Introduction
On 10 December 2025, the National Assembly passed the Law on Cybersecurity No. 116/2025/QH15 (“Law on Cybersecurity”). It consolidates and replaces the Law on Cybersecurity No. 24/2018/QH14 (“Law on Cybersecurity 2018”) and the Law on Network Information Security No. 86/2015/QH13 (“Law on Network Information Security 2015”), thereby establishing a unified legal framework governing cybersecurity and network information security in Vietnam.
The Law on Cybersecurity will take effect from 1 July 2026.
Key Features
Scope of Application
The Law on Cybersecurity has extraterritorial effect, applying to both Vietnamese and foreign agencies, organisations and individuals. For the latter, the law covers those that are located in Vietnam, or that directly participate in, or are otherwise involved in, cybersecurity protection activities or the business of cybersecurity products and services in Vietnam.
Prohibited Acts and Core Principles of Cybersecurity Protection
The Law on Cybersecurity largely inherits the fundamental principles and prohibited acts framework from the Law on Cybersecurity 2018, while consolidating relevant provisions under the Law on Network Information Security 2015. Notably, it introduces an expanded and more industry-responsive list of prohibited acts, reflecting emerging risks in the digital economy, including, among others, those related to online fraud and asset misappropriation, impersonation and digital identity-related offences, and the misuse of artificial intelligence or new technologies.
Classification of Information Systems; Definition of Information System Critical for National Security
The Law on Cybersecurity retains the five-tier classification for information systems from Level 1 to 5 based on the level of harm to national security, social order and safety in case of incident or violation of cybersecurity laws, inheriting the approach set out under the Law on Network Information Security 2015.
The law introduces a refined definition of information system critical for national security, being information systems that play a strategic role and are particularly important to politics, national defense, security, foreign affairs, the economy, and society. These systems may cause damage to national security or serious harm to public order and social safety when incidents occur or cybersecurity laws are breached. These systems fall within the list decided by the Prime Minister. The determination criteria will be further guided by the Government.
The classification of an information system, as well as the determination of an information system critical for national security, directly affects the scope and intensity of the applicable cybersecurity obligations, including technical safeguards, incident response requirements, and regulatory oversight.
Regulations on Prohibited Information and Online Conduct
The Law on Cybersecurity enumerates the categories of information and acts using information technology and electronic means that infringe national security, public order, and social safety in cyberspace (“prohibited acts”). Information system owners and domestic and foreign enterprises providing services on telecommunications networks, the internet, and value-added services in cyberspace (“covered service providers”) are obliged to comply with stipulated obligations as follows:
- implement managerial and technical measures to prevent, detect, block, and remove information falling within the categories specified; and
- coordinate with specialised cybersecurity protection forces in handling prohibited information, as well as in preventing and combating prohibited acts.
Protection of Children in Cyberspace
Building on earlier cybersecurity legislation, the Law on Cybersecurity introduces comprehensive obligations to protect vulnerable groups online. Information system owners and covered service providers must comply with certain obligations including:
- controlling content on their platforms to ensure that it does not harm children, infringe their rights, or facilitate abuse;
- preventing the dissemination of harmful or rights-infringing content involving children, and promptly removing such content;
- establishing and implementing technical systems to support the prevention and blocking of harmful or abusive content relating to children;
- coordinating with competent authorities, organisations, and enterprises to block sources of harmful content; and
- promptly notifying and cooperating with the specialised cybersecurity protection forces under the Ministry of Public Security (“MPS”) to address violations.
Enhanced Statutory Obligations on Malware Prevention and Response
The Law on Cybersecurity further develops the technical standards regime under the Law on Network Information Security 2015 by converting malware prevention, detection, and response mechanisms into clear, role-specific statutory obligations applicable across the digital ecosystem.
Obligations of Enterprises in Relation to Cyberattacks and Emergency Cybersecurity Situations
The Law on Cybersecurity introduces a structured regime to govern the prevention and handling of cyberattacks, cyber-terrorism, and serious cybersecurity emergencies, with direct compliance implications for enterprises that own information systems or provide digital services. In particular:
- Information system owners must implement technical measures to prevent and block cyberattacks targeting systems under their management, including malware dissemination, unlawful system intrusions, data exfiltration, exploitation of security vulnerabilities, and other acts disrupting the normal operation of information systems.
- Where a cyberattack threatens national security, public order, or social safety, covered service providers may be required by specialised cybersecurity protection forces to implement traffic filtering or blocking measures and provide timely and complete information and materials relevant to the incident.
- Information system owners are expected to conduct regular reviews and inspections of their systems to eliminate risks of cyber-terrorism and, upon detecting signs of cyber-terrorism, must promptly notify the relevant cybersecurity authorities.
- Telecommunications, internet, and information technology enterprises, as well as covered service providers, must cooperate with MPS in preventing, detecting and handling serious cybersecurity incidents and emergency situations.
Network Information Security and Data Localisation
Covered service providers providing services in Vietnam must comply with the following obligations:
- verify user account information and secure user information and accounts;
- provide user information to the specialised cybersecurity protection forces of MPS within 24 hours of a request made in writing, by email, by telephone or through other certified means of communication, to aid in the verification, investigation and handling of violations of cybersecurity laws; in urgent cases where national security or human life is threatened, the required information must be provided within three hours of the request at the latest;
- block or remove information, and take down services and applications with content that violates the Law on Cybersecurity, within 24 hours of a request from the specialised cybersecurity protection forces of MPS. They must also retain system logs, within the timelines prescribed by law, to aid in the verification, investigation and handling of violations of cybersecurity laws. In urgent cases where national security is threatened, the timeline for blocking and removing the affected information is six hours at the latest;
- not provide, or suspend, services on telecommunications networks, the internet and value-added services for organisations and individuals who post certain content in violation of the Law on Cybersecurity, at the request of the specialised cybersecurity protection forces of MPS; and
- store user personal information and data created by users, including account name, service use time, service fee payment information, internet protocol (“IP”) address, and other related data, for the statutory period after the users stop using the services.
The Law on Cybersecurity retains the data localisation requirements under the Law on Cybersecurity 2018, which apply to covered service providers providing services in Vietnam. It also retains the requirement to establish a branch or representative office in Vietnam for foreign enterprises.
Further guidance from the Government is expected to be released to detail these obligations.
Cybersecurity Standards, Technical Regulations, and Cybersecurity Products and Services
The Law on Cybersecurity inherits and incorporates the regulations from the Law on Network Information Security 2015 and provides a chapter on cybersecurity standards, technical regulations, and cybersecurity products and services, including a list of relevant cybersecurity products and services.
- Cybersecurity products include civil cryptography products, cybersecurity testing and assessment tools, monitoring solutions, products designed to prevent cyberattacks and unauthorised intrusions and other cybersecurity products; and
- Cybersecurity services encompass cybersecurity testing and assessment services, non-civil cryptography information security services, civil cryptography services, cybersecurity consultancy, monitoring services, incident response services, data recovery services, and cyberattack prevention services.
Enterprises that engage in the business of cybersecurity products and services must have a Business Licence for Cybersecurity Products and Services. The Government will provide further guidance on these procedures and requirements.
Human Resources, Operational Readiness, and Ongoing Cybersecurity Compliance Obligations
The Law on Cybersecurity imposes ongoing organisational, staffing, and operational obligations on enterprises that own information systems or provide services in cyberspace, going beyond purely technical controls.
Notably, owners of information systems (in particular owners of systems classified at Level 3 or above or deemed important to national security) are required to:
- designate dedicated or specialised cybersecurity personnel proportionate to the system’s protection level;
- ensure such personnel meet prescribed professional and competency standards; and
- maintain regular training and skill updates for staff involved in system operation, monitoring, incident response, and recovery.
At the operational level, information system owners must implement statutory protection measures, connect monitoring and malware-prevention systems to designated cybersecurity centres under MPS, and promptly report cybersecurity incidents to competent authorities.
Separately, covered service providers are subject to heightened duties to warn users of cybersecurity risks, maintain and immediately activate emergency incident response plans, apply appropriate technical measures for data and personal data protection, identify and provide IP address information upon lawful request, and establish technical connectivity and cooperation mechanisms with specialised cybersecurity forces when required.
Further Information
Please feel free to reach out to our contact partners should you have queries on the above development.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.