Vietnam's AI Law: Risk Tiers and Conformity Certs | TLY

AI Regulation Tracker  /  Legislation in force

Vietnam's AI Law No. 134/2025 is in force: providers must risk-classify systems before deployment

Vietnam's standalone Law on Artificial Intelligence took effect March 1, 2026, forcing providers to sort every system into high, medium, or low risk before it ships and putting high-risk systems through pre-market certification. Foreign vendors selling in are pulled in too.

Vietnam's AI Law No. 134/2025 is in force: providers must risk-classify systems before deployment regulation briefing
The Leveraged Years AI Regulation Tracker

Vietnam now has a standalone artificial intelligence statute with operative duties, not a policy sketch. The Law on Artificial Intelligence No. 134/2025/QH15, passed by the National Assembly on December 10, 2025, took effect on March 1, 2026. It creates a standalone AI statute built on a three-tier risk model, an approach also taken by the European Union and South Korea rather than a patchwork of sector rules. The Ministry of Science and Technology is the lead agency.

The core duty: classify before you deploy

The heart of the law is a three-tier risk model. Providers must sort every AI system into high, medium, or low risk before deployment. That classification can be done by self-assessment or by an accredited conformity-assessment body. The obligation does not stop at launch. Deployers must re-classify a system when a change in its function or use creates new risk, so the classification is a living record rather than a one-time filing.

High-risk systems carry the heaviest load. They face pre-market conformity certification and periodic audits, meaning a high-risk system has to clear a certification step before it reaches the market and stay subject to review after that. Medium and low-risk systems sit under lighter obligations, so the tier a system lands in decides how much process it draws. That makes the classification itself, and the evidence behind it, the first document a Vietnamese regulator or an accredited assessor is likely to ask for. The structure borrows visibly from the EU AI Act, which also sorts systems by risk and places tighter obligations on the high-risk band.

The choice between self-assessment and an accredited conformity-assessment body is not cosmetic. A provider that self-assesses owns the judgment and the paper trail if that judgment is later questioned. Using an accredited body shifts part of that burden to a third party but adds cost and lead time. Either way, the law expects a defensible classification before deployment, not an after-the-fact rationalization.

The list that decides the stakes

Whether a given system needs pre-market certification turns on an official list of high-risk AI systems that the Prime Minister is to issue. That list is the pivot point of the whole regime: it converts the abstract tiers into concrete obligations for named categories of systems. As of this writing, publication of the list itself is not confirmed, so firms should treat the specific catalog of high-risk categories as pending and watch for it rather than assume today's read is final.

Foreign vendors are pulled in

The law reaches beyond Vietnamese companies. Foreign providers of high-risk AI systems must maintain a lawful local contact, and where certification is required, a commercial presence or an authorized representative in Vietnam. For US and EU vendors that sell AI into the Vietnamese market, that adds a local-presence and registration burden that did not exist before. The design echoes the extraterritorial logic of the GDPR and the EU AI Act, where selling into a market brings the market's rules and a local point of accountability with it.

What it does not do yet

The law does not give every provider until 2027 to think about this. Existing providers and deployers have a grace period to March 1, 2027, extended to September 1, 2027 for the health, education, and finance sectors, but new systems entering the market face the framework now. Nor does the law resolve every operational detail on its own. Key specifics, including the high-risk list and the mechanics of certification, are left to implementing measures and the Prime Minister's list. Firms that read the statute as the final word will miss the instruments that give it teeth.

A sourcing caution matters here. The widely circulated English text of Law 134 comes from luatvietnam.vn, a paid secondary translation, not an official source. The authoritative Vietnamese text sits on the government portal chinhphu.vn and the National Assembly site quochoi.vn. Any hard citation to an article number should be checked against those gazette copies rather than the translation.

The cross-border read for US professionals

For a US audience, Vietnam is a preview and a checklist item at once. It joins the EU and South Korea in building a purpose-built AI statute, and its local-representative rule mirrors the extraterritorial reach US firms already know from GDPR. A company that maps its AI governance to the EU AI Act's risk tiers will find the Vietnamese structure familiar, but it should not assume the two are interchangeable. The tiers rhyme; the certification steps, the local-presence rule, and the sector timelines are Vietnam's own.

Frequently Asked Questions

What changed under Vietnam's AI Law No. 134/2025/QH15?

Vietnam enacted a standalone AI law, in force since March 1, 2026, that requires providers to classify every AI system as high, medium, or low risk before deployment. High-risk systems face pre-market conformity certification and periodic audits, and the Prime Minister is to issue an official list of high-risk systems.

Who does the law affect?

AI providers and deployers operating in or selling into Vietnam, including foreign vendors. Providers classify systems before deployment; deployers must re-classify when a change in function or use creates new risk. Foreign high-risk providers also need a lawful local contact, and a commercial presence or authorized representative where certification applies.

When do the obligations bite?

The law has been in force since March 1, 2026. Existing providers and deployers have a grace period to March 1, 2027, extended to September 1, 2027 for health, education, and finance. New systems entering the market face the framework now.

Is the list of high-risk systems published?

Not confirmed. The Prime Minister is to issue an official list of high-risk AI systems that specifies which need pre-market certification. Until it is confirmed published, treat the specific high-risk categories as pending and monitor for the official text.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.