Vietnam’s AI regulatory framework has reached an important milestone. While the Law on Artificial Intelligence No. 134/2025/QH15 (AI Law) established the foundation for AI governance, many practical compliance requirements were left to implementing regulations.
On April 30, 2026, the government issued Decree No. 142/2026/ND-CP (Decree 142), which took effect on May 1, 2026, and provides the first detailed guidance on the implementation of the AI Law. Although an official list of high-risk AI systems is still pending from the prime minister, Decree 142 provides valuable insight into how Vietnam’s risk-based AI regulatory framework will operate in practice.
Risk Classification Framework
The AI Law adopts a risk-based approach under which AI systems are classified as high-risk, medium-risk, or low-risk. Decree 142 builds on this framework by providing detailed guidance on how these classifications are determined.
High-risk AI systems are determined based on factors such as (i) their potential impact on life, health, property, human rights, public interests, or national security; (ii) the sector in which they are deployed; and (iii) the scale of affected users or integration with critical infrastructure. The latest draft list of high-risk AI systems appears to follow these same principles.
Medium-risk AI systems generally include systems that may mislead, influence, or manipulate users, particularly where users may not realize they are interacting with AI or AI-generated content. The focus is therefore on transparency and authenticity risks rather than broader societal or safety concerns.
Low-risk AI systems are those that do not meet the criteria for either high-risk or medium-risk classification.
Importantly, Decree 142 seeks to avoid over-classification. Certain systems may fall outside the high-risk or medium-risk regimes, including internal-use systems, office-support tools, technical editing applications, certain back-end processing systems, and AI systems used in artistic, gaming, cinematic, or other creative contexts.
Providers must also review and reclassify AI systems where significant changes materially alter the system’s risk profile, where serious incidents reveal a higher level of risk, or where required by regulatory developments or competent authorities.
Key Compliance Requirements
Risk Classification Documentation and Notification of Medium- and High-Risk AI Systems
Before deployment, providers of medium-risk and high-risk AI systems must prepare risk classification dossiers containing key information regarding the system, its intended purpose, deployment context, affected users, principal input data, and applicable risk management measures.
Decree 142 limits disclosure obligations to information within the provider’s lawful access and control. Providers are generally not required to disclose source code, model parameters, raw training data, or protected confidential information. The decree also recognizes equivalent international technical documentation standards and, where an AI system uses personal data, permits a personal data processing impact assessment (DPIA) dossier prepared in accordance with personal data protection laws to replace or be integrated into the risk classification dossier, thereby reducing duplicative compliance requirements.
Providers must then notify the Ministry of Science and Technology (MST) of the risk classification results through the national AI one-stop portal before deployment. The notification follows a self-declaration model and automatically generates an AI system identification code and electronic confirmation.
Governance Requirements for High-Risk AI Systems
Decree 142 clarifies that mandatory third-party conformity certification applies only to certain categories of high-risk AI systems. For other high-risk systems, providers may conduct self-assessments or engage accredited conformity assessment organizations, while remaining responsible for the assessment results.
Providers of high-risk AI systems must also establish and maintain risk management systems addressing risk assessment, data quality, human oversight, risk mitigation measures, and ongoing reviews following significant system changes. Reassessment is required where material changes affect the original conformity assessment results.
Deployers are subject to corresponding obligations, including monitoring system performance, maintaining human oversight, implementing risk controls, and notifying providers and authorities where serious risks or incidents arise.
Transparency Requirements for All AI Systems
Transparency is a central feature of Decree 142. Providers must implement machine-readable technical markings for AI-generated or AI-modified audio, image, and video content, such as metadata, digital signatures, or other provenance verification measures. Separately, deployers making AI-generated content available to the public must provide clear notifications where such content could mislead users regarding authenticity, particularly in relation to deepfakes, simulated voices, and recreated real-world events.
The decree recognizes a number of exceptions, including certain technical edits, internal-use content, and research or testing activities. Overall, the framework adopts a dual-layer approach combining technical traceability with user-facing transparency.
Incident Reporting for All AI Systems
Decree 142 further clarifies the AI Law’s serious incident regime. Covered incidents include those involving death, serious health impacts, significant property damage, serious infringements of rights and interests, or disruptions to public services, essential services, national security, or public order.
Providers and deployers must submit preliminary reports within 72 hours for urgent incidents or within five working days for other serious incidents, preserve relevant logs and data, and submit follow-up reports within 15 days. Where incident reporting obligations also arise under cybersecurity, personal data protection, or sector-specific regulations, reporting must additionally comply with those requirements.
Foreign Providers
The AI Law requires foreign providers of certain high-risk AI systems subject to mandatory conformity certification to establish a commercial presence or appoint an authorized representative in Vietnam. Decree 142 does not further clarify the scope of this requirement, leaving uncertainty regarding its application to cross-border AI services.
Other Notable Developments
Decree 142 introduces a controlled regulatory sandbox mechanism for AI systems. Depending on the risk level, deployment scope, and data involved, participants may benefit from certain regulatory flexibilities during testing while remaining subject to regulatory oversight and compliance with cybersecurity and personal data protection laws.
The decree also contains transitional provisions pending the launch of the national AI one-stop portal. However, as of the date of writing, the portal has not yet been launched and no formal alternative submission mechanism has been announced.
Outlook
Decree 142 represents a significant step toward operationalizing Vietnam’s AI Law by introducing detailed compliance obligations, governance requirements, and implementation procedures, particularly for high-risk AI systems. However, several important elements remain pending, including the prime minister’s official list of high-risk AI systems, further guidance on conformity assessment methodologies, and the launch of the national AI one-stop portal. Businesses should therefore continue monitoring forthcoming regulations and guidance to assess the practical impact of the regime on their AI-related activities in Vietnam.
