Vietnam became the first Southeast Asian country to enforce a binding standalone AI law on March 1, 2026, less than three months after the law was passed in December 2025. South Korea’s AI Basic Act entered force on January 22, 2026, creating a multipart enforcement architecture. China has rolled out more than 30 AI and data standards, with several now enforceable. Thailand is gathering public feedback on AI guidelines. Australia committed AUS$29.9 million to its AI Safety Institute and is modelling its governance reviews on Korea’s impact assessments.

Five APAC jurisdictions — South Korea, Vietnam, Taiwan, Japan, and Australia — are now converging on risk-based AI governance models with similar transparency and oversight requirements. The pattern is unmistakable: the region stopped debating whether to regulate AI and started writing the operational rules.

🔍 THE BOTTOM LINE Asia’s AI law wave is not a parallel development to the EU AI Act. It’s the operational layer. The EU is the headline; Asia is the implementation. If you sell into or operate in any APAC market, the compliance default is no longer “follow the EU AI Act because it has the strictest rules.” It’s “follow the convergence layer between Korea, Vietnam, China, and Australia, because that’s where your customers and regulators live.”

Vietnam — ASEAN’s first standalone AI law

Law No. 134/2025, passed December 10, 2025 and in force since March 1, 2026, is the first dedicated AI statute in Southeast Asia. It’s not a regulatory layer over an existing data-protection law — it’s purpose-built for AI.

Risk-tiered model:

• Low Risk — no specific requirements beyond general data protection
• Medium Risk — impact assessments and supporting documentation required
• High Risk — pre-deployment registration, used in healthcare, education, and finance

Transition periods:

• 18 months for healthcare, education, and finance AI systems
• 12 months for all other industries

In practice, that means any NZ business exporting AI-enabled products to Vietnam has until roughly September 2027 to bring healthcare/education/finance AI in line, and until March 2027 for everything else. The clock is running.

South Korea — the regional anchor

Korea’s AI Basic Act entered force on January 22, 2026 — the broadest AI-specific law in Asia. The architecture is multipart:

• A new government AI office with rulemaking and enforcement powers
• Mandatory impact assessments for high-risk AI deployments
• Cross-border data restrictions for sensitive AI training data
• Disclosure requirements for AI-generated content
• Whistleblower protections for AI safety issues

Korea is the de facto regional standard-setter. The country is in the same position the EU occupied in 2024: the rules are being written, and other APAC jurisdictions are copying. Australia’s AUS$29.9 million AI Safety Institute commitment is explicitly modelled on Korea’s impact assessment framework.

China — the 30-standard framework

China’s regulatory approach is the most distinctive. Rather than a single omnibus AI law, China is rolling out more than 30 separate AI and data standards](https://enersys.co.th/en/insights/asean-ai-regulation-wave-2026), administered by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Standardization Administration.

The existing Interim AI Measures Act (in force since August 15, 2023) already requires:

• Algorithm filing for recommendation services
• Security reviews for AI services
• Mandatory labelling of AI-generated content
• Legitimacy verification of training data sources
• Service provider accountability for content created on their platforms

The new standards layer on top. The net effect is that China has the most prescriptive AI regulatory regime of any major economy — granular rules for each AI application type, enforced through a combination of pre-deployment review and post-deployment monitoring.

ASEAN — the convergence layer

The ASEAN AI Governance Guide, updated in 2026 to cover Generative AI explicitly, is the soft-law layer over the national hard laws. It provides:

• A common risk-classification framework that maps to Vietnam, Korea, and Singapore’s national rules
• Cross-border data flow guidance for AI training and inference
• Procurement defaults for ASEAN government buyers
• An interoperability layer for AI sandboxes and regulatory testing

Thailand is in the late stages of public consultation on its national AI guidelines, with the working assumption that they will track Vietnam’s risk-tiered model with modifications for the Thai market.

Australia — the model importer

Australia’s National AI Plan, announced last year, is the regional model-importer. The framework is based on Korea’s AI Basic Act, the EU AI Act, and Singapore’s voluntary AI Verify toolkit. Australia’s AI Safety Institute is operational in 2026 and is doing the impact-assessment work that will become the procurement default for Australian government AI contracts.

The Australian regulatory timeline is slower than Vietnam’s or Korea’s — no binding standalone AI law is on the immediate horizon. But the procurement layer is moving: the Australian AI disclosure deadline for businesses is the practical pressure point.

Why this matters for New Zealand

We covered the Australia vs NZ AI regulation comparison earlier. The picture has only sharpened since then.

NZ remains the only major Asia-Pacific economy without a binding AI law, a sovereign AI strategy with procurement teeth, or a funded AI safety institute. The asymmetry has consequences:

For NZ exporters: A NZ AI company selling into Vietnam, Korea, or China must comply with the destination jurisdiction’s rules regardless of what NZ does. The compliance overhead is the same whether NZ has a law or not. The only thing an NZ law would change is who pays the compliance consulting bill.

For NZ procurement: When a NZ public sector agency buys AI tools, the default is “OpenAI or Anthropic because they’re the path of least resistance.” That default is increasingly hard to defend when:

• The Australian government is asking vendors for AI safety documentation
• Korean banks are demanding model transparency reports
• Vietnamese regulators require pre-deployment registration for high-risk AI

For NZ sovereignty: The Maincode Matilda sovereign LLM we covered yesterday is built on the same thesis as Mistral: a domestic model is procurement insurance against US-controlled frontier models. Whether NZ gets its own sovereign LLM, partners with Maincode/Mistral, or stays a customer of US frontier labs is a choice that should be made deliberately, not by default.

The convergence pressure

The interesting question for the next 12-18 months is whether the APAC regulatory convergence outpaces the EU. Korea, Vietnam, China, and Australia are writing rules that look very similar:

• Risk-tiered classification
• Mandatory impact assessments for high-risk systems
• Pre-deployment registration or filing
• Transparency and labelling requirements
• Cross-border data flow restrictions

If that convergence completes, the EU AI Act stops being the strictest standard and starts being one of several. The procurement default for multinational AI vendors will become “comply with the APAC convergence layer plus the EU AI Act” — not the other way around.

For NZ, the question is whether to be inside the convergence layer or outside it. We covered the broader Asia-Pacific AI governance snapshot in April, and the picture hasn’t changed: the train is moving. NZ can choose to be on it or watch it leave.

❓ FAQ

Why is Asia moving faster than the US? The US has no federal AI law. The Trump administration’s national security memorandum on AI is a procurement directive, not a regulation. APAC governments are competing for AI capability investment, and binding rules are part of the value proposition to foreign AI companies: “operate here, the rules are clear.”

Is China’s regulatory model actually enforceable? Yes — through a combination of pre-deployment review (algorithm filing, security assessment) and post-deployment monitoring. The CAC has the authority to block AI services from operating in China if they fail to register or comply with content rules. The enforcement is real, not theatrical.

Does Vietnam’s law apply to foreign companies? Yes, if the AI system is used in Vietnam or has effects on Vietnamese users. The law has extraterritorial reach similar to the EU AI Act.

What about Singapore? Singapore remains the most permissive major APAC jurisdiction. The PDPC and IMDA guidance is principles-based, not prescriptive. AI Verify is voluntary. Singapore’s role is to be the regional AI hub, and the regulatory approach supports that ambition.

Should NZ pass a binding AI law? The case is strong. Without one, NZ businesses exporting to APAC face the same compliance burden but get none of the procurement benefits. With one, NZ could position itself as a regional testbed for risk-tiered AI governance, similar to how Korea did.

🔍 THE BOTTOM LINE

Asia’s AI law wave is the operational layer of the global AI regulatory regime. Vietnam, Korea, China, Thailand, and Australia are writing the rules that AI vendors and operators will actually have to follow in 2027 and beyond. NZ is the only major APAC economy sitting on the sidelines. The cost of staying on the sidelines is the procurement default calcifying against NZ interests.

📰 Sources

• AI in Asia — Vietnam, Korea Shape Asia’s AI Regulatory Future
• Enersys — Asia’s AI Law Wave in 2026
• AIMenta — Asia AI Regulation Snapshot Q2 2026
• CX Network — AI Regulation in APAC: Current Developments
• Cyberspace Administration of China — Interim AI Measures
• White House — Promoting Advanced AI Innovation and Security (June 2026)