Vietnam’s Ministry of Public Security has released the draft Cybersecurity Law 2025 for public consultation until 16 July 2025. This important legal document is expected to consolidate and replace the existing Cybersecurity Law 2018 and the Law on Network Information Security 2015. The law is part of a broader digital policy revamp, including the Data Law and the Personal Data Protection Law that was passed by the National Assembly on 26 June 2025.

The draft introduces sweeping changes. It significantly broadens the law's scope and imposes new obligations on organisations operating or providing services in Vietnam’s cyberspace. Businesses should be aware of these developments to assess potential impacts and prepare for compliance.

Below are the key changes likely to affect businesses:

Broader Scope of Application

The draft expands the definition of “service providers.” It now covers a wide range of industries, beyond traditional tech companies:

• Internet service providers (ISPs), telecommunications, hosting, servers, domain names, VPNs, proxy services, cloud computing
• Social networks, websites, online gaming
• Financial institutions, banks, e-wallets, payment intermediaries
• Stock exchanges, digital asset platforms, e-commerce platforms
• Logistics providers, digital television
• Other types of products and services in cyberspace

Many businesses that previously fell outside the scope of the Cybersecurity Law may now face stricter requirements.

Changes to Data Storage and Local Presence Requirements

For foreign businesses, this is a major change.

• Current law (2018): Requires domestic and foreign companies that collect or process data from Vietnamese users to store the data in Vietnam and establish a branch or representative office here. (Article 26.3)
• Draft 2025 Law: Removes the mandatory local office requirement. However, businesses collecting, exploiting, analysing, or processing personal data of Vietnamese citizens must comply with the Personal Data Protection Law (set to take effect on 1 January 2026). (Article 13)

Data protection compliance remains central, but without the strict local office mandate.

New Obligations to Combat Cybercrime Using High Technology

A new chapter (Chapter III) imposes direct obligations on service providers to help tackle cybercrime using high technology:

• User Identification: Businesses must verify user identities before and during service provision. They must prevent the use of fake or unverified accounts.
• Reporting & Cooperation: Cyberattacks must be reported to authorities within 24 hours. Businesses must cooperate with official requests from the Ministry of Public Security.
• Powers of Authorities: Officials may suspend accounts, freeze transactions, block websites, or seize electronic devices involved in violations.

Service users are also required to safeguard the confidentiality of their digital account information and could be held accountable if their accounts are used for illegal activities. Depending on the severity of the violation, users may face disciplinary, administrative, or criminal penalties, and must compensate for any damages caused. Additionally, users must provide accurate and complete information to competent authorities and service providers in accordance with the law.

Notably, the draft explicitly classifies IP infringement as a cybercrime. This includes copyright, related rights, and industrial property right infringements. The change provides another legal basis for IP owners to take actions against counterfeit and IP infringing goods on e-commerce platforms, copyright piracy, and misleading use of trademarks online.

Legal Definition of “Digital Assets”

For the first time, the draft defines “digital assets” as technology products created, issued, transferred, and verified using blockchain, with value and legal rights under civil law. This is a significant development for businesses in blockchain, cryptocurrency, NFTs, and other digital asset sectors. It may lay the groundwork for future regulation, but stricter oversight is expected.

Tightened Controls on Cybersecurity Products and Services

New chapters (IV and V) of the Draft introduce cybersecurity standards and technical regulations that are applied to IT products, services and network equipment, as well as the licensing and requirements for businesses providing cybersecurity products or services. These new provisions aim to tighten controls on cybersecurity products and services, as organizations must either certify or announce the conformity of their products and services to comply with these standards before trade.

What Should Businesses Do?

While the Draft may be subject to further changes, businesses may take the following proactive steps:

Review Business Scope: Determine if your company qualifies as a “service provider” under the draft law.

Assess Data Policies: Re-examine how your company handles personal data of Vietnamese citizens. Ensure alignment with data protection rules.

Prepare Compliance Processes: Prepare to update internal procedures for user identification, incident reporting, and cooperation with authorities. Providers of IT products, services and network equipment need to watch this space closely to ensure conformity to national cybersecurity standards and technical regulations.

Monitor Legal Developments: The draft is still under review and may change. Stay updated to avoid compliance gaps.

Vietnam’s Draft Cybersecurity Law 2025 signals a clear shift towards stricter and more comprehensive cyberspace governance. As the new Cybersecurity Law is set to take effect on 1 January 2026, the law is likely to follow a fast-tracked legislative process. Early preparation will therefore help businesses manage legal risks and maintain stable operations in the Vietnamese market.

Authors: Yen Vu, Huy Nguyen, Ly Nguyen and Uyen Doan.

TAGS

• Vietnam
• Cybersecurity
• Data
• Personal Data