Vietnam Enacts Landmark New Cybersecurity Law

Key Takeaway: Vietnam's new Cybersecurity Law establishes one of Southeast Asia's most comprehensive regulatory frameworks for digital activities, with expansive extraterritorial reach and strict compliance obligations for both domestic and foreign entities serving the Vietnamese market.

Introduction

On 10th December 2025, Vietnam's National Assembly promulgated the Law on Cybersecurity, consolidating and replacing the previous Law on Information Network Safety (No. 86/2015/QH13) and the Law on Cybersecurity (No. 24/2018/QH14). Set to take effect on 1st July 2026, this comprehensive legislation establishes an expansive regulatory framework governing cyberspace activities, information systems protection, and cybersecurity incident response. The law reflects Vietnam's strategic prioritization of national security and social order in the digital domain, imposing substantial obligations on domestic and foreign entities operating in or serving the Vietnamese market.

I. Scope of Application and Extraterritorial Reach

The law applies to Vietnamese agencies, organizations, and individuals; foreign entities physically present in Vietnam; and critically, foreign entities "directly involved in or related to cybersecurity protection activities, and trading in cybersecurity products and services in Vietnam" (Article 1). This broad extraterritorial scope potentially captures cloud service providers, telecommunications companies, social media platforms, and e-commerce marketplaces with Vietnamese users, regardless of physical presence.

II. Information Systems Classification and Protection Requirements

The law establishes a five-level risk classification system for information systems, determined by potential damage to national security, social order, public interests, and organizational rights (Article 8). Compliance obligations scale with classification:

  • Levels 1-2: System administrators must perform cybersecurity tasks and may select protective measures based on capabilities
  • Levels 3-4: Mandatory implementation of cybersecurity regulations, management standards, backup systems, inspections, supervision, and incident response
  • Level 5 and "Important for National Security" systems: Most stringent requirements, including pre-deployment certification, regular inspection, and mandatory incident response

Article 9 designates eight sectors containing "information systems important for national security," including military, security, diplomatic, and cipher systems; systems in energy, finance, banking, telecommunications, transportation, agriculture, healthcare; and automatic control systems at critical national security sites. The Ministry of Public Security holds primary regulatory authority over these systems.

III. Data Localization and Service Provider Obligations

Article 25 imposes critical obligations on domestic and foreign entities providing telecommunications, Internet, and value-added services in Vietnam:

  • User Information Disclosure: Entities must provide user information to the Ministry of Public Security's specialized cybersecurity protection force within 24 hours of receiving requests (3 hours in urgent cases threatening national security or human life).
  • Content Removal Requirements: Entities must prevent information sharing, remove content, and take down services/applications violating the law within 24 hours of official requests (6 hours in urgent cases).
  • Data Localization Mandate: Entities collecting, exploiting, analyzing, and processing data on personal information, user relationships, and user-created data in Vietnam must (1) store this data in Vietnam for government-prescribed periods, and (2) establish a branch or representative office in Vietnam (foreign entities only).

IV. Prohibited Content and Activities

Articles 7 and 13 establish comprehensive restrictions on information content in three categories: propaganda against the State (distorting government actions, inciting war/division, insulting national symbols); undermining solidarity and socio-economic policies (causing division, obstructing policies); and infringing upon organizational and individual rights (false information, boycott mobilization, impersonation).

The law also prohibits cyberattacks, cyberterrorism, cyber espionage, trading state/business/personal secrets, using AI to create fake media, and illegally collecting or trading personal information.

V. Enforcement Authority and Emergency Powers

The Ministry of Public Security serves as the focal agency for cybersecurity management, with comprehensive authority including issuing regulations, preventing cyber threats, building IP address management mechanisms, and handling violations (Article 39).

Notably, Article 20 grants extraordinary emergency powers to handle "dangerous cybersecurity situations." Upon Prime Ministerial authorization, the Minister of Public Security may stop network information provision in specific areas or disconnect international network gateways. Article 21 explicitly authorizes "proactively attacking to neutralize cyberspace targets" for security protection.

VI. Practical Implications for Foreign Entities and Multinational Entities

Foreign service providers face significant compliance investments:

  • Physical Presence: Data localization requirements necessitate establishing Vietnamese branches or representative offices, subjecting foreign entities to direct Vietnamese jurisdiction.
  • Infrastructure Investment: Local data storage requirements demand deployment of Vietnam-based infrastructure or contracted local storage solutions.
  • Operational Protocols: 24-hour (3-6 hour urgent) response timelines require robust 24/7 capacity and clear escalation procedures for government requests.
  • Content Moderation: Implementing technical measures to prevent, detect, and remove prohibited content requires content moderation aligned with Vietnamese law's detailed restrictions.

VII. Transitional Provisions and Timeline

The law takes effect on 1st July 2026, with 12-month grace periods for information systems classified under prior law to supplement cybersecurity measures and for existing products or services to be upgraded to meet new conditions (Article 45). Business licenses issued under prior law remain valid until expiration, with renewals subject to new requirements.

Organizations operating in or serving Vietnam should undertake comprehensive compliance assessments before the effective date, engaging Vietnamese legal counsel to clarify ambiguous provisions and develop implementation roadmaps. As Vietnamese regulators issue implementing regulations detailing specific procedures and technical standards, affected entities should monitor regulatory developments closely and integrate cybersecurity law compliance into broader Southeast Asia regulatory strategies.

Disclaimer:

This regulatory update is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.

Contact Us:

info@privacyiuris.com