• Instgram
  • LinkeIn
  • Lexologoy
One Asia Lawyers > NEWSLETTER > Vietnam > Vietnam: KEY BUSINESS OBLIGATIONS UNDER VIETNAM’S NEW AI LAW

Vietnam: KEY BUSINESS OBLIGATIONS UNDER VIETNAM’S NEW AI LAW

2026年06月17日(水)

We published a newsletter regarding KEY BUSINESS OBLIGATIONS UNDER VIETNAM’S NEW AI LAW. To view PDF version, please click the following link.

KEY BUSINESS OBLIGATIONS UNDER VIETNAM’S NEW AI LAW

<KEY BUSINESS OBLIGATIONS UNDER VIETNAM’S NEW AI LAW>

11th June 2026
One Asia Lawyers Vietnam Office

Introduction

Vietnam has recently issued its first Law on Artificial Intelligence No. 134/2025/QH15 dated 10 December 2025 (the “AI Law”) effective from 01 March 2026, establishing a comprehensive legal framework for the development, deployment, management and use of artificial intelligence technologies in the country. While the Digital Technology Industry Law 2025 (the “DIT Law”) initially introduced AI through a set of high-level, foundational policy principles, these provisions remained broad and primarily directional. The AI Law now operationalizes and expands those principles into a detailed, risk-based regulatory regime and, upon taking effect, will supersede and repeal the AI-related provisions under the DIT Law. This marks a significant shift toward a more mature and coherent legislative approach supporting Vietnam’s digital transformation goals.

1. Risk-based classification of AI systems

The AI Law adopts a three-tier, risk-based classification framework:[1]

  • High-risk AI systems cover systems that may endanger life, health, lawful rights and legitimate interests of organizations, individuals, other important public interests or national security.
  • Medium-risk AI systems include systems that may mislead, influence, or manipulate users because they cannot recognize that they are interacting with an AI system or with AI-generated content.
  • Low-risk AI systems refer to systems that do not fall under the above categories.

2. Obligations for developers, providers, deployers respective to risk-based AI systems

2.1 Risk-based classification and notification of AI systems

AI Law imposes mandatory obligations on providers and deployers regarding risk-based classification of AI systems although detailed implementing guidance has not yet been issued.

  • Providers must self-classify their systems before market release and retain documentation for medium- and high-risk systems. Medium- and high-risk systems must be notified to the Ministry of Science and Technology (MOST), while low-risk systems may be voluntarily disclosed to enhance transparency. Where the risk level is unclear, providers may request official confirmation from MOST.
  • Deployers may rely on the provider’s classification but must reassess if any modification could increase the risk level.


Inspection is applied proportionately to the system’s risk level: high-risk systems are subject to periodic inspections or ad-hoc checks upon signs of violations; medium-risk systems are monitored through reports, sampling inspections or independent assessments; and low-risk systems are only reviewed in case of incidents, complaints, or safety concerns, without imposing unnecessary burdens on organisations or individuals. [2]

2.2 Transparency obligations for AI systems

Providers must ensure users can recognize when they are interacting with an AI system and must mark AI-generated audio, images and videos in a machine-readable format. Deployers must clearly disclose when AI-generated or AI-edited content is made public and could mislead users about real people or events. Content that imitates a person’s appearance or voice, or recreates real events, must carry a clear label, without affecting the display of artistic works. Both providers and deployers must maintain these transparency and labelling measures throughout the system’s lifecycle.[3]

2.3 AI incident reporting and management requirements

Developers, providers, deployers and users must ensure system safety and promptly detect and remedy incidents. For serious incidents, developers and providers must take urgent technical measures and notify authorities, while deployers and users must record and report the incident and cooperate in remediation. Authorities may require suspension or reassessment when necessary. Notably, although the Law requires reporting through the national AI portal, the detailed procedures and timelines are not yet defined and will be specified later by the Government.[4]

2.4 Obligations for each risk-based AI systems

a. High-risk AI systems:[5]

High-risk AI systems must undergo conformity assessment before deployment or when significant changes occur. Depending on the type of system, this assessment may require certification by a registered/recognized conformity assessment body or may be conducted through provider self-assessment subject to State supervision.

Obligations of providers and deployers throughout the lifecycle include:

  • Providers must implement risk-management measures; ensure quality and appropriate governance of training, testing and operational data; maintain and update technical documentation and system logs; ensure human oversight and intervention capability; comply with transparency, labelling, transparency and incident-handling requirements; provide necessary information to authorities and users without disclosing protected trade secrets; and cooperate with deployers and regulators in inspections, post-market monitoring and incident remediation.
  • Deployers must operate the system in line with its intended purpose and classified risk level; ensure data security and human-intervention capability; maintain compliance with applicable standards and transparency/incident-handling rules; provide required information to authorities and affected users; and coordinate with providers and competent authorities during inspections and remediation.


Foreign providers of high-risk systems must also have a legal point of contact or authorised representative in Vietnam, and must establish commercial presence where certification before use is required.

b. Medium-risk AI systems:[6]

Medium-risk AI systems must meet transparency requirements. Providers must explain the system’s purpose, functional principles, key input data and risk-control measures when requested, while deployers must explain system operation, risk control and incident handling and ensure user protection. Users must follow applicable notification and labelling duties.

c. Low-risk AI systems:[7]

Low-risk systems are subject to lighter obligations, with providers and deployers required to explain system operation only when signs of legal violations or harm arise.

d. AI systems in essential sectors [8]

AI applications in essential sectors that directly affect human life, health, lawful rights, or public safety must be subject to stricter, sector-specific risk management. This includes:

  • Healthcare: ensuring patient safety, reliability in real-world use, and protection of health data.
  • Education: ensuring age-appropriate use, preventing risks in assessment and influence on learners, and safeguarding data and privacy.

3. Prohibited acts

The AI Law prohibits the following:[9]

  • Misappropriating or exploiting AI systems to commit unlawful acts or infringe lawful rights;
  • Developing, providing, deploying, or using AI systems for prohibited purposes, including deception, manipulation, exploiting vulnerable groups, or creating/disseminating harmful deepfake content;
  • Collecting, processing, or using data for AI activities in violation of data, personal data protection, IP, or cybersecurity laws;
  • Interfering with, disabling, or distorting required human-oversight and control mechanisms;
  • Concealing or falsifying mandatory information, labels, or warnings related to AI systems;
  • Abusing AI research, testing, evaluation, or conformity-assessment activities for unlawful purposes.

4. Violations and liability

Violation of the AI Law or other relevant AI regulations may, depending on the nature and consequences of the violation, face administrative or criminal penalties, and must compensate for any damage caused in accordance with the law. If a high-risk AI system is properly managed and operated but still causes harm, the deployer is liable for compensation, with a right to seek reimbursement from the provider or developer if agreed. Liability is exempt where damage results entirely from the victim’s intentional fault or from force majeure or necessity. If a third party unlawfully interferes with or takes control of the system, that third party is liable; however, providers or deployers must share liability if their fault contributed to the system’s compromise. [10]

5. AI development policies – opportunities for businesses

Alongside general principles and strategic policies on AI (such as national AI infrastructure, AI data resources, and ethics frameworks), the AI Law introduces several mechanisms to promote AI development, including the establishment of the National AI Development Fund and a support-token (voucher-type) mechanism that enables organisations to access shared computing infrastructure, national datasets and Vietnamese large language models for research, development and deployment. The Law also establishes a controlled testing (sandbox) mechanism that allows organisations to trial AI systems under regulatory supervision before official deployment.[11] These tools help reduce experimentation costs, mitigate risks and enable technology companies, particularly high-tech startups, to test and validate innovative AI applications with certain regulatory flexibilities.

6. Conclusion

Vietnam’s new AI Law marks a shift from principle-based governance to a detailed, risk-based compliance framework. Because regulatory duties are tied to the risk classification of each AI system, businesses must proactively assess and classify their AI use cases and prepare the required documentation, transparency measures, human-oversight mechanisms and incident-response processes. Many key obligations will also be further detailed in forthcoming implementing decrees to keep pace with rapidly evolving AI technologies, so companies should closely monitor these developments to ensure timely and ongoing compliance.
———-

[1] Article 9 of the AI Law
[2] Article 10 of the AI Law
[3] Article 11 of the AI Law
[4] Article 12 of the AI Law
[5] Article 13 and Article 14 of the AI Law
[6] Article 15.1 of the AI Law
[7] Article 15.2 of the AI Law
[8] Article 6 of the AI Law
[9] Article 7 of the AI Law
[10] Article 29 of the AI Law
[11] Article 21 of the AI Law


  |