AI regulations across ASEAN countries are built on a foundation of data protection laws, while AI-specific guidelines and strategic documents are being developed at varying speeds from country to country.

This article is intended for legal and compliance officers at Japanese companies operating in the ASEAN region, business managers advancing AI adoption, and tech leads with ASEAN-based operations. It covers four countries — Thailand, Vietnam, Laos, and Indonesia — and provides a consolidated overview of: (1) the current state of AI regulation in each country, (2) the connection to data protection laws, and (3) practical steps Japanese companies should take.

The conclusion up front: In ASEAN, there is as yet no comprehensive, binding AI regulation comparable to the EU AI Act — but ignoring each country's developments can result in sudden compliance costs in cross-border business. Beginning the three-stage cycle of "situational awareness → internal risk assessment → governance development" sooner rather than later is the most effective risk mitigation strategy for Japanese companies.

Please note that this article is based on our local knowledge and publicly available information, and does not constitute legal advice. For actual implementation, please be sure to consult a qualified local legal professional.

The value of comparing AI regulations across ASEAN lies in capturing both the current divergence and the direction of future developments, so that companies can build their own risk prioritization framework.

Unlike the EU AI Act or AI regulations at the US state level, AI regulation within ASEAN varies significantly from country to country in terms of progress, form, and binding force. Without comparison, it is difficult to determine how much resource to allocate to which country.

Within ASEAN, the pace of engagement with AI regulation varies considerably. As a general overview:

• Singapore: The earliest in ASEAN to publish an AI governance framework. Outside the primary scope of this article, but useful as a reference point for comparison.
• Thailand: Holds a national AI strategy; regulation of AI use is centered primarily through the data protection law (PDPA).
• Vietnam: Discussion of AI-related legislation is intensifying, and the legislative process is underway.
• Indonesia: AI ethics guidelines have taken the lead, structured to connect with the Personal Data Protection Law (UU PDP).
• Laos: AI-specific regulation is still in the development stage, but is addressed through interpretation of the Personal Data Protection Law (PDPL) and the Digital Law.

Given these differences in pace, Japanese companies should prioritize tracking the latest laws and guidelines starting with the countries that carry the greatest weight in their business operations.

Many Japanese companies operating in ASEAN conduct cross-border activities — for example, processing data from Vietnam and Laos using an AI model hosted in Thailand. In such cases, regulatory differences across countries can surface in the following ways:

• Cross-border data transfers: Some countries impose additional requirements on the transfer of personal data outside their borders, such as contractual clauses, notifications to relevant authorities, or explicit consent from data subjects.
• Accountability for AI-generated decisions: Where AI-generated decisions affect local users, compliance with local guidelines on explainability may be required.
• Sector-specific additional regulations: In finance, healthcare, and the public sector, sector-specific regulations may be layered on top of general AI use requirements.

ASEAN is often perceived as a region with light regulation, but in specific areas — particularly around data protection laws — regulatory frameworks are steadily being put in place, and the risk of proceeding while ignoring them is growing year by year.

Meaningful comparison requires a consistent set of criteria. This article examines each country across three axes: "legal binding force," "connection to data protection law," and "cross-border transfer requirements."

By narrowing the focus to these axes, it becomes easier to assess the degree of impact on one's own organization. Attempting comprehensive coverage is prohibitively costly, so beginning with an evaluation along these three axes is the most practical approach.

AI-related regulations across ASEAN countries exist in a mixed landscape of "legally binding laws" and "guidelines and strategic documents." The two differ significantly in terms of compliance priority.

In practice, a three-tiered approach is realistic for Japanese companies: (1) first ensure compliance with the legal layer, (2) voluntarily incorporate guideline-level requirements, and (3) reference strategic documents as material for risk scenario planning.

Very few ASEAN countries have established AI regulation as standalone legislation. In most countries, AI use is indirectly governed through personal data protection laws.

• Thailand PDPA: Processing of personal data by AI falls under the PDPA. Regulations on automated decision-making are also discussed within the data protection law framework.
• Indonesia UU PDP: Similarly positions AI processing as personal data processing.
• Laos PDPL: AI is regulated through the personal data protection law, with a focus on cross-border data transfer rules.
• Vietnam Personal Data Protection Regulations: AI use is governed through personal data protection-related regulations.

In other words, rather than tracking "AI regulation" in isolation, the correct approach in ASEAN is to view it as a combined package of "data protection law + AI guidelines."

For related reading, please also refer to ASEAN Data Protection Laws: An In-Depth Comparison of 4 Countries.

When operating AI within ASEAN, cross-border data transfers are almost inevitable. Personal data protection laws in each country frequently include rules governing cross-border transfers, such as consent requirements, contractual clauses, and notifications to authorities.

The following are patterns that Japanese companies commonly encounter:

• Processing customer data from Vietnam and Laos using an AI system based in Thailand: Compliance with the cross-border transfer regulations of the source countries (Vietnam and Laos) is required.
• Sharing a global AI infrastructure based in Japan across ASEAN countries: It is necessary to confirm per-country consent acquisition, contractual clauses, and security measures for overseas transfer destinations.
• AI models hosted in the cloud using data centers in other countries: Rather than leaving this entirely to the cloud vendor, companies must maintain awareness of the physical location of their data.

In particular, when training data for AI models includes personal data from ASEAN countries, data protection laws governing cross-border transfers may apply to the entire training process, making it important to verify this at the design stage.

The following sections provide an overview of the current situation in four countries — Thailand, Vietnam, Laos, and Indonesia — as of the time of writing.

Please note that regulations across ASEAN countries are changing rapidly, and the information in this article reflects the situation at the time of writing. For practical compliance purposes, always verify the latest information through each country's official publications and local legal professionals.

Thailand is one of the more proactive ASEAN countries in developing AI governance frameworks, and national AI strategy documents have been published. The core mechanism is the regulation of AI use through the Personal Data Protection Act (PDPA), with issues related to automated decision-making and personal profiling discussed within this framework.

There are three key practical points for Thailand. First, the PDPA has a broad scope of application, covering foreign companies that handle data of Thai nationals and residents in Thailand (extraterritorial application). Second, operations in which AI decisions affect individuals may require documentation of the decision-making process from an accountability standpoint. Third, sector-specific regulations in industries such as finance and healthcare — from bodies such as the Bank of Thailand, the Ministry of Public Health, and the SEC — may apply on top of general AI use requirements.

For Japanese companies deploying AI systems in Thailand, a sound approach is to start with PDPA compliance as a foundation, then build a comprehensive picture by combining sector-specific regulations with the direction set out in the national AI strategy.

For related reading, please also refer to A Compliance Checklist for Balancing Thailand PDPA Requirements with AI Utilization.

Vietnam is advancing the development of personal data protection regulations, while discussions on AI-related bills and regulations are also progressing in parallel. It is one of the countries whose legislative process requires continuous monitoring.

Key practical considerations:

• Personal data protection regulations: AI-based processing of personal data tends to be addressed within this framework
• Cross-border data transfers: Rules governing cross-border transfers are covered under personal data protection regulations
• Sector-specific regulations: Separate rules exist for cybersecurity and data handling in sectors such as finance and telecommunications

Vietnam is a country where bills are frequently revised and promulgated, and businesses that operate AI in earnest—particularly those doing so at scale—will find regular updates with local legal counsel indispensable.

Laos has established a Personal Data Protection Law (PDPL) within the ASEAN region, structured in combination with a Digital Law and an Electronic Transactions Law. While AI-specific legislation is still in development, AI use involving the processing of personal data falls within the scope of the PDPL.

Key practical points for Laos:

• PDPL applicability: AI systems that handle personal data of Laotian nationals or persons residing in Laos are subject to the PDPL
• Cross-border transfers: Transfers of personal data outside the country must comply with the requirements set forth in the PDPL
• Digital Law and Electronic Transactions Law: The validity of electronic transactions and electronic contracts involving AI is assessed within the framework of these laws
• Sector-specific: In finance and the public sector, sector-specific regulations may affect AI use

Laos is a relatively late mover in regulatory development within ASEAN, but the pace of legislative reform has accelerated in recent years. Japanese companies are advised to maintain a system for reviewing the latest version of applicable laws on an annual basis.

For related reading, see also Key Points for Businesses on Laos's Digital Law and Implementation Guide for the Laos Personal Data Protection Law.

Indonesia has established a Personal Data Protection Law (UU PDP), and on the AI front, government-led ethical guidelines have taken the lead. Rather than directly regulating AI through legislation, the approach involves using guidelines to set the overall direction while relying on the data protection law to govern individual processing activities.

Key practical points:

• UU PDP compliance: AI-based processing of personal data is addressed within the scope of the UU PDP
• AI ethics guidelines: Government-led ethics guidelines function in some contexts as a de facto industry standard
• Sector-specific regulations: Sector-specific regulations from bodies such as the Financial Services Authority (OJK) and the telecommunications regulator overlap with AI use
• Cross-border transfers: Compliance with cross-border transfer rules under the UU PDP is required

The Indonesian market is large in scale, and collaboration with local partners is often a prerequisite. When deploying AI systems, an assessment that includes the compliance status of the partner side is necessary.

When it comes to responding to AI regulation across ASEAN, the practical approach is not to "track everything perfectly," but to prioritize based on "business weight × risk × cost."

This section outlines two practical areas that Japanese companies should actually address: risk assessment and internal governance development.

When beginning to address AI regulation across ASEAN countries, the first step to take is conducting your own risk assessment. We recommend the following process:

1. Inventory of AI use cases: List all AI systems currently in operation or planned at each country location
2. Identification of applicable countries: Map which country's regulations (personal data protection laws, sector-specific regulations, AI guidelines) apply to each use case
3. Impact assessment: Classify each use case as high-risk (direct impact on individuals, financial decisions, medical decisions), medium-risk, or low-risk (internal operational efficiency)
4. Gap analysis: For each use case, identify the gaps between current operations and the regulatory requirements of each country
5. Action plan: Develop an action plan based on the severity of each identified gap

Incorporating this process into an annual review cycle enables systematic tracking of regulatory updates. We recommend a pattern of conducting a joint review with local legal counsel once per year, and country-specific updates once per quarter.

Establishing internal governance means translating the results of a risk assessment into a form that the organization can sustain on an ongoing basis. At a minimum, the following four elements should be in place.

• AI Usage Policy: Decision-making criteria, prohibited activities, and approval workflows for internal AI use
• Data Handling Guidelines: Procedures for inputting personal data and confidential data into AI systems
• Responsible Parties and Structure: An AI compliance officer and liaison contacts for coordination with local offices
• Training and Awareness: Training for frontline staff, FAQs, and regular update communications

For Japanese companies with ASEAN bases, a two-tier structure consisting of headquarters governance and local governance is the practical approach. The headquarters defines a company-wide common policy, while local offices handle additional compliance requirements specific to each country's regulations.

For related reading, see also What Is AI Governance? and ASEAN Data Protection Laws: A Thorough Comparison Across 4 Countries.

Below are answers to the questions we most frequently receive from Japanese companies with ASEAN operations.

Q1. Is there a comprehensive AI regulation equivalent to the EU AI Act in ASEAN?

As of the time of writing, no comprehensive, binding AI regulation equivalent to the EU AI Act exists within ASEAN. Singapore is ahead of the curve with its AI Governance Framework, but even that is positioned as a set of guidelines rather than binding law. In most countries, AI use is regulated through a combination of personal data protection laws and AI guidelines.

Q2. If AI guidelines are not legally binding, is it acceptable to ignore them?

We do not recommend ignoring them. First, guidelines are often a precursor to future legislation. Second, they are frequently referenced as a "de facto standard" by local authorities, business partners, and users, meaning that non-compliance can put you at a disadvantage in terms of trust, contracts, and procurement. Third, there are cases where sector-specific regulators—such as those in finance, healthcare, and telecommunications—incorporate guidelines into licensing requirements. Even if you do not need to follow them as rigorously as statutory law, they are worth integrating into your internal governance.

Q3. For Japanese companies operating AI in ASEAN, which regulations should be prioritized?

"Personal data protection laws" are most often the top priority. There are three reasons: penalties and administrative sanctions for violations are clearly defined; extraterritorial application is broad; and they serve as the de facto foundation for AI regulation. A sound approach is to start with compliance with data protection laws, then progressively expand your scope to cover sector-specific regulations, AI guidelines, and national strategy documents.

Q4. Should headquarters create a unified policy for ASEAN regulatory compliance, or should each country develop its own separately?

A hybrid approach is the most practical. A two-tier structure—where headquarters defines "company-wide minimum requirements" (handling of personal data, handling of confidential data, AI usage approval workflows) and each country office builds on top with "additional requirements" (compliance with local regulations, compliance with sector-specific regulations)—strikes the best balance between ongoing maintenance costs and local adaptability.

While ASEAN has yet to establish a unified, comprehensive framework like the EU AI Act, AI use is increasingly being regulated in practice through a combination of each country's personal data protection laws and AI guidelines. The key takeaways from this article are summarized below.

• ASEAN AI regulatory compliance should be understood as a package of "personal data protection laws + AI guidelines + sector-specific regulations"
• Thailand, Vietnam, Laos, and Indonesia each differ in terms of progress, form, and binding force. It is necessary to align comparison criteria and organize them accordingly
• Practical compliance should be embedded through a cycle of risk assessment → governance development → annual review
• A two-tier structure of headquarters governance and local governance makes it easier to balance maintainability with local adaptability

Regulations across ASEAN countries are changing rapidly, and the information in this article reflects the state of affairs at the time of writing. When taking actual compliance measures, please be sure to verify the latest publicly available information and consult with local legal professionals.

We provide AI compliance support for Japanese companies operating in the ASEAN region. If you would like to have an initial discussion, please feel free to contact us.