Vietnam’s Ministry of Public Security has released the draft Cybersecurity Law 2025 for public consultation until 16 July 2025. This important legal document is expected to consolidate and replace the existing Cybersecurity Law 2018 and the Law on Network Information Security 2015. The law is part of a broader digital policy revamp, including the Data Law and the Personal Data Protection Law that was passed by the National Assembly on 26 June 2025.
The draft introduces sweeping changes. It significantly broadens the law's scope and imposes new obligations on organisations operating or providing services in Vietnam’s cyberspace. Businesses should be aware of these developments to assess potential impacts and prepare for compliance.
Below are the key changes likely to affect businesses:
Broader Scope of Application
The draft expands the definition of “service providers.” It now covers a wide range of industries, beyond traditional tech companies:
Many businesses that previously fell outside the scope of the Cybersecurity Law may now face stricter requirements.
Changes to Data Storage and Local Presence Requirements
For foreign businesses, this is a major change.
Data protection compliance remains central, but without the strict local office mandate.
New Obligations to Combat Cybercrime Using High Technology
A new chapter (Chapter III) imposes direct obligations on service providers to help tackle cybercrime using high technology:
Service users are also required to safeguard the confidentiality of their digital account information and could be held accountable if their accounts are used for illegal activities. Depending on the severity of the violation, users may face disciplinary, administrative, or criminal penalties, and must compensate for any damages caused. Additionally, users must provide accurate and complete information to competent authorities and service providers in accordance with the law.
Notably, the draft explicitly classifies IP infringement as a cybercrime. This includes copyright, related rights, and industrial property right infringements. The change provides another legal basis for IP owners to take actions against counterfeit and IP infringing goods on e-commerce platforms, copyright piracy, and misleading use of trademarks online.
Legal Definition of “Digital Assets”
For the first time, the draft defines “digital assets” as technology products created, issued, transferred, and verified using blockchain, with value and legal rights under civil law. This is a significant development for businesses in blockchain, cryptocurrency, NFTs, and other digital asset sectors. It may lay the groundwork for future regulation, but stricter oversight is expected.
Tightened Controls on Cybersecurity Products and Services
New chapters (IV and V) of the Draft introduce cybersecurity standards and technical regulations that are applied to IT products, services and network equipment, as well as the licensing and requirements for businesses providing cybersecurity products or services. These new provisions aim to tighten controls on cybersecurity products and services, as organizations must either certify or announce the conformity of their products and services to comply with these standards before trade.
What Should Businesses Do?
While the Draft may be subject to further changes, businesses may take the following proactive steps:
Review Business Scope: Determine if your company qualifies as a “service provider” under the draft law.
Assess Data Policies: Re-examine how your company handles personal data of Vietnamese citizens. Ensure alignment with data protection rules.
Prepare Compliance Processes: Prepare to update internal procedures for user identification, incident reporting, and cooperation with authorities. Providers of IT products, services and network equipment need to watch this space closely to ensure conformity to national cybersecurity standards and technical regulations.
Monitor Legal Developments: The draft is still under review and may change. Stay updated to avoid compliance gaps.
Vietnam’s Draft Cybersecurity Law 2025 signals a clear shift towards stricter and more comprehensive cyberspace governance. As the new Cybersecurity Law is set to take effect on 1 January 2026, the law is likely to follow a fast-tracked legislative process. Early preparation will therefore help businesses manage legal risks and maintain stable operations in the Vietnamese market.
Authors: Yen Vu, Huy Nguyen, Ly Nguyen and Uyen Doan.