Vietnam Enacts Southeast Asia's First Comprehensive AI Law: What Legal Teams Need to Know
Vietnam's artificial intelligence law took effect on 1 March, marking the region's first comprehensive framework for AI. The statute sets rules for the development, supply, and use of AI technologies with a clear aim: grow the digital economy while managing AI risk.
Passed by the National Assembly in December, the framework enters into force now, with additional measures expected to roll out through 2026. Officials position it as a balance between innovation and oversight-especially for complex, high-impact systems.
Scope: Who's In and What's Covered
The law applies to domestic developers, providers, and users of AI systems, as well as foreign firms operating AI in Vietnam. If your product, model, or service touches Vietnamese users, data, or infrastructure, assume you have obligations.
Core Regulatory Pillars to Expect
While detailed implementing rules will clarify the edges, expect the framework to include familiar guardrails seen in other jurisdictions:
- Risk-based requirements with stricter duties for high-risk use cases.
- Registration, notification, or licensing for certain AI systems and providers.
- Transparency and labeling duties where AI interacts with individuals.
- Data governance: lawful sources, documentation of training data, privacy controls, and IP respect.
- Pre-deployment testing, security measures, and ongoing performance monitoring.
- Human oversight, clear accountability, and incident reporting procedures.
- Vendor management expectations across the AI supply chain.
- Audits, enforcement tools, and penalties for non-compliance.
Timing and Implementation
The law is effective from 1 March, with further provisions anticipated through 2026. Watch for decrees and circulars that define thresholds, sector-specific rules, and compliance windows. Early movers will have more room to negotiate timelines and methods.
Immediate Actions for Legal and Compliance Teams
- Inventory AI use: systems in development, in production, and sourced from vendors. Map data flows and impacted user groups.
- Determine scope: classify uses by risk and flag high-impact or sensitive contexts.
- Gap-assess policies and controls against expected obligations (testing, documentation, transparency, human oversight).
- Update contracts: add AI clauses on data sources, IP warranties, model changes, performance, security, and incident notification.
- Stand up governance: designate accountable owners, approval workflows, and recordkeeping for audits.
- Build repeatable processes: impact assessments, model evaluation logs, bias testing, and deprecation/recall procedures.
- Localize for Vietnam: consent mechanics, disclosures, language requirements, and government requests handling.
- Monitor regulators and sector rules to align high-risk deployments and public sector procurements.
Global Context
Vietnam's move tracks with a broader push to regulate AI. For comparison, review the EU's approach under the EU AI Act and high-level benchmarks like the OECD AI Principles. Expect interoperability questions on definitions, risk tiers, documentation, and cross-border operations.
Further Reading
For practical workflows, tools, and policy templates relevant to counsel, see AI for Legal.
Your membership also unlocks:
