It’s been widely reported that Vietnam’s Law on Artificial Intelligence came into force on March 1st.
Lauded as one of the first laws of its kind in Southeast Asia, this new law is being seen as laying the groundwork for Vietnam to be a serious player in AI development in the region.
However, the law is more of an overarching framework than an immediately operational piece of legislation, with the actual legal work to be done by Decrees, Decisions, and Circulars still yet to come.
These additional requirements may take quite a bit longer to be realised, and as such, the impacts from what came into force on March 1st will be limited.
With this in mind, here are the key components of the law and what it still needs to be practically effective.
Vietnam’s broader governance model. References to national interests, public order, cultural values, and national security are central throughout the text.
In Vietnam’s legal system, these concepts often function as flexible regulatory tools that allow authorities to intervene where technologies or information flows are perceived to threaten social stability or official narratives.
Why this law? Why now? It could be an economic decision, it could be for cybersecurity objectives, or it could be political considerations around information control.
What does it cover?
Firstly, the law governs the development, supply, deployment, and use of artificial intelligence systems in Vietnam, including the rights and obligations of organisations and individuals involved, as well as how the state manages AI activities.
It does not apply to artificial intelligence systems used exclusively for national defence, security, or cryptography.
Governing principles
It also has a set of guiding principles, including:
- Human-centred use that protects human rights, privacy, and national interests.
- Human oversight, ensuring AI supports rather than replaces human decision-making.
- Fairness, transparency, and accountability, avoiding bias and discrimination.
- Sustainable development through energy-efficient and environmentally responsible AI.
1. Risk classification framework
What the law requires
Providers must classify AI systems as high, medium, or low risk before deployment, based on potential impacts (human rights, safety/security, sector of use, scale of impact).
Providers must classify systems before release and notify the Ministry of Science and Technology (MOST) via the national AI portal for medium and high-risk systems.
What’s missing?
- The risk criteria that determine which systems fall into each category
- Technical guidance on how classification must be performed
- The required documentation for classification filings
- How authorities will verify whether classifications are accurate
2. National AI portal and AI registry
What the law requires
The law requires a one-stop national AI portal and a national AI systems database for registration, classification submissions, incident reporting, publishing compliance outcomes, and public transparency information.
What’s missing?
- Portal design and build details
- Registration procedures (how and when organisations submit)
- Disclosure rules (what becomes public, what stays confidential)
- Security and access rules
- Standard forms/templates for filings (classification, incident reports, periodic reports)
3. Transparency and labelling
What the law requires
Systems that interact with people must make it clear that users are dealing with AI.
AI-generated or AI-edited audio, images, and video must be labelled, including content that simulates real people or events.
What’s missing?
- The technical labelling standard (e.g. watermark/metadata format)
- Machine-readable marking requirements
- Required user disclosure format (where/when the notice appears)
- Exemptions and sector-specific carve-outs
4. High-risk AI conformity assessment
What the law requires
High-risk systems must pass a conformity assessment before deployment (and again after significant changes).
Some systems will require third-party certification; others may allow provider self-assessment.
What’s missing?
- The official list of high-risk systems that require mandatory certification
- Detailed certification methodology and procedure
- Applicable technical standards/benchmarks
- The set of approved conformity assessment bodies
- Required technical documentation for assessments
5. Risk management and technical governance for high-risk systems
What the law requires
Providers must implement:
- risk management processes
- training/testing/operational data governance
- technical documentation and operational logs
- human oversight and the ability to intervene
- explainability/required disclosures to regulators and users
Deployers must:
- operate within the approved scope and risk classification
- maintain data security and ongoing monitoring
What’s missing?
- A concrete risk management standard (what “good” looks like)
- Log retention and content requirements
- Data quality expectations for training/testing data
- Practical rules for “human oversight” (minimum control, escalation, override)
6. AI incident reporting
What the law requires
Serious incidents must be reported via the national portal, with cooperation between developers, providers, deployers, and users.
Authorities can suspend, recall, or require re-evaluation of systems.
What’s missing?
- Thresholds defining what counts as a “serious incident”
- Reporting deadlines
- Investigation roles and procedures
- Required corrective actions and remediation timelines
7. National AI infrastructure
What the law requires
The law mandates national AI infrastructure (compute, shared datasets, testing environments, national language models, training platforms).
“Critical” AI applications in essential sectors must be deployed on national AI infrastructure.
What’s missing?
- Definition and list of “critical AI applications”
- Governance model (operator, oversight, audit)
- Access rules (eligibility, pricing, prioritisation)
- Funding and procurement mechanisms
8. National AI strategy
What the law requires
A National AI Strategy must be issued and updated at least every three years, including targets, priority areas, and measurement indicators.
What’s missing?
- The strategy itself
- The KPI framework and measurement methodology
- Priority sector list and implementation plan
9. Regulatory sandbox
What the law requires
A controlled sandbox allows supervised testing; results may support conformity assessment recognition or reduced obligations.
What’s missing?
- Eligibility criteria
- Application and approval process
- Testing limits (scope, duration, user exposure)
- Which obligations can be reduced or waived, and under what conditions
10. National AI ethics framework
What the law requires
A national ethics framework must guide responsible AI use and inform standards and guidance.
What’s missing?
- The ethics framework document
- Operational guidance (how organisations implement it in practice)
- Monitoring and enforcement approach (if any)
11. National AI development fund
What the law requires
A national fund will finance AI infrastructure, research, startups, and workforce development.
What’s missing?
- Fund governance and decision-making structure
- Eligibility and selection criteria
- Application process and reporting obligations
12. Liability framework
What the law requires
Primary liability for damage caused by compliant high-risk AI sits with the deployer, who can then seek reimbursement from the supplier/developer if agreed.
What’s missing?
- Specific administrative penalties and fine levels
- Practical guidance on allocating liability across multiple parties
- Any mandatory insurance rules (the law encourages insurance but does not require it)
13. State management structure
What the law requires
The Government has overall management; MOST is the focal agency; line ministries oversee their sectors; provinces enforce locally.
What’s missing?
- A clear inter-agency coordination mechanism (decision rights and conflict resolution)
- Sector-specific implementing rules for regulated domains (finance, health, education, etc.)
Timeline realities
The law sets the framework, but most operational requirements depend on Government decrees, Prime Minister decisions (lists and strategies), and MOST implementing guidance (standards, portal operations, technical rules) — there are a lot of moving parts and seeing all of the aforementioned gaps filled will likely take some time.