Vietnam's Enforceable AI Law Has Direct Lessons for European Financial Services

What the Law Actually Requires

Businesses already running AI systems received a 12-month grace period, with full compliance required by 1 March 2027. For sectors deemed especially sensitive, including finance, healthcare, and education, the deadline extends to 18 months, or 1 September 2027. A National AI Commission is to be established by 1 July 2026 to oversee enforcement, with the Ministry of Science and Technology leading centralised governance.

The compliance obligations are substantial. Firms must conduct risk assessments, register high-risk systems in the National AI Database, appoint compliance officers, and document AI decision-making processes. AI-generated content in media and communications must be clearly labelled. Users must be informed when they are interacting with an AI system. Violations can result in fines, suspension of AI operations, or revocation of operating licences.

• All high-risk AI systems must be registered in the National AI Database before deployment
• Transparency requirements mandate that users are told when interacting with an AI system
• AI-generated content in media and communications must be clearly labelled
• Companies must conduct and document regular impact assessments for high-risk deployments
• Violations can result in fines, suspension of AI operations, or revocation of operating licences

Sandbox mechanisms are built in, and Vietnam has included tax incentives for AI research, support for startups, and a national AI development fund. The message is clear: this is regulation designed to attract responsible investment, not to repel it.

How It Compares to the EU AI Act

The parallels with the EU AI Act are deliberate. Vietnam's National Assembly passed the law on 10 December 2025, drawing heavily from the EU's risk-based framework. Both approaches ban certain AI practices outright, require transparency in high-risk deployments, and impose documentation obligations on operators. But there are meaningful divergences that European policymakers and compliance teams should examine carefully.

Yann Bonnet, former Secretary-General of France's national AI advisory body the Conseil National du Numérique, has argued publicly that the EU's phased implementation timeline, stretching to 2027 for most provisions, risks creating a protracted period of regulatory uncertainty. Vietnam's approach compresses that window significantly. Where the EU AI Act uses four risk tiers, Vietnam uses three. Where the EU requires an EU-based representative for foreign providers, Vietnam requires a local legal representative with direct enforcement exposure. The Vietnamese national AI fund has no direct EU-level equivalent; that function is left to member states.

For financial services firms, the high-risk classification is the critical pressure point in both regimes. Under Vietnam's law, AI used in financial services, credit scoring, fraud detection, and employment decisions all fall into the high-risk category, mirroring the EU AI Act's Annex III classifications. The compliance architecture is recognisable. The pace is not.

Dragos Tudorache, the Romanian MEP who co-led the European Parliament's AI Act negotiations, has consistently stressed that effective AI regulation requires not just rules on paper but functioning enforcement bodies with genuine authority. Vietnam's National AI Commission, due by 1 July 2026, is designed precisely along those lines. European national competent authorities under the AI Act are still being constituted across member states, with uneven progress.

What Foreign Providers Must Do

For European financial institutions with AI systems operating in Vietnam, whether through local subsidiaries, cloud deployments, or API-based services, the mandatory local representative requirement adds a compliance layer that has no soft opt-out. This mirrors the EU AI Act's requirement for non-EU providers to designate an authorised representative within the Union, a provision that European compliance teams are already familiar with from the General Data Protection Regulation.

Companies such as SAP and Temenos, both of which provide AI-enabled financial software to institutions across emerging markets including Vietnam, will need to ensure their systems meet the new registration and risk classification requirements. High-risk AI systems cannot simply be deployed and monitored remotely; they must be registered with the National AI Database before going live.

The compliance clock is already running. Firms that assumed a generous grace period should note that the 12-month window began on 1 March 2026. For financial services specifically, the 18-month deadline of 1 September 2027 offers marginal additional time, but the documentation and risk assessment work required is substantial and should begin immediately.

The Broader Regulatory Signal

Vietnam's move matters beyond its immediate jurisdiction. Its neighbours are watching. Thailand's draft AI legislation, expected later in 2026, will likely reference Vietnam's framework. The Philippines and Malaysia are assessing their own positions. For multinational financial services groups operating across multiple jurisdictions, the patchwork of national approaches is becoming the defining compliance challenge of the decade.

From a European vantage point, the Vietnamese law demonstrates something important: a developing economy has concluded that waiting for perfect regulatory conditions before acting is more costly than moving with a workable framework now. That is a lesson the EU absorbed in data protection with the GDPR and is attempting to replicate with the AI Act. The question is whether the EU's enforcement machinery will be as operationally credible as its legislative ambition suggests.

For financial services firms, the practical implication is straightforward. Whether your AI systems are deployed in Hanoi, Frankfurt, or London, the era of voluntary compliance frameworks and aspirational guidelines is ending. Vietnam has made that point more bluntly than most. The EU is making the same point more slowly. The destination is the same.