Pillar II: Legal and Regulatory · § 01

Regulatory landscape

Pillar II of V

Legal & Regulatory Compliance

Bizzi processes B2B financial data. Legal is not a footer. It is the floor every AI feature must clear before it ships.

Bizzi ships AI inside invoices, contracts, and payment workflows. Every line of code you deploy operates under at least three overlapping legal regimes: Vietnamese data protection law, sector-specific banking and insurance rules, and the international standards your enterprise customers contract you against. This section maps the regimes you comply with and explains why the overlap is deliberate.

The Vietnamese AI regulatory regime is no longer abstract. Decree 13/2023/NĐ-CP on personal data protection took effect 1 July 2023. It binds every organization processing personal data of individuals located in Vietnam, including foreign organizations. It sets out seven processing principles, data subject rights, and a mandatory breach notification regime. For Bizzi, personal data appears on almost every invoice: buyer name, phone number, sometimes national ID. Compliance is not optional. The burden falls on you as the processor.

Beyond personal data, you operate under the Cybersecurity Law (2018), which mandates in-country storage for certain service categories. The Law on Electronic Transactions (updated 2023) defines the legal status of e-invoices produced by Bizzi. Sector-specific rules from the State Bank of Vietnam (Circular 09/2020) and the Ministry of Finance (Circular 12/2023) add further controls when you serve banks or insurance companies.

Treat regulatory compliance as layered defense, not a single checklist. Five layers run in parallel.

  • Domestic personal data law. Decree 13/2023 governs every processing operation. All seven principles map into product controls in §3.
  • Domestic sector rules. Banking customers trigger SBV Circular 09/2020 controls: private hosting, enhanced classification, PCI-DSS Level 1 readiness. Insurance customers trigger MoF Circular 12/2023.
  • E-invoice legal framework. Decree 123/2020 and Circular 78/2021 define the formats and tax authority validation rules governing the invoice processing pipeline.
  • Cross-border regimes. GDPR applies when you process EU subject data. Bizzi describes itself as GDPR-ready, not GDPR-certified, and runs analogous controls: PII redaction, DPIA, ROPA, Right to Explanation. The EU AI Act (Regulation 2024/1689) classifies accounting-support features as limited risk under Article 50 transparency obligations, not high-risk under Annex III.
  • Voluntary international standards. BAGF benchmarks against ISO/IEC 42001 (AI management systems), NIST AI RMF, and OWASP Top 10 for LLMs.