.jpg)
The Law on Artificial Intelligence No. 134/2025/QH15, effective from 1 March 2026, marks the first time Vietnam has established a comprehensive legal framework for AI. For companies, this is not merely a technology law but also a new compliance framework governing many matters that were previously considered primarily from a technical or operational perspective. Therefore, instead of asking whether AI may be used in Vietnam, companies and investors should focus more on how AI should be deployed and used to comply with legal requirements.
1. The Law on Artificial Intelligence applies to more companies than many companies may expect
One of the key new features of the Law on Artificial Intelligence is that its scope is not limited to companies developing AI. From the outset, Articles 1 and 2 provide that the Law governs all activities relating to the research, development, provision, deployment and use of AI systems in Vietnam, and applies to both Vietnamese and foreign organisations and individuals engaging in such activities.
Notably, Article 3 clearly distinguishes four categories of entities, namely developers, providers, deployers and users, rather than focusing solely on companies developing AI as under the previous approach.
This is particularly important because many companies still assume that legal responsibility rests only with the entity developing the AI model.
In practice, a bank in Vietnam deploying a credit scoring system provided by a foreign AI provider, a hospital using AI-assisted diagnostic software, or an e-commerce platform integrating a third-party AI chatbot into its customer service system may all be regarded as deployers under the Law, even though they do not directly develop the AI model.
For high-risk AI systems, the obligations of deployers extend beyond merely using the system for its intended purpose. Under Article 14, a deployer must:
(i) operate and monitor the system in accordance with its intended purpose, scope and classified risk level;
(ii) ensure safety, data security and maintain the possibility of human intervention during use;
(iii) maintain compliance with applicable standards and technical regulations throughout the operation of the system;
(iv) fulfil obligations relating to transparency and incident handling;
(v) fulfil accountability obligations to competent state authorities regarding the operation of the system, risk control measures and incident handling; and
(vi) cooperate with the provider and competent state authorities during inspections, assessments and incident remediation.
Meanwhile, even end users do not fall entirely outside the scope of the Law. For high-risk AI systems, users must comply with operating procedures and technical instructions, must not unlawfully interfere with or alter the functions of the system, and must promptly report any incidents to the deployer. For medium-risk and low-risk AI systems, users remain subject to the corresponding obligations relating to notification, labelling or responsibility for the use of the system in accordance with Article 15.
Accordingly, the Law on Artificial Intelligence has shifted from an approach that regulates only technology developers to one that governs the entire AI system value chain. For companies, the first question is no longer, "Do we develop AI?", but rather, "What role do we play in the lifecycle of the AI system?" Correctly identifying a company's legal role will provide the basis for accurately assessing its compliance obligations.
2. Compliance begins with identifying the risk level of the AI system
Unlike many existing technology regulations, the Law on Artificial Intelligence does not impose the same set of obligations on all AI systems.
Instead, the Law adopts a risk-based regulatory approach, under which compliance obligations increase in proportion to the level of risk presented by the AI system.
For companies, this means that one of the first legal assessments is no longer determining the sector in which an AI system is used, but rather determining whether that AI system qualifies as a high-risk AI system under the Law.
This issue is likely to become a key consideration during product development, internal compliance reviews, as well as legal due diligence in future investments or mergers and acquisitions involving AI companies.
In practice, investors may no longer ask only what AI products a company is developing, but also how those products have been classified under the Law on Artificial Intelligence and what corresponding compliance measures the company has implemented.
3. High-risk AI systems will require significantly more documentation than current practice
For high-risk AI systems, companies are required to maintain comprehensive technical documentation and compliance documentation throughout the lifecycle of the system. Such documentation may include materials relating to risk management, data governance, technical documentation, human oversight mechanisms, activity log retention, system monitoring and incident management.
From a legal perspective, this represents a significant change. Previously, many technology companies regarded technical documentation primarily as an engineering requirement. However, under the Law on Artificial Intelligence, such documentation may also serve as evidence of legal compliance during inspections or examinations conducted by competent state authorities.
Accordingly, preparing technical documentation is no longer solely the responsibility of engineers. Instead, it requires close coordination among legal, compliance, engineering, cybersecurity and product management teams to ensure that all legal requirements are fully satisfied.
At the same time, companies should note that the Law generally does not require them to disclose source code, algorithms or technological trade secrets merely because an AI system is subject to regulation by competent state authorities. This reflects an effort to balance regulatory transparency with the protection of intellectual property rights and trade secrets.
4. Transparency is becoming a legal obligation rather than merely good practice
Another notable feature of the Law on Artificial Intelligence is its emphasis on transparency throughout the lifecycle of AI systems.
Depending on the type of AI system, companies may be required to inform users that they are interacting with AI, provide sufficient information regarding the capabilities and limitations of the system, and implement measures to enable AI-generated content to be identified.
These requirements will affect a wide range of companies beyond the technology sector, including companies operating AI-powered customer service platforms, recruitment software providers, online education companies, financial institutions using AI-assisted decision-making systems, as well as companies using generative AI in marketing or customer service activities.
From a practical perspective, transparency should no longer be regarded as an issue to be addressed only before a product is launched. Instead, companies should incorporate transparency requirements into the product design stage through close coordination among legal, product and engineering teams.
5. AI governance is becoming a board-level issue
The Law on Artificial Intelligence establishes a governance framework requiring companies to implement internal mechanisms to manage AI-related risks throughout the operation of AI systems.
For many companies, particularly financial institutions, healthcare providers and large technology companies, this means that AI governance will gradually become an integral part of corporate governance.
Rather than treating AI solely as an information technology issue, the board of directors and senior management may need to directly oversee matters such as AI risk management, internal controls, human oversight, data governance and incident management.
In practice, this may require companies to establish internal AI governance policies, clearly allocate responsibilities among relevant departments, and periodically review the compliance of AI systems throughout their operation.
6. Foreign AI providers should not assume that supplying AI from overseas is outside the scope of Vietnamese law
Under the Law on Artificial Intelligence, foreign organisations supplying certain AI systems, particularly high-risk AI systems, to the Vietnamese market may be required to comply with additional regulatory requirements, including appointing a lawful representative or maintaining an appropriate presence in Vietnam in certain circumstances.
This is an issue that multinational AI companies currently providing cross-border services to customers in Vietnam should pay particular attention to.
Although an AI system may be developed, operated and hosted entirely outside Vietnam, making that system available in the Vietnamese market may still trigger obligations under the new legal framework.
Accordingly, foreign investors should review not only their corporate structure, but also their product distribution model, service delivery channels and the allocation of responsibilities under contractual arrangements when supplying AI products or services to Vietnam.
7. The Law on Artificial Intelligence aims to regulate innovation rather than hinder it
Although much attention has been focused on compliance obligations, it should also be recognised that the Law is intended to promote AI development rather than restrict it.
In addition to imposing legal obligations, the Law also establishes various supporting mechanisms, including regulatory sandboxes, policies supporting research and development, AI investment incentives, the development of national AI infrastructure and measures to facilitate access to data for innovation.
For investors, a transparent legal framework is often just as valuable as investment incentives, as it enables companies to assess legal risks at an early stage and proactively take compliance costs into account in their investment decisions.
What should companies do now?
Although implementing regulations will continue to be issued, from a practical perspective, companies should:
(i) review all AI systems that are currently being developed, provided or used;
(ii) determine the company's legal role under the Law on Artificial Intelligence;
(iii) conduct a preliminary assessment to identify which AI systems may fall within the high-risk category;
(iv) review AI governance mechanisms, internal controls and risk management;
(v) assess the existing technical documentation against the requirements of the Law;
(vi) review contracts with AI providers and customers to clearly allocate legal responsibilities.
For companies preparing to invest in AI projects in Vietnam, incorporating compliance requirements from the project design stage will be considerably more effective than making adjustments after the products have already been commercialised.
Conclusion
Vietnam's Law on Artificial Intelligence marks a shift from technology regulation to risk-based AI governance, combining compliance requirements with policies that promote innovation. For companies and investors, the focus is no longer on whether AI may be used in Vietnam, but on how to establish a governance framework that complies with the requirements of the Law. Proactively reviewing AI governance systems, technical documentation and compliance procedures from now on will enable companies to better manage legal risks and be well positioned to seize opportunities in Vietnam's growing AI market.
