AI Legal Frameworks: EU AI Act, NIST AI RMF, OECD, and the Vietnamese Context

A comparison of major global AI legal and governance frameworks—the EU AI Act, the US NIST AI RMF, and the OECD AI Principles—alongside the Vietnamese context, featuring the AI Law 2025, Decree 13/2023, and the Personal Data Protection Law 2025, with an analysis of their differing approaches.

AI Legal Frameworks

As AI proliferates across economies and daily life, nations and international organizations are developing legal frameworks to balance fostering innovation with protecting human beings. These frameworks fundamentally differ in their binding nature, scope, and philosophy—ranging from hard laws with sanctions to voluntary guidelines. This article neutrally presents the most significant frameworks and compares them with the Vietnamese context.

1. The European Union AI Act (EU AI Act)

The EU AI Act is the world’s first comprehensive law regulating AI, based on a risk-tiered approach:

  • Unacceptable risk: prohibited—e.g., state-sponsored social scoring, certain forms of real-time biometric identification.
  • High-risk: subject to strict obligations regarding risk management, data quality, documentation, and human oversight—e.g., AI used in recruitment, credit assessment, healthcare, and justice.
  • Limited risk: subject to transparency obligations, such as informing users they are interacting with AI or labeling generated content.
  • Minimal risk: largely unrestricted.

Implementation timeline: Obligations for providers of General-Purpose AI (GPAI) models take effect from August 2, 2025, but the European Commission’s oversight and enforcement powers will only begin to apply from August 2, 2026 (a one-year adjustment period). GPAI models released before August 2, 2025, must comply by August 2, 2027. A Code of Practice for GPAI is being finalized by an independent expert group in July 2025; it is voluntary but creates a “presumption of conformity” for signatories.

The EU AI Act includes significant financial penalties and has extraterritorial application—meaning it binds even non-EU providers if their products impact users within the EU.

2. NIST AI RMF (United States)

Unlike the EU, the United States has opted for a voluntary, risk-based approach. The AI Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology (NIST) in January 2023, is structured around four core functions:

  • GOVERN: establishing an AI risk management culture and policies.
  • MAP: identifying contexts and risks.
  • MEASURE: analyzing, evaluating, and monitoring risks.
  • MANAGE: prioritizing and addressing risks.

In July 2024, NIST released the Generative AI Profile (NIST-AI-600-1)—a specialized profile for generative AI, identifying 12 specific risk categories (e.g., hallucinations, data poisoning, prompt injection, intellectual property issues, over-reliance), along with a catalog of over 400 mitigation actions, organized according to the four functions mentioned above.

Characteristics: The NIST AI RMF is not a law and carries no penalties, but it is widely adopted as a benchmark for good practice and is one of the most influential voluntary governance frameworks globally.

3. OECD AI Principles

The OECD AI Principles, first adopted in May 2019, are the first intergovernmental standard for AI and were updated in May 2024 to encompass generative AI and foundation models. All 36 OECD member countries, along with many non-member countries, have endorsed them. These are non-binding principles, allowing each government to adapt them within its national laws.

The five core values are: (1) inclusive growth and sustainable development; (2) human-centered values and fairness; (3) transparency and explainability; (4) robustness, security, and safety; (5) accountability. The 2024 update places greater emphasis on risk management, misinformation, information integrity, and interoperable governance. The OECD Principles also form the basis for the G20 AI principles.

4. The Vietnamese Context

Vietnam has rapidly transitioned from soft guidance to hard law during the 2023–2026 period.

AI Law 2025

The National Assembly enacted AI Law No. 134/2025/QH15, effective March 1, 2026. This is Vietnam’s first law comprehensively regulating the development, application, and governance of AI. Its core feature is a risk-based management mechanism, classifying AI systems into three levels: high, medium, and low—similar in spirit to the EU’s tiered approach, but designed to balance regulation with fostering innovation. Guiding decrees to elaborate on the law are currently being developed to facilitate participation for entities involved in AI activities.

Personal Data Protection: From Decree 13/2023 to Law 2025

Personal data protection is a legal foundation intrinsically linked to AI, as AI operates on data.

  • Decree No. 13/2023/ND-CP (issued April 17, 2023, effective July 1, 2023) was the first document to detail obligations regarding personal data protection and cybersecurity in data processing.
  • The Personal Data Protection Law 2025 is the first law in this field, elevated from a decree to a law—offering broader scope, stricter penalties, and an independent oversight mechanism. Decree 13/2023 expires on January 1, 2026. The government will issue Decree No. 356/2025/ND-CP to guide the new Law. The definition of “personal data” has also been expanded: from “information in the form of symbols, text… in an electronic environment” to “digital data or information in other forms that can identify a specific human being.”

5. Comparison of Approaches

| Framework | Binding Nature | Approach | Scope |
| --- | --- | --- | --- |
| EU AI Act | Hard law, with sanctions | Risk-tiered (4 levels) | Extraterritorial application |
| NIST AI RMF | Voluntary | Four risk governance functions | Practice reference |
| OECD | Non-binding | Five core values | Intergovernmental |
| Vietnam (AI Law 2025) | Hard law | Risk-tiered (3 levels) | National |

Multi-dimensional perspectives on trade-offs:

  • Hard laws (EU, Vietnam) versus soft guidelines (NIST, OECD): Hard laws create clear obligations and offer stronger protection for citizens, but they can increase compliance costs and raise concerns about stifling innovation for smaller businesses. Soft guidelines are flexible and adapt quickly to changing technology but rely on voluntary adherence and are difficult to enforce.
  • International harmonization: While many frameworks share a risk-tiered approach, creating common ground favorable for multinational businesses, detailed differences (definitions, thresholds, obligations) still compel organizations to comply with multiple standards simultaneously.
  • Balancing innovation and protection: There is no single optimal solution. Each jurisdiction selects a unique balance point that aligns with its economic priorities, culture, and enforcement capabilities.

Conclusion

The global AI legal landscape in 2026 is coalescing around a common denominator—risk-based, human-centric management—yet it diverges in terms of binding force and implementation specifics. Vietnam, with its AI Law 2025 and Personal Data Protection Law 2025, has joined the ranks of nations with statutory AI frameworks, closely following international trends while maintaining a clear focus on fostering innovation. Businesses and developers should closely monitor guiding decrees to ensure compliance.
