Market Focus - Regulatory Compliance Vietnam (Part II)

Mar 11, 2026 | 10 minute read

TL;DR: Vietnam’s compliance stack is expanding beyond privacy and data governance into two domains that will increasingly define digital operations in 2026:

  • The AI Law (effective 01 March 2026) pushes businesses from "we use AI" to "we can prove it is governed" - classification, transparency, labeling where relevant, and incident readiness.
  • The E-Commerce Law (Law No. 122/2025/QH15) pushes platforms from "we sell online" to "we can prove the platform is controlled" - seller verification, takedowns, dispute handling, ranking accountability, and evidence-ready order flows.
  • The Cybersecurity Law overlay (effective 01 July 2026) will increasingly determine architecture constraints - where data sits, how monitoring is implemented, and how fast you can respond to authority requests. Draft guidance is still a watchlist, but the capability-building cannot wait.

This article walks through the next layer of the Vietnamese legal stack and is written for DPOs, legal and compliance teams, CISOs, and digital leaders operating in Vietnam - especially in banking, telecom, payments, e-commerce platforms, AI-driven product teams, and large enterprises with cross-border services. If you are responsible for governing AI systems in production, managing seller and platform enforcement workflows, producing dossier-ready evidence, or keeping vendor and data-flow governance audit-ready under scrutiny, this is written for you.

AI Law + E-Commerce Law + the Cybersecurity overlay

The same pattern from Part I now applies across AI and platforms:
Most organizations can write a policy.
Fewer can run the workflows.
Very few can produce the correct dossier formats quickly, consistently, and with audit-grade evidence.

Callback to Part I - read Chapters 1-5 first

Part I covers the first five chapters of Vietnam’s regulatory stack and why enforcement is becoming procedure-driven and evidence-driven:

  1. Personal Data Protection (PDPL 2025 and implementation)
  2. Standardized administrative procedures and dossier lifecycle
  3. The Data Law and system-level governance
  4. Telecom overlays shaping real-world obligations
  5. The Cybersecurity trajectory and why drafts must be treated as a watchlist

If those five chapters describe the compliance foundation, Part II is where the stack starts to shape product design, platform operations, and system architecture in practice.

Part II continues from Chapter 6.

Vietnam compliance is no longer document compliance - it is execution compliance.

The Vietnamese regulatory stack (continued)

6. The Vietnam AI Law (effective 01 March 2026)

AI compliance is not an AI policy - it is a risk governance system

Most companies still think AI compliance means adding a disclaimer, a policy paragraph, or a checkbox in procurement. That logic does not survive once AI is treated as a regulated risk domain.

AI creates a new type of compliance exposure: systems that influence outcomes at scale. Ranking, recommendations, fraud scoring, eligibility signals, customer service decisions, dynamic pricing, identity signals, content generation - these are not "features" anymore. They are operational risk surfaces.

If AI influences outcomes, it is already a regulated capability - whether you call it AI or not.

What matters in Vietnam is not abstract AI ethics. It is what the implementing framework is signaling: classification, transparency, controllable safeguards, and the ability to produce evidence when asked. In practice, enforcement will not debate your model architecture - it will test whether you can demonstrate governance in the format and workflow reality Vietnam is standardizing.

The pivot: classification comes before everything

In a risk-based AI regime, classification becomes the first mandatory discipline. Not the model name. Not the vendor. The deployment context.

The same model can be low risk in one use case and high risk in another. That means classification must be repeatable and auditable. It cannot live in product team memory. It must live in a system.

In practice, that means you need an AI register that answers, consistently and defensibly:

  • What AI systems exist in production?
  • Who owns them?
  • Where are they used in the product?
  • Which users or groups are affected?
  • What data feeds them?
  • What harms are plausible?
  • What oversight exists?
  • What evidence exists?

What AI compliance looks like in production

AI compliance only becomes real when it is operationalized into a governance spine.

Start with a living AI System Register. This is the AI equivalent of a processing register - not a document, but a continuously updated inventory of deployed AI capabilities, their purposes, their data dependencies, their ownership, and their change history.

Then define pre-deployment gates for systems that can create meaningful harm. The moment AI impacts eligibility, access, safety, financial outcomes, or rights, the deployment process needs controls: internal review, documented safeguards, monitoring readiness, and rollback capability.

The compliance question is not "do you use AI?" - it is "can you prove you control it?"

Transparency becomes a deliverable, not a slogan. You do not need to publish your model. You need to be able to produce the right level of explanation for the system’s purpose, limitations, expected oversight, and what users are told.

If your product generates or modifies content, labeling and provenance controls become part of compliance. Not because regulators care about aesthetics, but because integrity, traceability, and evidence are now central to trust.

Finally, you need AI incident handling as a first-class workflow. Not only breaches. AI incidents include harmful outputs at scale, systemic decision errors, unsafe behavior, and failures that require rapid containment and evidence preservation.

7. The E-Commerce Law (Law No. 122/2025/QH15)

E-commerce is regulated as platform operations, not just online sales

The common failure mode in e-commerce compliance is treating it as legal packaging. Add some terms, update the footer, and assume the risk is covered.

Vietnam’s direction increasingly regulates platforms as governed systems: onboarding, seller identity, visibility, enforcement, complaints, and proof.

A marketplace without evidence is not a platform - it is a liability engine.

The operational reality: your platform must be proof-capable

Compliance pressure does not arrive as a philosophical question. It arrives as a request:

  • Show what was displayed.
  • Show what was agreed.
  • Show what rule was in force at the time.
  • Show why visibility changed.
  • Show why a listing was removed.
  • Show how a complaint was handled.

In Vietnam, the platform fails the moment it cannot produce a clean, time-stamped evidence pack in the required dossier format - not when it lacks a policy page.

If you cannot produce that evidence quickly, the platform fails under scrutiny, even if your policies are beautifully written.

Mandatory disclosures are not a single page. They are a versioned publishing workflow. You need to prove what was published, when it changed, and what users and sellers were shown.

Order and contract flows are not only UX. They become compliance evidence systems. You need to prove what information was presented and confirmed.

Seller onboarding becomes a governed workflow. Identity verification cannot be a casual form field. It requires logs, review steps, and escalation paths.

Takedown and enforcement must become formalized. If the platform can remove listings or suspend sellers, every enforcement event becomes a record that can be challenged. The workflow runs through intake, assessment, action, notification, appeal, and finalization.

Ranking and visibility become accountability surfaces. If you rank, recommend, boost, suppress, or filter content, you are running algorithmic governance. Even if you never call it AI, the effect is the same: outcomes are influenced at scale.

The practical requirement is simple: you need a ranking accountability pack that can be produced quickly when disputes occur. If you cannot explain why visibility changed, you cannot defend your platform.

8. The Cybersecurity Law overlay (effective 01 July 2026)

Cybersecurity does not replace other laws - it constrains the architecture

Part I already covered the cybersecurity trajectory. Part II clarifies the business impact: AI and e-commerce platforms are typically the most exposed categories because they operate high-volume services with user accounts, cross-border infrastructure, and algorithmic decision systems.

Cybersecurity overlays shift compliance in three concrete ways.

First, where data sits and how quickly you can respond becomes an operational requirement, not an abstract legal analysis. Architecture decisions become compliance decisions.

Second, monitoring becomes part of regulatory posture. Detection, incident coordination, and evidence preservation shift from best practice to auditable capability.

Third, account telemetry and IP-related attributes become compliance-sensitive. Not because logs are bad, but because logs become governed evidence.

The correct posture remains the same as Part I: draft guidance is signal, not final law. Treat it as a watchlist. But do not delay capability-building. When implementing rules land, the companies that already have workflow and evidence architecture will move fastest.

The new enforcement surface - AI systems, platforms, and cybersecurity readiness

Part I’s execution layer focused on registers, assessments, dossiers, workflows, and evidence discipline. Part II extends that into two operational domains:

AI governance as a controlled system. A living AI register, classification workflow, pre-deployment gates for high-impact systems, transparency deliverables, provenance controls where relevant, and AI incident workflows.

Platform governance as a controlled system. Versioned disclosures, evidence-ready order flows, seller verification, enforcement workflows, ranking accountability, and dispute handling with evidence preservation.

This is the shared pattern across the stack:

Compliance becomes manageable the moment it becomes a system.

Why I'm writing this now

Over the past months, I have been deep inside Vietnam’s compliance reality while building a Vietnam-native governance platform that has to survive in the real world - not in slide decks.

Part I focused on the core compliance stack most teams are already feeling: personal data protection, data governance, cross-border handling, and procedure-driven dossier requirements.

Part II expands the same operational proof into two domains that will define 2026 for digital business in Vietnam: AI systems and e-commerce platforms - with the cybersecurity overlay increasingly shaping what is possible at an architecture level.

The pattern I keep seeing is still simple, but the blast radius is larger:

Most organizations can write a policy.
Fewer can run the workflows.
Very few can prove control when the system is live - across privacy, AI, platform operations, cross-border flows, vendors, and incidents.

That gap is where compliance becomes expensive, slow, and risky - especially when an AI feature ships without governance, a ranking system causes disputes, a seller incident escalates, a cross-border dependency changes, or authorities request evidence in a specific format.

Vietnam enterprises, banks, telcos, platforms - what we are building and what we need from you

We have been building AesirX ComplianceOne as a Vietnam-native compliance execution layer that covers the full stack across Part I and Part II: dossiers, registers, workflows, evidence, and submission readiness - not as documents, but as a system that runs continuously.

This coming Friday, we are officially releasing AesirX ComplianceOne into the market, including new landing pages, three ready-to-deploy packages and an enterprise rollout plan.

If you are operating in Vietnam and you are:

  • A bank or financial institution running regulated or cross-border data flows.
  • A telco, ISP, data center operator, or large digital infrastructure provider.
  • An e-commerce platform or marketplace managing sellers, ranking, enforcement, and disputes.
  • A large enterprise deploying AI systems, copilots, recommendation engines, fraud scoring, dynamic pricing, or automated decisioning.
  • A group company managing multiple subsidiaries, vendors, and shared platforms.

We are open to early enterprise input and pilot participation.

What we need is not feature requests - it is operational reality

If you want to shape a Vietnam-native compliance platform that is built for the way enforcement works in practice, we are looking for specifics:

What I’m looking for is a clear picture of where compliance breaks inside live operations. Which dossiers and registers your teams struggle to produce on demand, and which artifacts consistently fail the “format, timeline, evidence” test when pressure hits.

I also want to understand which workflows collapse first when the environment changes - incidents, authority requests, vendor changes, cross-border dependencies, internal reorganizations, or disputes that require fast decisions with a clean evidence trail.

And for teams shipping AI and running platforms, I want the uncomfortable details: which AI systems are hardest to govern in production (classification, oversight, transparency, logging), and which platform operations create the most exposure (seller verification, takedowns, ranking disputes, complaints, appeals). When you say “audit-ready” internally, what evidence actually gets challenged first - and what does your organization wish it could produce faster, cleaner, and with less manual effort?

If this sounds like your world, send me an email or reach out here. We will start with a short call, give you access to a demo environment, map your compliance pain points, and turn them into concrete roadmap priorities for your Vietnam reality.

Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO @ AesirX.io

References

Part I frameworks referenced: PDPL 2025 (Law No. 91/2025/QH15), Decree 356/2025/NĐ-CP, Decision 778/QĐ-BCA-A05, Data Law (Law No. 60/2024/QH15), Telecommunications Law (Law No. 24/2023/QH15 and Decree 163/2024/NĐ-CP), Cybersecurity Law 2025 (Law No. 116/2025/QH15) and draft guidance.

Part II frameworks cover: Vietnam AI Law (effective 01 March 2026) and implementing framework and guidance, E-Commerce Law (Law No. 122/2025/QH15), Cybersecurity Law 2025 (effective 01 July 2026) and draft guidance.
