top of page

Vietnam to strictly regulate 46 high-risk AI systems starting August 15th, 2026

Beginning August 15th, 2026, Vietnam will officially classify 46 artificial intelligence (AI) systems as high-risk AI systems across six sectors: education, ethnicity and religion, healthcare, banking, legal proceedings, and transportation. These systems must comply with strict governance requirements under Decision No. 33/2026/QĐ-TTg, including human oversight and phased compliance deadlines.

The era of "deploy first, govern later" is ending for artificial intelligence in Vietnam. From August 15, 2026, AI systems capable of making significant decisions that affect people's lives, public interests, or national security will be subject to stricter regulatory oversight. For organizations already integrating AI into education, healthcare, banking, transportation, or government services, regulatory compliance is becoming just as important as technological innovation.

What does decision no. 33/2026/QĐ-TTg introduce?

Deputy Prime Minister Hồ Quốc Dũng signed Decision No. 33/2026/QĐ-TTg on June 30, 2026, issuing Vietnam's official list of high-risk AI systems. The Decision takes effect on August 15, 2026.

What does decision no. 33/2026/QĐ-TTg introduce?
What does decision no. 33/2026/QĐ-TTg introduce?

The Decision also establishes mandatory operational principles and a compliance roadmap for AI systems that were already in operation before the effective date.

Importantly, AI must not replace or eliminate the legal responsibilities of competent authorities or organizations. Human oversight and intervention must remain available throughout the AI system's operation.

Which AI systems are considered high-risk?

A total of 46 AI systems have been included in the high-risk category across six sectors.

Education (3 systems)

  • AI platforms providing self-learning content using uncontrolled data sources.

  • AI systems that automatically assess, grade, or rank learners.

  • AI systems monitoring and analyzing student behavior.

Ethnicity and Religion (7 systems)

  • Automatically score and classify applications for ethnic policy eligibility.

  • Validate ethnicity or religion-related information.

  • Automatically approve, reject, renew, or revoke administrative applications.

Healthcare (2 systems)

  • AI-assisted surgical systems.

  • AI-controlled robotic surgical equipment.

Banking (2 systems)

  • AI systems automatically executing electronic banking transactions.

  • AI systems automatically making credit approval decisions.

Legal Proceedings (1 system)

  • Wide-area biometric identification AI systems supporting public-interest civil cases.

Transportation (31 systems)

  • Highly autonomous vehicle control systems.

  • AI-powered traffic signal and railway traffic management.

  • Intelligent control systems for critical transportation infrastructure and operations.

Why is human oversight mandatory?

One of the key principles introduced by the Decision is that AI cannot operate without meaningful human supervision.

Why is human oversight mandatory?
Why is human oversight mandatory?

While AI may assist in decision-making, the final legal responsibility remains with organizations and authorized personnel. Human operators must be capable of monitoring, reviewing, intervening, or overriding AI-generated outcomes whenever necessary.

This reflects a global trend toward Human-in-the-Loop (HITL) governance, particularly for AI systems affecting healthcare, finance, education, transportation, and public administration.

Compliance timeline for existing AI systems

Organizations operating AI systems before August 15, 2026 are permitted to continue operations during the transition period.

However, compliance obligations must be completed according to the following schedule:

  • By September 1, 2027 for healthcare, education, and financial AI systems

  • By March 1, 2027 for all other sectors included in the high-risk list

Authorities may still require suspension or termination of AI systems if they determine that the systems pose a serious risk under Vietnam's AI Law.

What does this mean for businesses?

The new regulation signals a major shift in AI governance.

Organizations should begin by identifying:

  • Which AI systems they currently operate

  • Whether those systems fall within the high-risk categories

  • What data those systems process

  • Whether adequate human oversight exists

  • Whether governance, audit, logging, and risk management mechanisms are in place

For businesses using AI to automate decision-making, regulatory readiness is becoming a strategic priority rather than a future consideration.

IPSIP Vietnam expert insight

1 . What organizations can Do immediately?

Businesses should conduct an internal inventory of all AI systems currently deployed, including third-party AI services.

Recommended actions include:

  • Classify AI systems based on operational risk

  • Document data sources and processing activities

  • Implement human review procedures for AI-generated decisions

  • Enable multi-factor authentication for AI administrators

  • Maintain audit logs for AI operations

  • Review contracts with AI vendors regarding security and compliance responsibilities

  • Adopt data minimization and role-based access control practices

2 . Professional support from IPSIP Vietnam

IPSIP Vietnam's management and monitoring platform has successfully passed rigorous independent assessments to achieve internationally recognized ISO/IEC 27001:2022 and SOC 2 Type II certifications. Through its 24/7 Security Operations Center (SOC), 24/7 Network Operations Center (NOC), and dedicated IT Support/Helpdesk teams, IPSIP delivers continuous monitoring, rapid threat detection, and around-the-clock incident response to help organizations defend against cyber threats at any time. 

IPSIP Vietnam cybersecurity solutions
IPSIP Vietnam cybersecurity solutions

IPSIP Vietnam helps organizations prepare for Vietnam's evolving AI regulatory landscape by assessing compliance readiness, establishing governance and control frameworks, performing gap assessments, and developing tailored remediation roadmaps before the regulatory milestones of March 1, 2027 and September 1, 2027. For AI systems that process personal data, financial information, student records, or other sensitive information, organizations are encouraged to prioritize IPSIP Vietnam's Cybersecurity Law & Decree 13 Compliance Consulting service to reduce regulatory exposure and strengthen enterprise data governance.


Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page