1. Introduction
On March 1, 2026, Vietnam entered a new era of digital governance with the activation of Law No. 134/2025/QH15 of the National Assembly: Law on Artificial Intelligence, a landmark piece of legislation built on the fundamental essence of human-centricity. Grounded in Article 4, this framework mandates that AI serves as an assistive tool to augment human capability rather than displace human judgment, ensuring that "the human remains the final arbiter" in all critical decisions. This "Management for Development" philosophy bridges the gap between safety and progress, pairing an ethical anchor with the economic engine of Article 5, which promotes "green" infrastructure and regulatory sandboxes. By balancing a risk-based management approach in Chapter II with the aggressive innovation incentives of Chapter IV, the law ensures that technological growth remains accountable to Vietnamese cultural values and public safety. This article explores who needs to comply with the law, the key definitions, the specific obligations for stakeholders, and the regulatory mechanisms that define this new legal landscape.
2. Key Facts & Timelines
- Effective Date: March 1, 2026.
- Compliance Grace Period:
  - 12 Months (March 2027): For general AI systems.
  - 18 Months (Sept 2027): For critical sectors like healthcare and finance.
- Enforcement (Article 29): Violations can lead to system suspension, recalls, and administrative fines (up to 2% of annual revenue for severe breaches).
3. Who Needs to Comply with the Law?
Under Article 2, the law establishes a broad scope of application to ensure all entities within the Vietnamese AI ecosystem are regulated. This jurisdiction applies to three primary groups:
- AI Providers and Developers: Entities that research, create, or market AI systems;
- AI Deployers: Organizations or individuals utilizing AI systems for professional or commercial purposes; and
- Foreign Entities: International companies providing AI services to users in Vietnam or whose operations significantly impact the local market.
4. Key Definitions and Operational Terms
The law relies on the following core concepts to implement its "Management for Development" strategy:
Artificial Intelligence (AI) (Article 3.1): Defined as the electronic implementation of human intellectual capabilities, including learning, reasoning, perception, judgment, and natural language understanding. This definition focuses on the "cognitive" functions being replicated.
Artificial Intelligence System (AI System) (Article 3.2): A machine-based system designed to perform AI capabilities with varying levels of autonomy and the ability to adapt after deployment. Based on explicit or implicit objectives, the system infers from input data to generate outputs—such as predictions, content, recommendations, or decisions—that can influence physical or digital environments.
High-Risk AI (Article 9): Refers to systems identified by the Prime Minister that could significantly harm life, health, human rights, or national security. These systems trigger the most stringent regulatory requirements.
Conformity Assessment (Article 13): The mandatory verification process to ensure a High-Risk system meets all safety and technical standards before it is "put into service" or placed on the market.
AI Single-Window Portal (Article 8): The government’s official digital platform designed to streamline administrative tasks. It serves as a hub for sandbox registration, incident reporting, and the public disclosure of AI system classifications.
5. The Risk-Based Hierarchy (Articles 9 & 10)
This table explains how the law classifies AI based on its potential impact.
| Risk Level | Key Criteria | Compliance Obligations |
| --- | --- | --- |
| High-Risk | Significant threat to life, health, legal rights, or national security. | Mandatory Conformity Assessments, third-party audits, and periodic inspections. |
| Medium-Risk | Chatbots or deepfakes that could manipulate or confuse users. | Transparency requirements, reporting, and sample testing. |
| Low-Risk | Systems not meeting High or Medium criteria. | Minimal restrictions to foster innovation. |
6. Core Obligations for Organizations
This table breaks down the specific legal duties found in Articles 11–14.
| Area of Obligation | Legal Requirement | Key Action Items |
| --- | --- | --- |
| Transparency | Article 11 | Clearly label AI-generated content; use machine-readable watermarks for audio/video; notify users of AI interactions. |
| Incident Management | Article 12 | Immediate Action: Rectify faults, suspend/recall risky systems, and notify authorities during serious incidents. |
| Pre-Market Quality | Article 13 | High-risk systems must pass a Conformity Assessment and recertify if the system logic changes significantly. |
| Ongoing Management | Article 14 | Maintain technical dossiers/activity logs; ensure high data quality; implement Human-in-the-Loop overrides. |
7. Individual Rights and Safeguards
Vietnam’s AI Law establishes a robust shield for individuals by integrating specific protections across several key articles:
- Right to Know (Article 11): Mandates clear labeling of AI-generated content (simulations of people/events) to ensure users can distinguish machine-made from authentic interactions.
- Protection from Deception (Article 7): Prohibits AI applications designed for cognitive manipulation or the exploitation of vulnerable groups (e.g., children, the elderly, or ethnic minorities).
- Human Oversight in Public Sector (Article 27): Guarantees that AI cannot replace human legal authority. Citizens retain the right to have significant, life-altering decisions reviewed by a human official rather than an algorithm.
8. Regulatory Authority
Ministry of Science and Technology (MoST) (Article 30): Acts as the central focal point for unified state management and national AI infrastructure.
Sector-Specific Ministries (Article 6): Exercise "stricter management" via specialized guidelines for essential fields like health and education.
Dual-Layered Strategy: Combines centralized technical standards with expert-led oversight for high-impact sectors.
9. Important Exceptions & Exemptions
Under Article 2, the law is designed for broad application across all entities; however, a vital exception exists for systems used exclusively for national defense, cryptography, or state security, which fall outside this general regulatory scope. To balance this strict oversight with the goal of economic growth, Article 21 introduces the Controlled Testing Mechanism (Regulatory Sandbox). This framework allows participating organizations to test innovative AI solutions under state supervision, with the potential to receive specific exemptions, reductions, or adjustments to their standard compliance obligations. By integrating these exceptions, the law ensures that national security remains uncompromised while providing a "fast lane" for developers to refine cutting-edge technologies with reduced regulatory friction.
10. How Can an Organization Operationalize the Law?
Step 1: Register Your AI Assets (Article 8)
Companies must maintain a clear inventory of their AI models and link them to the National Database via the One-Stop AI Web Portal. This portal is used for:
- Risk Grading: Reporting if your model is "High-Risk" or "General."
- Safety Records: Uploading required certificates for high-impact systems.
- Incident Reports: Logging performance data or reporting serious technical failures.
Step 2: Conduct an Impact Audit (Article 27)
If your AI affects public services or human rights, you must perform an ethical "health check" to ensure:
- Fairness: Identifying if the AI might discriminate or harm public interests.
- Human Control: Proving that a person can step in and override the AI at any time.
- Safety Measures: Documenting exactly how you are keeping the system under control.
Step 3: Build in Transparency (Article 11)
Transparency must be part of the AI's design, not an afterthought. You must ensure:
- Disclosure: Users must be told immediately if they are talking to a chatbot.
- Digital Watermarks: All AI-generated photos, videos, and audio must have "hidden tags" that machines can detect.
- Clear Labels: Any AI content that looks like a real person or event must be clearly labeled to prevent deception.
How Can Securiti Help?
Securiti pioneered the Data Command Center, a centralized platform for the safe use of data and AI. It delivers unified data intelligence, controls, and orchestration across hybrid multicloud environments, helping large global enterprises operationalize data security, privacy, governance, compliance, and AI risk management in one place.
For organizations adopting GenAI, Securiti helps turn governance requirements into practical workflows. Through AI Security & Governance, Securiti enables teams to discover and inventory AI systems, identify unsanctioned or shadow AI usage, assess AI risk, and apply controls across cloud and SaaS environments. This gives organizations a stronger foundation for aligning AI use with regulatory obligations and internal governance requirements.
Securiti also helps organizations reduce GenAI risk in real time. Its context-aware controls for AI interactions help monitor prompts, responses, and data flows, supporting safer use of AI systems and reducing the risk of harmful, deceptive, or policy-violating outputs. At the same time, Assessment Automation and Compliance Management help teams standardize governance reviews, manage conformity and control assessments, and maintain the documentation and evidence needed for higher-risk AI use cases.
A key strength of the platform is its ability to connect data and AI governance. With Data Mapping, Data Intelligence, and Data Privacy Management, Securiti helps organizations understand what data is being used in AI systems, where it resides, how it moves, and whether its use aligns with privacy, cybersecurity, and data protection requirements. This allows teams to reduce unauthorized use, strengthen purpose limitation, and build a more defensible governance model for AI across the enterprise.