Vietnam’s AI Law Takes Shape: Key Insights from Decree 142

On 30 April 2026, the Government of Vietnam issued Decree No. 142/2026/ND-CP (Decree 142) detailing a number of articles and measures for implementing the Law on Artificial Intelligence (Law on AI), which took effect from 1 May 2026. 

Decree 142 elaborates on a number of important aspects of the Law on AI, thereby providing a clearer basis for organisations and enterprises to assess their compliance obligations when researching, developing, providing, deploying, or using artificial intelligence (AI) systems in Vietnam.

In this legal update, we highlight certain notable provisions of Decree 142.

1. Criteria for identifying high-risk and medium-risk AI systems

Decree 142 clarifies the criteria for determining whether an AI system is classified as high-risk. Accordingly, an AI system will be considered high-risk if it satisfies one or more of the following criteria:

(i) Degree of impact: The extent to which the system may cause harm to life, health, property, human rights, national interests, public interests, or national security; the degree of automation of the system; the level of support provided for final decision-making; and the extent to which human oversight and intervention are possible in the implementation of actions;

(ii) Area of use: Deployment in essential sectors (including healthcare and education sectors), or in sectors directly related to the public interest; and/or

(iii) Scope of users and scale of impact: The scope of users, the scale of affected persons or entities, or the degree of interconnection with critical technical infrastructure systems.

Even where the above criteria are met, an AI system may qualify for an exemption from the high-risk classification where the system:

(i) solely performs tasks relating to the collection, processing, standardisation, classification, translation, or improvement of data quality, and does not directly generate decisions affecting the legitimate rights and interests of organisations or individuals;

(ii) has technical mechanisms and operational procedures ensuring meaningful human oversight, whereby an authorised person is capable of independently reviewing, intervening in, rejecting, or modifying the system’s decision before such decision takes effect;

(iii) is used solely for the internal administration and operational activities of an organisation or enterprise, and does not directly affect the legal rights, obligations, or lawful interests of external organisations or individuals; or

(iv) solely performs analytical, forecasting, assessment, or recommendation functions of a consultative nature, and neither the provider nor the deploying entity may use the output as the sole basis for making a final decision.

In addition, Decree 142 provides that an AI system will be classified as medium-risk where it does not fall within the List of high-risk AI systems to be issued by the Prime Minister; and it is capable of causing confusion, influencing, or manipulating users due to the users’ inability to recognise that the interacting entity is an AI system or that the content has been generated by such system.

Nevertheless, certain AI systems will not be classified as medium-risk systems, including where the system:

(i) only supports technical editing to improve the presentation or appearance of content, does not generate new content, and does not alter the identity of the subject;

(ii) supports office-related work where users can clearly recognise, from the context of use, that the function is an AI tool, and the system does not perform simulation or imitation functions capable of causing confusion regarding identity or the authenticity of events;

(iii) does not directly interact with, or directly provide services or content to, the public, including cases where the system is not made available to the public through third parties or intermediary platforms;

(iv) is used in artistic activities, cinematography, video games, or other creative activities, and the context of publication clearly indicates that the content is fictional in nature; or

(v) only performs data processing, data analysis, or operational optimisation within a technical system; does not directly interact with users; does not generate content for public dissemination; and does not directly interact with the physical environment as a primary control function of the system.

2. Risk classification dossiers and notification procedures

Providers are required to prepare a risk classification dossier prior to deploying high-risk or medium-risk AI systems. Such a dossier should include: 

(i) information on identification of the system; 

(ii) a description of the system and its context of use; 

(iii) a general description of the main types of input data used in the operation of the system; and 

(iv) risk management content.

Decree 142 allows providers to use technical documentation or equivalent technical materials prepared in accordance with international standards to satisfy the dossier requirements, provided that such materials contain all information required under Decree 142. In addition, where the AI system involves the processing of personal data, providers may use the personal data processing impact assessment dossier prepared under personal data protection regulations to replace or integrate certain parts of the risk classification dossier to reduce administrative compliance costs.

For high-risk and medium-risk AI systems, providers must notify the Ministry of Science and Technology of the risk classification results via the AI Single-Window Portal (Portal) prior to deployment by either:

(i) directly submitting the notification through the Portal; or

(ii) automatically transmitting information via an application programming interface or other appropriate electronic methods in accordance with applicable laws.

Upon completion of the notification, the system will automatically record the information, issue an AI system identification code and send an electronic confirmation to the provider.

3. Transparency, technical marking and labelling obligations

Decree 142 requires providers and deployers to comply with transparency obligations in relation to AI systems and AI-generated content, including:

(i) implementing notification, technical marking and labelling measures for AI systems and AI-generated content;

(ii) providing information regarding the purposes of use, scope of application, conditions of use, and limitations of AI systems; and

(iii) retaining information and documentation for inspection and supervision purposes.

For audio, image or video outputs, providers must implement technical measures to mark such content in a machine-readable format, including, among others, through file structure markers, metadata integration, digital signatures, electronic signatures, or equivalent technical measures. Deployers are also required to apply visible labels to audio, image or video content generated or modified by AI systems where such content simulates the appearance or voice of real persons or recreates actual events, unless otherwise provided by law.

For open-source or free-of-charge AI systems, providers will be deemed to have complied with the technical marking obligations where they have either integrated built-in marking functionality or publicly disclosed tools, configurations, application programming interfaces, or technical documentation enabling deployers to configure and operate such marking functionality.

Apart from the above, labelling obligations do not apply to deployers in the following cases:

(i) content is subject only to technical editing to improve quality without changing its nature or context;

(ii) text is processed using tools for spelling correction, grammar correction, summarisation, paraphrasing, or translation without materially distorting the original meaning;

(iii) content is used solely for internal purposes and is not publicly disclosed; or

(iv) content is generated for research, development, or testing purposes within a controlled environment and is not publicly disclosed.

4. Reporting and handling of serious incidents

Decree 142 specifies circumstances that constitute serious AI system incidents, including incidents causing:

(i) loss of life or serious harm to human health;

(ii) significant property damage or serious disruption to organisational activities;

(iii) serious infringement of human rights or the legitimate rights and interests of organisations or individuals; or

(iv) serious disruption to public services, essential services, or negative impacts on national security, social order and safety.

Where a serious incident occurs, subject to their roles, relevant parties are responsible for recording the incident, implementing measures to mitigate damage, applying technical measures to prevent and remedy the incident, as well as cooperating in providing information necessary for incident handling.

In addition, providers or deployers must submit a preliminary incident report via the Portal within:

(i) seventy-two (72) hours from the time the incident is confirmed for urgent or uncontrollable serious incidents; or

(ii) five (5) working days from the time the incident is confirmed for other serious incidents.

Providers and deployers must also retain system logs, data, and information relating to the incident, and submit a formal incident remediation report within fifteen (15) days from the submission date of the preliminary report.

5. Regulatory sandbox for AI systems

Research, development, or testing activities conducted within simulated environments, closed environments, or internal testing environments will fall outside the scope of the regulatory sandbox where no actual participants are involved and no external impact is generated outside the organisation.

The regulatory sandbox is classified into three (3) levels based on factors including:

(i) the risk level of the AI system;

(ii) the nature of the data used, including personal data, sensitive personal data, children’s personal data, or restricted data;

(iii) the scope and scale for deployment of regulatory sandbox; and

(iv) the degree of impact on national security, social order and safety, and the legitimate rights and interests of organisations and individuals.

To participate in the regulatory sandbox, organisations or individuals must submit an application dossier electronically through the National Public Service Portal and obtain a Regulatory Sandbox Participation Certificate.

During the testing period, participants must comply with periodic reporting obligations and ad hoc reporting obligations in the event of serious incidents or where the approved testing limits are exceeded.

No later than fifteen (15) days prior to the expiry of the testing period, participants must submit a final testing report. Upon completion of the testing period, participants may continue operating the AI system during a transitional period of up to twelve (12) months within the scope and conditions specified in the Regulatory Sandbox Completion Certificate.

In summary, Decree 142 plays an important role in facilitating the practical implementation of the Law on AI, particularly through clarifying compliance obligations applicable to organisations and enterprises engaged in the development, provision, deployment, or use of AI systems in Vietnam. Businesses are advised to proactively review their existing AI systems, assess the applicable risk classification, prepare the necessary internal dossiers and compliance procedures, and continue monitoring forthcoming technical guidance and the anticipated list of high-risk AI systems to be issued by State authorities. 

Click here to download: Legal Update (EN) - Vietnam’s AI Law Takes Shape: Key Insights from Decree 142

This material provides only a summary of the subject matter covered, without the assumption of a duty of care by Frasers Law Company.
The summary is not intended to be nor should it be relied on as a substitute for legal or other professional advice.

© Copyright in this article is owned by Frasers Law Company