DPO Radio

Measure Value, Not Just Traffic Explore new features in AesirX Analytics

AesirX ComplianceOne | Vietnam AI Law

Overview Image

Why the Vietnam AI Law Matters

Vietnam’s AI Law, Law 134/2025/QH15, has been active since 1 March 2026. It establishes the parent governance framework for organizations developing, providing, deploying, or using AI systems in Vietnam.

Decree 142/2026/NĐ-CP is now the active implementing decree. Issued on 30 April 2026 and effective from 1 May 2026, it replaces the earlier assumption that detailed procedures and official forms were still pending. The decree adds operational detail for classification, high-risk controls, transparency, incidents, monitoring, and controlled testing.

AI governance is a continuing evidence problem, not a one-time registration exercise. A system can change risk profile when its purpose, data, users, deployment context, or behavior changes. Compliance teams therefore need a current record of classification, review, controls, incidents, and decisions across the system lifecycle.

ComplianceOne connects those records in one governed process. Technical, legal, risk, and operational contributors can work on the same AI system record while human reviewers retain control over classification, assessment, and submission decisions.

What the Vietnam AI Law 2026 Covers

Dimension

Coverage

Parent framework

Law 134/2025/QH15, active since 1 March 2026

Active child instrument

Decree 142/2026/NĐ-CP (implementing decree, active since 1 May 2026) and Decision 33/2026/QĐ-TTg (official high-risk AI systems list, effective 15 August 2026)

High-risk list

Decision 33 lists 46 high-risk AI system categories across six sectors; a match triggers the Decree 142 high-risk workflows

Core operations

AI system records, risk classification, reclassification, conformity assessment, transparency, labeling, monitoring, and incidents

Controlled testing

Sandbox applications, monitoring, reporting, extensions, incident handling, and completion evidence

Official forms

Eighteen Decree 142 forms covering serious incidents, state-agency impact assessment, and controlled testing workflows

Evidence requirements

 Classification rationale, approvals, assessment records, control evidence, disclosures, incident records, and audit history

 
Overview Image

How ComplianceOne Supports the Vietnam AI Law

ComplianceOne provides a governed record for each AI system, including purpose, ownership, deployment context, data dependencies, risk classification, review history, and linked controls. Classification and reclassification decisions retain their rationale and approval trail.

High-risk work can be coordinated through assessment and control workflows. Teams can assign contributors, collect conformity and risk-management evidence, record human-oversight measures, and track changes that require a new review.

Transparency and labeling evidence can be linked to the AI system record, while incident operations preserve investigation, notification, remediation, and closure history. Related personal data or cybersecurity events can be connected without losing their separate regulatory context.

For controlled testing, ComplianceOne supports application, monitoring, reporting, incident, extension, and completion records using the official Decree 142 forms where applicable. Human review remains required before evidence or submission material is approved.

Related Modules

Data Classification

Records AI risk classification, rationale, changes, and review status.

Explore Data Classification

Program Governance

Coordinates ownership, assessments, controls, and recurring reviews.

Explore Program Governance

Audit Trail

Preserves classification, assessment, approval, and incident history.

Explore Audit Trail

Compliance Forms

Supports Decree 142 forms and related controlled documentation.

Explore Compliance Forms

Incident Operations

Manages AI incident investigation, evidence, remediation, and linked notifications.

Explore Incident Operations

Compare the Difference

Graphic Image

Without Structured Framework Operations

Graphic Image

With ComplianceOne

IconAI inventories lose context about ownership, use, data, and deployment changes.
IconEach AI system has an owned, reviewable governance record.
IconRisk classifications are recorded without their rationale or approval history.
IconClassification and reclassification retain rationale, evidence, and approvals.
IconHigh-risk controls and conformity evidence sit across disconnected teams.
IconHigh-risk assessment and control work is assigned and tracked.
IconTransparency and labeling decisions are difficult to trace to the system version.
IconTransparency, labeling, monitoring, and incident evidence stays connected.
IconIncident and sandbox records are assembled only after an authority request.
IconDecree 142 forms and controlled-testing records are prepared through governed workflows.

Built for AI Law Compliance Operations

Build For Image

ComplianceOne reflects the current legal stack: an active parent law and an active implementing decree, not a pending-decree placeholder.

Build For Image

The platform supports the eighteen official Decree 142 forms alongside the operational evidence that gives those forms context.

Build For Image

Human review gates preserve accountability for classification, assessment, evidence, and submission decisions.

Background Image

Book a Demo

Ready to see how ComplianceOne's command center, guided setup, platform administration, and AI advisor work together in practice? Request a personalized demo with your compliance scenarios.

Demo Image
Ronni K. Gothard Christiansen

Ronni K. Gothard Christiansen - Technical Privacy Engineer & CEO

Technical Compliance Expert, 32+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

Or contact via

ronni@aesirx.io+84 909 500 760

People Also Ask

Yes. The Vietnam AI Law became effective on 2026-03-01. Organizations that develop, deploy, or operate AI systems in Vietnam should already be working toward compliance. The implementing decree (which will specify official forms, filing channels, and detailed procedures) has not yet been issued, but the law's core obligations – registration, classification, transparency, and human oversight – are in effect.

No. Decree 142/2026/NĐ-CP is an active implementing decree under the Vietnam AI Law. It was issued on 30 April 2026 and took effect on 1 May 2026.

 

ComplianceOne's 18 internal template IDs align with the official form requirements specified by the implementing decree. Organizations using the platform receive the updated templates without needing to restart their governance documentation. Existing dossier content and classification records are preserved.

 

It provides operational detail for risk classification, reclassification, high-risk conformity and risk management, transparency and labeling, serious incidents, monitoring, and controlled testing. It also introduces eighteen official forms.

 

The Data Classification module supports AI system classification by risk level. Organizations inventory their AI systems, assign risk classifications based on the system's purpose and data processing characteristics, document the classification rationale, and route the classification decision through an approval workflow. Each classification is captured in the audit trail with reviewer identity and approval status.

  • The platform records system context, classification rationale, evidence, reviewers, approvals, and later changes. 
  • Reclassification work can be triggered when the system or its deployment context changes.
 

No. The platform can organize evidence and assist with drafting, but human reviewers remain responsible for approval and submission decisions.

 

Yes. ComplianceOne supports 7 Vietnam regulatory frameworks within a shared workflow engine. AI systems that process personal data are subject to both the AI Law and the PDPL. The platform manages both sets of obligations – AI classification and dossier management alongside data protection impact assessments and consent governance – with consistent audit trail coverage.

 

Yes. AI incident readiness is supported through the same incident operations infrastructure used for cybersecurity and personal data breaches. The incident workflow manages detection, assessment, escalation, authority notification, investigation, and remediation, with evidence chain of custody maintained throughout the incident lifecycle.

 

Yes. Related records can be linked so teams can coordinate response and evidence while retaining the separate requirements and history of each framework.

 

Next Steps

Icon Image

Start a Compliance Pilot

Test AI classification, high-risk evidence, and controlled-testing workflows with your team.

Icon Image

Discuss Your Compliance Needs

Review your AI system inventory, Decree 142 obligations, and evidence model.