VCI Legal – May 12, 2026

The Government has issued Decree No. 142/2026/ND-CP detailing certain provisions and measures for implementing the Law on Artificial Intelligence (AI Law) No. 134/2025/QH15 (“Decree 142”), effective from May 1, 2026. Decree 142 consists of 8 chapters and 46 articles relating to: (i) the one-stop portal and the national AI database; (ii) three-tier risk classification and conformity assessment; (iii) transparency, labeling, watermarking, and serious incidents; (iv) a three-level controlled testing mechanism (sandbox); (v) national AI infrastructure, data, and technological sovereignty; (vi) ecosystems, clusters, and support vouchers; (vii) responsibilities of ministries; and (viii) effectiveness and transitional provisions. 

Below are the key highlights and important notes for businesses under Decree 142: 

1. Obligation of technical marking and AI content labeling  

AI system providers must implement machine-readable technical markings for outputs such as audio, images, or video generated or edited by AI, e.g., digital watermarks, fingerprints, or equivalent technical solutions.11 

At the same time, implementers must clearly disclose when AI content may cause confusion about authenticity, and must visibly label audio, images, or video in two cases: (i) simulation or imitation of a real person’s appearance or voice; (ii) recreation of real events to distinguish from genuine content. This obligation applies immediately upon the Decree’s effective date, with no grace period, though exemptions and exceptions are provided under certain circumstances.12 

2. Obligation of incident reporting and handling within 72 hours: 

Decree 142 emphasizes the establishment of shared data infrastructure and strict incident-handling mechanisms. Businesses may register to use shared AI models on national infrastructure and are encouraged to share open or commercial data via the central portal to receive incentives in bandwidth and computing capacity. In the event of a serious AI incident causing loss of life, property damage, or significant privacy violations, Providers must promptly record the incident, take necessary measures, and formally report to the competent state authority within 72 hours. Compliance obligations are continuous, requiring businesses to review and update risk assessments upon core system changes, actual incidents, or written requests from regulators, alongside periodic reporting for AI systems under risk management. 13 

Three levels of AI system risk classification: 

Decree 142 stipulates that providers are responsible for self-classifying AI systems before deployment and bear legal responsibility for the accuracy and integrity of the classification results.14 Accordingly, AI systems are classified by risk level as follows: 

• High-risk AI systems: systems listed in the Catalogue of High-Risk AI Systems issued by the Prime Minister.15 Currently, the Government is still consulting relevant stakeholders to issue official regulations, which will provide a clear legal framework for providers to classify artificial intelligence systems. 

• Medium-risk AI systems: (i) systems not classified as high-risk, and (ii) systems that may confuse, influence, or manipulate users who cannot recognize that they are interacting with an AI system or AI-generated content.16 

• Low-risk AI systems: systems not falling under the two categories above. 

For medium-risk artificial intelligence systems and high-risk artificial intelligence systems, providers are required to notify the Ministry of Science and Technology of the risk classification results through the National One-stop Electronic Portal for Artificial Intelligence before putting the system into use. Providers may fulfill this obligation by directly declaring information via electronic forms on the portal or by automatically transmitting information through an application programming interface (API) or other electronic methods.17 At present, the National One-stop Electronic Portal for Artificial Intelligence is still under preparation and has not yet been officially put into operation. Therefore, businesses should continue to monitor announcements from the competent authorities and await further specific guidance before being able to carry out online procedures through this system. 

Furthermore, if the implementing party modifies, integrates, or changes the functions/purposes of the system compared to the provider’s original disclosure, resulting in new risks or increased risk levels, the implementing party must coordinate with the provider to review and reclassify the risk level.18 

3. Conformity assessment procedures for high-risk artificial intelligence systems 

For artificial intelligence systems classified as high-risk, the law requires that a conformity assessment be conducted prior to putting the system into use. The conformity assessment process is carried out as follows19: 

(i) Risk classification and preparation of the initial technical documentation 

The provider classifies the AI system according to its risk level to determine whether it falls within the high-risk category, and concurrently prepares the initial technical documentation as the basis for the conformity assessment. 

(ii) Conduct of the conformity assessment 

Based on the technical documentation prepared, the provider conducts a conformity assessment of the high-risk AI system prior to its deployment, either through self-assessment or through an conformity assessment organization. Although the Law on Artificial Intelligence 2025 and Decree 142 set out this requirement, it remains unclear which organizations in the market have been officially licensed to provide such services. Therefore, providers should exercise particular caution when introducing high-risk AI systems to the market. 

(iii) Disclosure of conformity assessment results 

The provider is required to compile the conformity assessment results into a dossier and disclose them on the National One-stop Electronic Portal for Artificial Intelligence, in order to ensure transparency and to facilitate oversight by competent state authorities. 

(iv) Operation and coordinated risk monitoring 

After being put into use, the high-risk artificial intelligence system must be operated in conjunction with a continuous risk monitoring mechanism. The conformity assessment shall be re-initiated where there are significant changes to system functions, data sources, or where incidents occur. 

4. Controlled testing mechanism (Sandbox mechanism): 

Decree 142 establishes a three-level controlled testing mechanism. Level 3 applies to AI systems with high data or security risks, such as processing sensitive personal data, core/critical data, children’s data subject to impact assessment, state secrets, or systems directly connected to critical information infrastructure related to national security. The Ministry of Public Security is the authority to receive, appraise, and issue confirmation for Level 3. The sandbox mechanism only provides exemptions, reductions, or adjustments of obligations within the approved testing scope; it is not an official commercial deployment license and does not exempt responsibilities beyond that scope.20 

Conclusion: Decree 142 serves both as a strict legal framework for risk management and as a driver of innovation in artificial intelligence. Businesses must proactively establish compliance mechanisms, ensure transparency, and strengthen incident management, while leveraging national infrastructure and sandbox mechanisms to develop AI technologies safely, sustainably, and competitively. 

About VCI Legal:

VCI Legal is an award-winning business law firm in Vietnam with a wide range of legal and corporate services, among other things, corporate, banking & finance, tax, labor & HR, real estate and dispute resolution with special focus on international investment disputes, We also offer our specialized type of service called “In-House Counsel Service” with the aim of assisting our clients in dealing with all types of internal and external issues arising from their day-to-day operations and business activities. With our offices in both Hanoi and Ho Chi Minh City, we have a tremendous depth of experience in providing well-reasoned and comprehensive legal advice to not only multinationals and Fortune 500 companies, but also small and medium enterprises.

Our professional team comprises one of the leading law firms in Vietnam with service quality highly recommended and acknowledged by international legal service reviewers such as: The Legal 500, AsiaLaw Profiles, IFLR, KPMG’s Tax Directors’ Handbook, Acquisition International, ACQ Global, Global Law Experts, Finance Monthly, and Chambers & Partners.

For many years, VCI Legal has been ranked among the top law firms in Vietnam for corporate, finance, insurance, taxation, employment, intellectual property and investment. With a “Can Do Attitude” combined with a “Know How” capacity, our firm is big enough to provide comprehensive legal support for any in-house legal matters, yet small enough to care about each of our clients. We undertake each engagement with the mindset of a long-term relationship, with the will to give whatever it takes to understand and fulfill your needs.

Ho Chi Minh City

Suite P7-42.18, Vinhomes Central Park, 720A Dien Bien Phu, Thanh My Tay Ward, Ho Chi Minh City, Vietnam

Tel.: (+84) 028 3827 2029 Fax: (+84) 028 3823 4436

Hanoi

Suite 1903, Floor 19, W1 Tower, Vinhomes Westpoint, Pham Hung, Tu Liem Ward, Hanoi City, Vietnam

Tel.: (+84) 024 3936 4985 – (+84) 024 3936 4987

Affiliated Offices: Beijing – Shanghai – Hanoi – Ho Chi Minh City – Singapore – New Delhi – Dubai – Doha – Zurich – Paris – Rome – Brescia – Washington D.C. – Los Angeles