Vietnam’s AI Framework: Compliance and Business Impact

Introduction

Vietnam has quickly emerged as one of Southeast Asia’s most aggressive regulators of artificial intelligence, data governance, and digital infrastructure. The country’s regulatory framework significantly expanded after the passage of the Law on Data (Law No. 60/2024/QH15), which took effect on July 1, 2025, followed by the Law on Personal Data Protection (Law No. 91/2025/QH15), which became effective on January 1, 2026. These laws created stricter obligations around data protection, cross-border data transfers, data sovereignty, and the storage of sensitive personal data.

Vietnam also introduced its standalone AI framework in late 2025, which entered into force in March 2026 and created a more formal governance model for artificial intelligence systems. The government’s broader objective is clear: encourage AI development while protecting national security, strengthening digital sovereignty, and ensuring foreign technology providers do not operate without oversight. AI is recognized as a strategic technology integral to Vietnam’s digital transformation and innovation strategy, driving economic growth and national development. For businesses using AI tools, cloud computing services, cloud storage providers, automated decision-making systems, and global data infrastructure, Vietnam’s regulatory environment now requires significantly more compliance planning. The AI Law aims to enhance investor confidence by providing a predictable legal environment for businesses investing in AI technologies.

The law’s provisions, passed by the National Assembly, establish a comprehensive regulatory framework for AI activities, including scope, principles, governance, and compliance timelines, and take precedence over conflicting legal provisions. This framework creates strategic opportunities across sectors such as healthcare, finance, and manufacturing by facilitating access to national infrastructure and funding for AI applications, supporting the continued growth and competitiveness of Vietnam’s digital economy.

Scope and Guiding Principles for AI Systems

Vietnam’s AI framework applies to a wide range of entities involved in AI development, deployment, commercialization, and distribution. This includes software vendors, SaaS companies, financial institutions, healthcare providers, e-commerce businesses, cloud providers, and organizations offering internet-based services to users in Vietnam. The law is not limited to domestic companies. Foreign businesses that process data from Vietnamese consumers or deploy AI systems into the Vietnamese market may also fall under its jurisdiction.

This extraterritorial reach creates significant compliance implications for companies that rely on foreign cloud providers, offshore data centres, and global AI infrastructure. Organizations using a foreign cloud service provider to process data collected in Vietnam may trigger regulatory scrutiny if those activities involve cross-border data access, sensitive data processing, or restricted data categories. Regulatory authorities and competent authorities are responsible for overseeing compliance and enforcement in these scenarios. Businesses must now think carefully about where they process data, how they transfer information internationally, and whether their cloud services operate in a way that aligns with Vietnam’s broader data localization requirements.

Vietnam’s AI governance principles also emphasize transparency, fairness, accountability, cybersecurity, human oversight, lawful processing, and protecting personal data. These principles align with global regulatory trends while still reflecting Vietnam’s own focus on national control over digital infrastructure. As the framework develops, businesses should expect more detailed guidance from competent authorities to clarify sector-specific requirements and enforcement practices.

Risk-Based Classification and High-Risk AI Systems

Vietnam’s AI Law adopts a four-tier risk classification system, aligning with global models like the EU AI Act. The four risk levels are: prohibited AI systems, high-risk AI systems, limited-risk AI systems, and low-risk AI systems. This framework determines the level of regulatory control imposed on AI systems and guides compliance obligations for businesses developing or deploying AI.

High-risk AI systems face the strictest obligations because they can directly impact consumer rights, safety, or financial outcomes. AI tools used for healthcare diagnostics, credit scoring, employment screening, biometric identification, public surveillance, and critical information infrastructure are far more likely to face regulatory oversight. In contrast, low-risk AI systems are subject to less stringent, largely post-hoc oversight and limited regulatory requirements. AI systems used by organizations providing critical services may also fall under heightened scrutiny.

As part of compliance, businesses must conduct risk assessments and maintain detailed technical documentation for high-risk and other relevant AI systems. Before deploying high-risk systems, businesses may be required to conduct impact assessments, validate training datasets, document algorithmic decision-making processes, and demonstrate meaningful human oversight. Foreign providers entering Vietnam may also need local representatives to address compliance requirements and regulatory investigations.

National AI Database and System Registration

Vietnam’s regulatory framework introduces registration obligations for certain high-risk systems through a proposed National AI Database. In addition to registration, there is a requirement to register and monitor AI systems deployed in Vietnam via this centralized platform. This requirement is expected to become more detailed through future implementing regulations.

Businesses operating high-risk systems should prepare technical documentation that explains how the AI model functions, what datasets and training data were used during development, what safeguards exist to reduce bias, and how incidents are managed. Regulators may also request documentation related to model retraining, cybersecurity protections, and third-party integrations.

Operational logs are equally important. Companies may need to maintain records showing how their systems performed over time, how incidents were resolved, and whether any model updates materially changed outputs. Organizations that fail to maintain documentation may struggle during regulatory audits. High-risk AI systems under Vietnam’s classification must also undergo conformity assessments, register in the National AI Database, and implement mechanisms for human oversight and incident reporting.

Transparency and Labeling of AI-Generated Content

One of the most discussed parts of Vietnam’s AI framework is its transparency requirement for generative AI outputs. Organizations distributing AI-generated content may need to clearly disclose that the content was created using artificial intelligence.

This requirement can apply to synthetic text, audio, images, and video. Businesses may also need to implement machine-readable markers for synthetic media to help regulators and platforms identify manipulated content. These requirements are largely designed to reduce fraud, misinformation, and deceptive advertising practices.

Companies using AI chatbots must also notify users when they are interacting with an AI system rather than a human representative. This requirement may directly affect customer service operations, digital marketing campaigns, and automated content production workflows.

Data Governance and Data Law Intersections

This is where compliance becomes significantly more complex for global businesses. Vietnam’s Law on Data 2024 regulates the full lifecycle of digital data, including collection, storage, sharing, encryption, and cross-border data flows. It applies to both personal data and non-personal data, making it broader than traditional privacy laws.

The Law on Personal Data Protection 2025 adds stricter requirements for businesses processing sensitive personal data. Companies must establish legal grounds for processing, obtain valid consent where necessary, and implement safeguards for protecting personal data. Data controllers have specific responsibilities under the Personal Data Protection Act 2019 (PDPA), including handling requests from data subjects for deletion, destruction, or de-identification of personal data, and implementing measures to protect data confidentiality and privacy. Cross-border data transfers are now heavily regulated. Businesses transferring personal data outside Vietnam must often submit a transfer impact assessment dossier, identify data recipients, document security measures, and explain why the transfer is necessary. This includes cloud storage, cloud computing services, foreign cloud providers, and multinational analytics tools.

While Vietnam does not currently impose broad data localization mandates on all businesses, certain restricted data categories tied to national security, critical services, financial sector data localization, health data storage, and sensitive government data may face stricter storage expectations. Businesses should evaluate whether they need local data centers or whether offshore data centers create compliance risks. AI systems may also intersect with intellectual property rights, especially in automated decision-making and data-driven services, making it essential for businesses to protect their innovations and creations within the AI ecosystem.

Compliance Obligations for Businesses and AI Development

AI compliance in Vietnam is becoming operational rather than theoretical. Businesses can no longer treat governance as a legal checkbox completed after product development. Organizations should conduct pre-deployment impact assessments before launching AI products, particularly when those systems process sensitive data or automate major decisions. Legal and regulatory compliance in AI deployment is crucial, requiring adherence to risk assessments, safety procedures, transparency, and oversight to ensure responsible and lawful use of AI technologies across industries. They should also implement incident detection workflows, incident reporting mechanisms, internal audit procedures, and governance structures that define accountability.

In addition, prompt detection and reporting of any serious incident involving AI systems is essential, with swift coordination with authorities to maintain safety and social stability. Human oversight remains a major requirement. Businesses must ensure that automated systems do not operate without meaningful review in high-risk environments. Companies should also align internal policies with Vietnam’s evolving compliance obligations. At the same time, technical standards provide voluntary guidance on AI terminology, lifecycle management, and governance frameworks, supporting responsible AI development and alignment with international norms.

Incentives and Regulatory Sandbox

Vietnam’s new AI Law establishes a comprehensive legal framework governing the development and deployment of AI systems, with a strong focus on fostering innovation while ensuring robust oversight. One of the law’s most forward-looking features is the introduction of incentives and a regulatory sandbox, designed to encourage responsible investment in AI technologies and streamline the path to market for both domestic and foreign providers.

The regulatory sandbox mechanism offers businesses a controlled environment to test and validate AI systems, especially high-risk AI systems, under relaxed regulatory conditions. This approach lowers barriers to entry for innovative solutions, allowing enterprises to experiment with new AI models, algorithms, and data governance practices without the immediate pressure of full compliance. By mirroring global regulatory trends, such as those set by the EU AI Act, Vietnam’s sandbox supports a risk-based regulatory framework that balances innovation with consumer protection.

Foreign providers of high-risk AI systems are required to appoint a local legal representative, ensuring a lawful contact point for compliance and communication with Vietnamese authorities. The AI Law applies broadly to Vietnamese and foreign organizations engaging in AI-related activities within Vietnam, but specifically excludes activities conducted solely for national defense, security, or cryptography.

Within the sandbox, businesses can perform security verification, incident reporting, and system safety assessments, helping them meet the law’s requirements for conformity assessment and system registration before full-scale deployment. This process is particularly valuable for high-risk and medium-risk systems, which are subject to more stringent oversight, including human oversight mechanisms and detailed technical documentation. The sandbox also provides an opportunity to refine risk management strategies and ensure that personal data protection standards are met from the outset.

The AI Law’s risk-based classification model, categorizing AI systems as high risk, medium risk, or low risk systems, ensures that regulatory scrutiny is proportionate to the potential impact of each system. High-risk AI systems, such as those used in healthcare, finance, or critical infrastructure, must undergo rigorous conformity assessment and demonstrate robust data protection and human oversight. Meanwhile, low-risk systems benefit from lighter-touch regulation, encouraging broader adoption of AI technologies across sectors.

By establishing a national AI ecosystem and promoting transparency, the AI Law’s incentives and sandbox mechanisms support the growth of Vietnam’s digital economy. They provide a platform for businesses to innovate, test, and validate AI systems while reducing the risk of non-compliance. The law’s emphasis on data governance, incident reporting, security verification, and personal data protection ensures that AI systems are developed and deployed in a responsible and secure manner.

Implications for E-Commerce and Shopify Stores

E-commerce brands increasingly rely on artificial intelligence for personalization, recommendation engines, behavioral advertising, customer segmentation, and chatbot support. Many of these systems rely heavily on consumer tracking data. For Shopify merchants, this creates additional consent challenges. Businesses using AI personalization tools should ensure users understand how their personal data is being processed and whether that data is shared through cross-border data flows. Pandectes helps merchants address these risks by enabling multilingual cookie banners, granular consent tracking, and stronger alignment with Google Consent Mode. Businesses can better document user preferences while reducing compliance exposure tied to AI-driven advertising tools.

Liability, Incident Reporting, and Enforcement Under AI Regulation

Vietnam’s regulatory framework is increasingly enforcement-focused. Businesses should expect regulators to demand documentation when compliance failures occur. Competent authorities are responsible for overseeing incident reporting and enforcing sector-specific AI regulations, ensuring formal accountability within the governance framework. Organizations should create internal reporting templates for AI incidents, define accountability between providers and deployers, and establish response procedures for regulatory investigations, including coordination with competent authorities in the event of a serious incident. Failure to comply may result in fines, operational restrictions, or reputational damage.

Conclusion

Vietnam is positioning itself as both an AI growth market and a serious regulator of digital infrastructure. Its framework blends innovation incentives with stricter rules around data localization, data protection, cross-border data flows, and AI accountability. Businesses that proactively improve governance, strengthen consent mechanisms, document data transfers, and prepare for evolving compliance obligations will be far better positioned to scale responsibly in Vietnam’s growing digital economy.