DPO Radio

Vietnam’s AI Law, Law 134/2025/QH15, has been active since 1 March 2026. It establishes the parent governance framework for organizations developing, providing, deploying, or using AI systems in Vietnam.
Decree 142/2026/NĐ-CP is now the active implementing decree. Issued on 30 April 2026 and effective from 1 May 2026, it replaces the earlier assumption that detailed procedures and official forms were still pending. The decree adds operational detail for classification, high-risk controls, transparency, incidents, monitoring, and controlled testing.
AI governance is a continuing evidence problem, not a one-time registration exercise. A system can change risk profile when its purpose, data, users, deployment context, or behavior changes. Compliance teams therefore need a current record of classification, review, controls, incidents, and decisions across the system lifecycle.
ComplianceOne connects those records in one governed process. Technical, legal, risk, and operational contributors can work on the same AI system record while human reviewers retain control over classification, assessment, and submission decisions.
Law 134/2025/QH15, active since 1 March 2026
Decree 142/2026/NĐ-CP (implementing decree, active since 1 May 2026) and Decision 33/2026/QĐ-TTg (official high-risk AI systems list, effective 15 August 2026)
Decision 33 lists 46 high-risk AI system categories across six sectors; a match triggers the Decree 142 high-risk workflows
AI system records, risk classification, reclassification, conformity assessment, transparency, labeling, monitoring, and incidents
Sandbox applications, monitoring, reporting, extensions, incident handling, and completion evidence
Eighteen Decree 142 forms covering serious incidents, state-agency impact assessment, and controlled testing workflows
Classification rationale, approvals, assessment records, control evidence, disclosures, incident records, and audit history

ComplianceOne provides a governed record for each AI system, including purpose, ownership, deployment context, data dependencies, risk classification, review history, and linked controls. Classification and reclassification decisions retain their rationale and approval trail.
High-risk work can be coordinated through assessment and control workflows. Teams can assign contributors, collect conformity and risk-management evidence, record human-oversight measures, and track changes that require a new review.
Transparency and labeling evidence can be linked to the AI system record, while incident operations preserve investigation, notification, remediation, and closure history. Related personal data or cybersecurity events can be connected without losing their separate regulatory context.
For controlled testing, ComplianceOne supports application, monitoring, reporting, incident, extension, and completion records using the official Decree 142 forms where applicable. Human review remains required before evidence or submission material is approved.
Records AI risk classification, rationale, changes, and review status.
Explore Data ClassificationCoordinates ownership, assessments, controls, and recurring reviews.
Explore Program GovernancePreserves classification, assessment, approval, and incident history.
Explore Audit TrailSupports Decree 142 forms and related controlled documentation.
Explore Compliance FormsManages AI incident investigation, evidence, remediation, and linked notifications.
Explore Incident Operations


ComplianceOne reflects the current legal stack: an active parent law and an active implementing decree, not a pending-decree placeholder.

The platform supports the eighteen official Decree 142 forms alongside the operational evidence that gives those forms context.

Human review gates preserve accountability for classification, assessment, evidence, and submission decisions.
Ready to see how ComplianceOne's command center, guided setup, platform administration, and AI advisor work together in practice? Request a personalized demo with your compliance scenarios.

Yes. The Vietnam AI Law became effective on 2026-03-01. Organizations that develop, deploy, or operate AI systems in Vietnam should already be working toward compliance. The implementing decree (which will specify official forms, filing channels, and detailed procedures) has not yet been issued, but the law's core obligations – registration, classification, transparency, and human oversight – are in effect.
No. Decree 142/2026/NĐ-CP is an active implementing decree under the Vietnam AI Law. It was issued on 30 April 2026 and took effect on 1 May 2026.
ComplianceOne's 18 internal template IDs align with the official form requirements specified by the implementing decree. Organizations using the platform receive the updated templates without needing to restart their governance documentation. Existing dossier content and classification records are preserved.
It provides operational detail for risk classification, reclassification, high-risk conformity and risk management, transparency and labeling, serious incidents, monitoring, and controlled testing. It also introduces eighteen official forms.
The Data Classification module supports AI system classification by risk level. Organizations inventory their AI systems, assign risk classifications based on the system's purpose and data processing characteristics, document the classification rationale, and route the classification decision through an approval workflow. Each classification is captured in the audit trail with reviewer identity and approval status.
No. The platform can organize evidence and assist with drafting, but human reviewers remain responsible for approval and submission decisions.
Yes. ComplianceOne supports 7 Vietnam regulatory frameworks within a shared workflow engine. AI systems that process personal data are subject to both the AI Law and the PDPL. The platform manages both sets of obligations – AI classification and dossier management alongside data protection impact assessments and consent governance – with consistent audit trail coverage.
Yes. AI incident readiness is supported through the same incident operations infrastructure used for cybersecurity and personal data breaches. The incident workflow manages detection, assessment, escalation, authority notification, investigation, and remediation, with evidence chain of custody maintained throughout the incident lifecycle.
Yes. Related records can be linked so teams can coordinate response and evidence while retaining the separate requirements and history of each framework.

Test AI classification, high-risk evidence, and controlled-testing workflows with your team.

Review your AI system inventory, Decree 142 obligations, and evidence model.