Vietnam has launched a sweeping regulatory milestone. On 1 March 2026, the standalone Law on Artificial Intelligence officially took effect. The measure centralizes oversight, creates a risk-based framework, and lists outright bans. For global executives, the headline is clear. The Prohibited Acts Decree within the law empowers officials to suspend non-compliant systems immediately. Consequently, companies developing or deploying AI in Vietnam now face strict duties. However, the statute also offers sandboxes and funding to boost domestic innovation. Moreover, supporters claim the law could unlock $120 billion in economic value by 2040. This article explains the context, core rules, and next steps for compliance.

Vietnam's AI Law Context

Vietnam’s National Assembly adopted Law No. 134/2025/QH15 on 10 December 2025. Subsequently, the law replaced scattered provisions in earlier digital statutes. It entered force on 1 March 2026 after 429 of 434 delegates voted yes. Government briefs state the statute contains eight chapters and 35 articles. Moreover, it introduces the first comprehensive AI Governance regime in Southeast Asia.

Officials cite a BCG estimate that AI could add $120 billion to GDP by 2040. Therefore, policymakers balanced strict controls with pro-innovation measures like sandboxes and a national fund. Nevertheless, observers note many technical details remain pending in subordinate regulations.

These contextual points show why the Prohibited Acts Decree commands immediate boardroom attention. Meanwhile, deeper analysis of banned uses follows next.

Prohibited Acts Decree Scope

Article 7 enumerates AI behaviors that are absolutely forbidden. They include systems creating deceptive deepfakes that threaten national security or public order. Additionally, AI exploiting minors, harming vulnerable groups, or blocking human oversight is banned. In contrast, legitimate research remains allowed under separate research exemptions.

• Deepfake content threatening national security
• Mass facial recognition in public spaces
• AI systems exploiting minors or disabled users
• Data processing that violates privacy statutes

The Prohibited Acts Decree also criminalizes collecting personal data in breach of Vietnam’s cybersecurity statutes. Consequently, developers must map data flows carefully against existing privacy rules. Ethics committees inside large providers will need documented reviews before launch.

Overall, the decree defines an unacceptable-risk ceiling that no mitigation can cure. However, understanding the risk governance model clarifies what remains permissible.

Risk Governance Model Explained

Vietnam follows a tiered approach inspired by the EU draft AI Act. Systems are labeled high, medium, or low risk depending on potential harm severity. Moreover, high-risk categories include healthcare diagnostics, credit scoring, and critical infrastructure control. Providers of such systems must conduct impact assessments, maintain logs, and enable human override. However, whenever a system meets criteria under the Prohibited Acts Decree, regulators may prohibit deployment.

Medium-risk tools, such as chatbots, need transparency notices but face lighter duties. Low-risk applications, like spam filters, only require basic security hygiene. Governance obligations scale with risk, thereby aligning compliance costs with expected harm.

These calibrated rules illustrate Vietnam’s preference for balanced Governance rather than blanket bans. Consequently, attention now shifts to labeling and disclosure mandates.

Transparency And Labeling Rules

Article 11 mandates machine-readable watermarks on every AI-generated image, video, or audio file. Furthermore, users must be clearly informed whenever they interact with a non-human agent. In contrast, covert bots are allowed only under explicit security exemptions approved by authorities.

The Prohibited Acts Decree reinforces these labeling duties by linking non-compliance to suspension powers. Consequently, interface designers should collaborate early with compliance teams to embed disclosures. Ethics advisers can validate that labels are understandable across literacy levels.

Effective labeling builds public trust and limits deceptive content. Meanwhile, the next section details how enforcement will work in practice.

Enforcement Powers And Process

The Ministry of Science and Technology leads primary Enforcement actions under the new law. However, sector regulators, including the State Bank, will issue complementary technical guidance. Inspectors can demand documentation, order risk mitigation, or impose temporary suspensions.

For serious or repeated breaches, the Prohibited Acts Decree authorizes outright bans and administrative fines. Moreover, draft decrees propose revenue-based penalties, though final numbers remain unpublished. Enforcement roadmaps include six-month grace periods for legacy high-risk systems.

These layered powers create strong deterrence. Nevertheless, industry groups demand clear appeal procedures and independent oversight. Debate on rights and remedies continues in public consultations.

Effective Enforcement will hinge on transparent procedures and consistent risk assessments. Next, we assess how businesses and critics view the broader impact.

Industry Impact And Debate

Vietnamese tech giants, including VNG and VinAI, welcome legal certainty and public trust. Consequently, they plan to leverage sandboxes and the National AI Fund for rapid scaling. Foreign cloud providers, however, worry about cross-border data localization clauses.

Civil-liberties advocates argue the Prohibited Acts Decree could enable politically motivated censorship. Moreover, Asia Times highlights past cases where online satire triggered security investigations. Ethics scholars urge transparent Governance bodies to prevent abuse.

Analysts also flag compliance burdens on small and medium enterprises. Nevertheless, supporters expect new trust marks to attract foreign investment. These divergent views underline the importance of clear secondary rules.

The debate signals both opportunity and risk for the market. Therefore, enterprises must prepare concrete compliance roadmaps now.

Next Steps For Compliance

Companies should start by mapping all AI systems against the risk taxonomy. Additionally, they must document data sources, model testing, and human oversight measures. Legal teams should monitor forthcoming decrees that specify fine levels and banned lists.

Professionals can enhance their expertise with the AI Legal Strategist™ certification. Moreover, internal audit schedules should align with annual reporting cycles. The Prohibited Acts Decree requires incident reports within 72 hours of discovering harm.

Proactive planning will reduce last-minute fire drills during inspections. Consequently, leadership that embeds Ethics into design will navigate the regime confidently.

Vietnam’s AI statute marks a pivotal shift toward structured oversight and accountability. However, ultimate success depends on transparent Enforcement and fair Legal remedies. The Prohibited Acts Decree embodies the law’s sharpest edge, yet also offers clarity for planners. Consequently, organizations should monitor decrees, refine risk registers, and build cross-functional Ethics councils. Take action today by reviewing system inventories and pursuing advanced certifications. Doing so positions your team to innovate responsibly while avoiding costly penalties. Ultimately, disciplined preparation will transform compliance from burden into competitive advantage.