsible under the AI Law. If the system is high risk, or if its use in state management or public services can materially affect rights or the public interest, the authority must prepare an impact assessment report, set risk controls and disclose the report except where protected information must be withheld.
A social platform or online communications service using synthetic media tools has to combine AI transparency with privacy rules. Users must be able to recognise when they are interacting with AI. Synthetic audio, images or video that could mislead people about a real person or a real event must be labelled. At the same time, the personal data law requires privacy controls, breach handling and clear data use disclosures, and it bars platforms from demanding images or video of identity documents as an account verification factor.
Common misunderstandings
A common mistake is to say that Vietnam still has no AI law. That was true before 2026, but it is no longer true. Vietnam now has a dedicated AI Law and an implementing decree.
Another mistake is to assume that only AI developers are regulated. Vietnam's framework also reaches providers, deployers, users and public bodies, depending on what they do with the system.
It is also wrong to think that low risk AI means no compliance at all. Even low risk tools can still trigger transparency duties, personal data rules, consumer law, sector rules and misuse prohibitions.
Many people also mix up the Data Law with the personal data protection regime. They are related, but they do different jobs. The Data Law governs digital data infrastructure and data markets. The personal data regime governs the protection and lawful processing of personal data.
Finally, ASEAN guidance should not be mistaken for directly binding Vietnamese law. It is an important regional benchmark, but Vietnam's binding duties come from Vietnamese statutes, decrees and sectoral instruments.
Risks and boundaries
Vietnam's AI Law is important, but it is not a complete code for every digital issue. It does not remove sector rules on health, education, finance, online services, advertising, cybersecurity, intellectual property, public procurement or state secrets. It also does not cover AI used solely for defence, security or cryptographic purposes. Those sit on separate legal tracks.
The framework is also still settling. The law and decree rely on follow on decisions, technical criteria and sector specific implementation, especially around the catalogue of high risk systems and the detailed way some sectors will apply the rules. Penalty practice will also continue to develop through general administrative law, sectoral sanctions and future implementing instruments. For that reason, June 2026 should be treated as a point in time, not as the final shape of Vietnam's AI regime.
This is a practical explainer, not legal advice. Organisations with material exposure in Vietnam still need a closer review of their system type, data flows, contracts and sector obligations.
What to do next
Start by mapping every AI system that touches Vietnam and assigning the role your organisation actually plays in each case. In different projects you may be a developer, provider, deployer or user, and the duties are not the same. Then carry out a first pass risk classification and decide whether the system could fall into Vietnam's medium or high risk categories, whether pre use notification is required and whether high risk conformity work may be needed.
Next, fix the data layer and the user layer. Check whether the system uses personal data, especially health, financial, employee, biometric or location data. Review notices, consent design, retention, deletion, breach response and cross border transfer controls. At the same time, make sure product design can tell users when they are dealing with AI, label synthetic content where needed, preserve human oversight and generate the technical records the law expects. Finally, keep live watch on Vietnam's follow on instruments, especially any Prime Ministerial high risk list, technical standards and sector level guidance.
FAQs
Does Vietnam now have a dedicated AI law?
Yes. Vietnam's dedicated AI Law took effect on 1 March 2026, and the main implementing decree followed on 1 May 2026.
Is Vietnam simply copying the EU AI Act?
No. Vietnam also uses a risk based model, but its categories, institutions, procedures and public sector rules are its own.
Who is covered by Vietnam's AI rules?
The framework reaches developers, providers, deployers, users, public bodies and certain foreign actors participating in AI activity in Vietnam.
Do foreign AI providers have to do anything special?
Potentially yes. If they supply high risk AI into Vietnam, they may need a lawful contact point in Vietnam and, in some cases, a commercial presence or authorised representative.
What if our AI system was already operating before the AI Law took effect?
Existing systems generally have a transition period. Systems in healthcare, education and finance get 18 months. Other existing systems generally get 12 months, unless authorities intervene because of serious danger.
How do personal data rules affect AI projects?
They are often decisive. If the AI project uses personal data for training, testing or operation, the Personal Data Protection Law and Decree 356 apply alongside the AI Law.
Is the Data Law the same thing as the personal data law?
No. The Data Law governs digital data infrastructure, sharing and data related services. The personal data law governs the protection and lawful processing of personal data.
Are ASEAN AI guides legally binding in Vietnam?
Not in the same way as Vietnamese statutes and decrees. They are regional policy guides that help shape expectations and interoperability, but domestic Vietnamese law creates the enforceable duties.