
AI rules in South-east Asia: risks, fines and everything else you need to know

Making the effort to know the difference between what is voluntary and mandatory is key for any CTO or product lead

    • Mandatory frameworks range from existing data protection laws to new AI regulations, as well as industry-specific rules that you should already be familiar with. PHOTO: BLOOMBERG
    Published Sun, Jun 7, 2026 · 09:58 AM

    IF YOU build or deploy AI in South-east Asia, someone has probably handed you a stack of “AI governance frameworks” and told you to comply. Most of those frameworks are voluntary and carry no penalty, but there are others that can incur hefty fines.

    These mandatory frameworks range from existing data protection laws to new AI regulations, as well as industry-specific rules that you should already be familiar with.

    Making the effort to know the difference between what is voluntary and mandatory is key for any CTO or product lead. Confusing the two can waste precious time and money that most startups do not have.

    In my work as an applied scientist building AI systems for South-east Asian contexts, I have spent years on the technical side of what regulators are now trying to govern, such as training data, model documentation, bias testing and deployment oversight. For builders, it is important to understand what these regulations actually require so they can act on them.

    What carries penalties

    A lot of AI regulations, including the European Union’s AI Act and Vietnam’s AI Law, use risk-based classification systems. These have a wide reach, covering local and foreign entities engaged in AI activities.

    For example, social scoring and real-time biometric identification in public spaces are categorised as prohibited in both the EU and Vietnam.

    Below that is the high-risk tier, which is where most AI builders will find themselves. If your product touches on hiring, credit scoring, healthcare, education, or essential public services, treat it as high-risk by default.

    The EU AI Act

    Regulation 2024/1689 is a binding law that applies not only to companies inside the EU but to any provider or deployer outside the union whose AI system output is used in its jurisdiction. If your company is based in Jakarta but a client uses your tool in their Berlin office, you are in scope just the same.

    Penalties are not symbolic: up to 35 million euros (S$52.2 million) or 7 per cent of worldwide turnover for prohibited uses, and up to 15 million euros or 3 per cent of worldwide turnover for high-risk non-compliance.

    Vietnam’s AI Law

    Law 134/2025 has flown under the radar for many builder teams operating in South-east Asia. Vietnam’s National Assembly passed the region’s first standalone, comprehensive AI statute on Dec 10, 2025, and it took effect on Mar 1.

    The law’s structure lifts much of its logic from the EU AI Act: There are prohibited, high-risk, and low-risk tiers, with separate provider and deployer obligations on high-risk systems.

    Existing systems get a 12- to 18-month transition window depending on the sector. If you ship products into Vietnam, then this is the regulatory regime that lands first.

    Existing data protection laws

    You do not need an AI-specific law to be regulated when your system processes personal information.

    Data protection laws in Singapore, Malaysia, Thailand and Vietnam carry penalties, and they all apply to AI systems that process such data. If your model trains on or makes decisions about identifiable people, then you are exposed to risk.

    Financial regulators

    In finance, the rules are effectively mandatory even when the label says “guideline.” Otoritas Jasa Keuangan (OJK), Indonesia’s financial regulator, has issued AI governance expectations for banks and fintech firms, including the Banking AI Governance guideline of April 2025.

    The Monetary Authority of Singapore has set AI risk expectations for financial institutions, while the Bank of Thailand (BoT) released its AI Risk Management Guidelines for Financial Service Providers in September 2025, applicable to financial institutions and payment providers.

    Voluntary, for now

    With few exceptions, the frameworks that dominate the conversation are not binding. However, voluntary does not mean you should ignore them.

    For one, enterprise procurement increasingly asks for such guidelines. A bank or government buyer will ask whether your system aligns with voluntary frameworks long before any law requires it.

    More importantly, today’s voluntary standard could become tomorrow’s binding text, which teams should take into account in their planning.

    What high-risk means in practice

    One critical distinction determines how much of the regulatory burden applies to your company: If you build a product on top of an existing AI model – a hiring tool built on ChatGPT, for example – the compliance burden for that product is yours, not OpenAI’s. Most South-east Asian startups are in this position, even if they have never trained a model themselves.

    In practice, a high-risk system under the EU’s AI Act, Vietnam’s AI Law and the draft laws that have been proposed in Indonesia and Thailand requires a risk management process maintained across the system’s life cycle.

    It also requires data governance records showing your training data is relevant and tested for bias, technical documentation that an external assessor can read, automatic logging retained for at least six months, a defined human oversight mechanism and post-market monitoring after launch.

    That is a big bundle that has to be built into the product, not bolted on after the roll-out.

    This is where the regional data gap – the underrepresentation of South-east Asian languages, cultures and contexts in AI training data – stops being an ethics talking point and becomes a compliance problem. Article 10 of the EU AI Act requires training, validation and testing data to be relevant and sufficiently representative in view of the intended purpose.

    My interpretation is that if the system makes decisions about Indonesian, Filipino, or Vietnamese users, representativeness has to extend to them. If your model was trained on largely Western, English-language data and you cannot document how it performs for those users, that representativeness test will be hard to pass.

    Regional dataset efforts like SEA-VL matter here for a practical reason: Documented, regionally representative data is becoming part of what compliance evidence looks like. (Disclosure: I am a co-author of this vision-language dataset.)

    What to do in the next 12 months

    I see four steps that South-east Asia’s AI firms can take:

    • Map every AI product you ship against the risk tiers outlined in applicable regulations. Anything in hiring, credit, biometrics, health, education or public services should be treated as high risk.
    • If any output reaches the EU, make the EU AI Act your binding floor and build to its high-risk requirements. It is the strictest regime you are likely to face, and meeting it generally satisfies other systems.
    • Use the US National Institute of Standards and Technology’s AI Risk Management Framework (NIST AI RMF) or ISO/IEC 42001 as your documentation template. They are voluntary, but they map closely to the binding requirements already in effect in Vietnam and being drafted elsewhere.
    • Start the audit trail today. Ensure you document risk logs, training data provenance, bias test results, and human oversight design.

    The encouraging part is that these measures reward teams that build carefully. AI companies that treat documentation, data provenance and oversight as engineering work rather than paperwork will clear every regime with roughly the same effort.

    The map is not simple, but it is readable, and reading it now is far cheaper than reading it under audit. TECH IN ASIA

    Vicky Feliren is an applied scientist and MSc candidate at Monash University, Indonesia, working on trustworthy multimodal AI and vision-language models.
