Vietnam entered 2026 as the first ASEAN member state with a binding, cross-sector AI law on its books. The Law on Digital Technology Industry, passed by the National Assembly in 2025 and effective from 1 January 2026, dedicates a full chapter to artificial intelligence and introduces risk-based classification, developer and deployer obligations, and content transparency requirements. For global operators serving Vietnamese users or building teams in Vietnam's fast-growing technology sector, understanding this framework is now a baseline compliance task, not a future consideration.
Key takeaways
- The Law on Digital Technology Industry (Law No. 71/2025/QH15) took effect 1 January 2026 and is the first binding, cross-sector AI law adopted by an ASEAN member state, moving Vietnam ahead of Singapore, Malaysia, and Thailand, all of which currently rely on voluntary frameworks.
- The law introduces risk-based classification for AI systems, with high-risk systems facing risk management, documentation, and human oversight obligations broadly comparable in structure, though not in scope or penalty severity, to the EU AI Act's high-risk category.
- The Ministry of Information and Communications (MIC) is the lead supervisory authority, with sector regulators including the State Bank of Vietnam retaining domain-specific oversight.
- A content labelling obligation requires disclosure of AI-generated or AI-manipulated synthetic media likely to be mistaken for authentic content, structurally similar to Article 50 of the EU AI Act.
- The EU AI Act applies independently to any Vietnamese operator with EU-facing AI deployments, regardless of Vietnamese domestic compliance status.
Why Vietnam moved first in ASEAN
Vietnam's decision to legislate AI governance through a binding statute, rather than the voluntary principles-based approach adopted across most of Southeast Asia, reflects the same dual priority seen across the region: attract AI investment while managing the political and social risk of ungoverned deployment. What sets Vietnam apart is the vehicle chosen. Singapore's Model AI Governance Framework, Malaysia's MDEC AI Principles, and Thailand's draft AI guidelines are all voluntary instruments layered onto existing sector regulation. Vietnam instead built AI governance directly into a new, binding digital technology industry law, giving its AI chapter the same statutory force as the law's provisions on semiconductors, digital assets, and data centre investment.
The National Assembly passed the Law on Digital Technology Industry in 2025 as part of a broader legislative push to formalise Vietnam's digital economy strategy, which the government has positioned as a pillar of its growth model through 2030. The AI chapter was added following an extended consultation period that drew on the EU AI Act's risk-tiered structure and Vietnam's own National Strategy on Research, Development, and Application of Artificial Intelligence, originally issued in 2021 and updated in 2024. The result is a framework that borrows the EU's classification logic while calibrating obligations and penalties to Vietnam's domestic regulatory capacity and enforcement infrastructure.
Structure of the AI chapter in Law 71/2025
The AI provisions within the Law on Digital Technology Industry establish four core pillars. The first is a definitional framework for AI systems, adapted from the OECD's definition and broadly aligned with the definition used in Regulation (EU) 2024/1689, covering systems that generate outputs such as predictions, recommendations, or decisions influencing physical or virtual environments.
The second pillar is risk-based classification. The law divides AI systems into a high-risk category, covering systems with material potential impact on safety, fundamental rights, or critical infrastructure, and a standard category for systems outside that scope. Illustrative high-risk categories referenced in the law's implementing framework include AI used in critical infrastructure management, healthcare diagnosis and treatment recommendations, employment and credit decisioning, and law enforcement support tools. The precise boundaries of these categories, including thresholds and sector-specific carve-outs, are delegated to implementing decrees issued by MIC, several of which were still in draft or early-adoption stage through mid-2026.
The third pillar sets obligations for developers and deployers of high-risk AI systems, including risk assessment prior to deployment, technical documentation describing the system's design and intended use, human oversight mechanisms proportionate to the system's risk level, and incident reporting to MIC where a high-risk system causes material harm. The fourth pillar addresses transparency, requiring disclosure where content is AI-generated or AI-manipulated in a way that could reasonably mislead a user into believing it is authentic human-generated material.
The Ministry of Information and Communications as lead authority
MIC holds primary supervisory responsibility for AI under Law 71/2025, a natural extension of its existing authority over Vietnam's digital economy, telecommunications, and cybersecurity regulation. MIC's responsibilities include issuing implementing guidance and decrees that fill in the classification and procedural detail the primary law leaves open, maintaining a registry function for high-risk AI systems deployed at scale, coordinating with provincial departments of information and communications on local enforcement, and cooperating with sector regulators where AI is deployed in a regulated domain.
Sector regulators retain concurrent authority within their domains. The State Bank of Vietnam (SBV) oversees AI used in credit scoring, fraud detection, and algorithmic trading within licensed financial institutions, building on SBV's existing digital transformation guidance for banks. The Ministry of Health has jurisdiction over AI systems used in clinical diagnosis, treatment recommendation, and medical device software. This layered structure mirrors the pattern seen in the EU, where the AI Office coordinates centrally while national market surveillance authorities and sector regulators retain domain expertise, though Vietnam's version is considerably less mature in its implementing infrastructure as of mid-2026.
Content labelling and the transparency obligation
The transparency provisions in Law 71/2025 require that AI-generated or AI-manipulated content be labelled or otherwise disclosed where a reasonable user could mistake it for authentic human-generated material. This covers synthetic images, audio, and video, and extends to text-based content generated for purposes such as news reporting or public commentary where authenticity carries particular weight. The obligation applies to both the developers of generative AI systems, who must build labelling or watermarking capability into their tools, and deployers, who must ensure that labelling is actually applied and visible to end users.
This structure is close in substance to Article 50 of the EU AI Act, which requires disclosure of AI interaction, labelling of synthetic content, and disclosure of deepfakes and AI-generated text published for public information purposes. The practical implementing detail for Vietnam, including specific labelling formats, technical watermarking standards, and enforcement thresholds for what counts as content that could reasonably mislead a user, was still being developed by MIC through mid-2026, meaning operators should expect further guidance and should build labelling capability with enough flexibility to adapt to finalised technical standards.
Obligations for high-risk AI deployers
Deployers of AI systems classified as high-risk under Law 71/2025 face a compliance programme that will be structurally familiar to any operator already working through EU AI Act Article 26 obligations, though calibrated to a lighter documentary burden at this early implementation stage. The core obligations are a pre-deployment risk assessment identifying the system's potential impact on safety and fundamental rights, technical documentation sufficient to demonstrate the system's intended purpose and known limitations, a human oversight arrangement appropriate to the system's risk level and deployment context, and an incident reporting channel to notify MIC or the relevant sector regulator where the system causes material harm.
Operators who have already built EU AI Act Article 9 risk management systems, Article 14 human oversight arrangements, or Article 72 post-market monitoring processes will find that much of the underlying documentation is directly reusable for Vietnamese compliance, since both frameworks are asking the same foundational risk-management questions. The gap to close is procedural: registering with MIC where required, aligning incident reporting timelines and formats to Vietnamese requirements, and confirming that any translated documentation meets Vietnamese-language filing requirements where applicable.
Enforcement and penalties
Enforcement under Law 71/2025 sits with MIC and, for sector-specific violations, the relevant sector regulator, with escalation available through Vietnam's administrative sanctions framework and, in serious cases, referral for criminal liability under existing provisions of Vietnamese law covering data protection and cybersecurity offences. Administrative penalties for AI-related violations are calibrated in the law's implementing decrees, with fines scaled to the severity of the violation and the risk classification of the system involved. As of mid-2026, published penalty schedules for AI-specific violations remained narrower in absolute terms than the EU AI Act's turnover-based fines, reflecting Vietnam's broader administrative sanctions practice, though MIC has signalled that penalty schedules will be revisited as enforcement experience accumulates.
For repeat or severe violations, particularly those involving high-risk systems deployed without required risk assessment or oversight, Vietnamese authorities retain the ability to suspend or revoke a system's operating authorisation, order remediation measures, and require public disclosure of the violation. This escalation structure is broadly consistent with the enforcement posture MIC has applied in cybersecurity and data protection matters under Vietnam's 2018 Cybersecurity Law, giving operators a reasonable basis for predicting how AI enforcement will develop in practice.
Comparison with the EU AI Act
The structural similarity between Vietnam's approach and the EU AI Act (Regulation (EU) 2024/1689) is closer than in most jurisdictions covered in this network, because Vietnam's drafters explicitly referenced the EU's risk-tiered model during the legislative process. Both frameworks classify AI systems by risk level, impose heavier documentation and oversight obligations on high-risk systems, and include a transparency obligation for AI-generated content. The material differences lie in scope, maturity, and penalty severity. The EU AI Act applies across all EU member states with harmonised enforcement architecture coordinated by the AI Office and national market surveillance authorities, backed by fines of up to EUR 35 million or 7 percent of global annual turnover. Vietnam's framework is newly in force, with substantial implementing detail still being finalised by MIC through 2026, and penalty levels considerably lower in absolute terms.
For global operators, the practical consequence is that Vietnamese compliance work should be built on top of, not instead of, an existing EU AI Act compliance programme where one exists. A deployer that has completed EU AI Act Article 9 risk management documentation, Article 13 instructions for use, and Article 14 human oversight arrangements has already produced the substantive analysis that Vietnamese risk assessment and documentation obligations require. A full analysis of EU AI Act deployer obligations is available at agentliability.eu.
Operator compliance priorities for Vietnam in 2026
The following priorities reflect the compliance structure as of July 2026, with the caveat that MIC's implementing decrees remain a moving target through the remainder of the year.
For operators deploying high-risk AI systems in Vietnam: conduct a pre-deployment risk assessment now, even where MIC's classification thresholds are not yet finalised in every sector, since the underlying risk analysis is reusable once formal thresholds are published. Establish a human oversight arrangement and document it in a form consistent with existing EU AI Act Article 14 documentation if one exists.
For operators offering generative AI or synthetic media tools to Vietnamese users: build labelling and disclosure capability into the product now, using flexible implementation that can be adapted once MIC finalises technical labelling standards. Treat the Article 50 EU AI Act labelling work already completed for EU deployments as the starting template.
For financial services and healthcare operators: engage directly with the State Bank of Vietnam or Ministry of Health guidance applicable to your sector in addition to MIC's general framework, since sector regulators retain concurrent and, in practice, more immediately enforced authority.
For organisations with EU market exposure: the EU AI Act applies regardless of Vietnamese incorporation or compliance status. Vietnamese domestic compliance does not substitute for EU Act compliance where EU persons are affected. The Agent Certified framework at agentcertified.eu provides a structured seven-dimension assessment that maps to both regimes and gives operators a single evidence base for cross-jurisdictional compliance and insurance underwriting purposes, with coverage pathways tracked at agentinsured.eu.
Frequently asked questions
What is Vietnam's Law on Digital Technology Industry?
The Law on Digital Technology Industry (Law No. 71/2025/QH15) was passed by Vietnam's National Assembly in 2025 and took effect on 1 January 2026. It is Vietnam's first comprehensive legal framework for the digital technology sector, and it contains a dedicated chapter on artificial intelligence that introduces risk-based classification, developer and deployer obligations, and content labelling requirements. It is the first binding, cross-sector AI law adopted by an ASEAN member state.
How does Vietnam classify AI systems by risk?
Law 71/2025 introduces a tiered classification broadly split into high-risk AI systems, those with significant potential impact on human rights, safety, or critical infrastructure, and standard AI systems that fall outside those categories. High-risk systems face heavier obligations including risk management documentation, human oversight requirements, and pre-deployment assessment. The precise classification criteria are set out in implementing decrees issued by the Ministry of Information and Communications following the law's entry into force.
Which authority enforces AI rules in Vietnam?
The Ministry of Information and Communications (MIC) is the lead authority for AI governance under Law 71/2025, with sector regulators retaining authority over AI deployed in their specific domains, including the State Bank of Vietnam for financial services AI and the Ministry of Health for healthcare AI applications. MIC is responsible for issuing implementing guidance, maintaining oversight of high-risk AI systems, and coordinating enforcement with provincial digital technology departments.
Does Vietnam require labelling of AI-generated content?
Yes. Law 71/2025 includes a transparency obligation requiring that AI-generated or AI-manipulated content, including synthetic images, audio, and video, be labelled or otherwise disclosed to users where the content could reasonably be mistaken for authentic human-generated material. This obligation is structurally similar to Article 50 of the EU AI Act, though Vietnam's implementing detail on labelling format and thresholds was still being finalised by MIC as of mid-2026.
Does the EU AI Act apply to Vietnamese companies with EU customers?
Yes. The EU AI Act applies to any provider placing an AI system on the EU market and to any deployer whose AI system's outputs affect persons located in the EU, regardless of where the company is incorporated. A Vietnamese company with EU-based customers or EU-facing AI deployments is within the Act's extraterritorial scope and must meet its obligations independently of compliance with Vietnamese domestic law.
References
- National Assembly of Vietnam. Law on Digital Technology Industry (Law No. 71/2025/QH15). Passed 2025, effective 1 January 2026.
- Ministry of Information and Communications (MIC), Vietnam. Implementing decrees and guidance on AI risk classification. 2026 (ongoing).
- Vietnam Government. National Strategy on Research, Development, and Application of Artificial Intelligence to 2030. Issued 2021, updated 2024.
- State Bank of Vietnam. Digital transformation and AI governance guidance for licensed financial institutions. 2024-2026.
- Vietnam National Assembly. Law on Cybersecurity. 2018. Enforcement precedent for digital economy administrative sanctions.
- European Parliament and Council. Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Official Journal of the European Union, 12 July 2024.
- OECD. OECD Principles on Artificial Intelligence. 2024 revision. OECD Publishing, Paris. Definitional reference used in Law 71/2025 drafting.