Cybersecurity regulation in Vietnam (2026)

Vietnam's consolidated Cybersecurity Law 2025, passed on 10 December 2025 with 434/443 votes in the National Assembly, takes full effect, replacing both the 2015 and 2018 laws. It mandates data localisation for all domestic and foreign platform operators, sets 24-hour (and 6-hour in urgent cases) content-removal windows, and reaffirms the Ministry of Public Security as the principal cybersecurity authority.

Passed by the National Assembly on 26 June 2025, this landmark statute elevates personal-data rules from decree to primary legislation for the first time, establishing data-subject rights (access, rectification, erasure), a 72-hour breach-notification duty, and fines up to VND 3 billion or 10× illegal profits. Implementing Decree No. 356/2025/ND-CP was promulgated on 31 December 2025.

Vietnam's National Cyber Security Center recorded approximately 552,000 cyberattacks in 2025; Q1 alone saw nearly 15,000 ransom-DDoS cases — 3.7× higher year-on-year. A securities firm was hit by a 1.2 Tbps DDoS attack costing an estimated VND 200 billion in trading losses, highlighting systemic vulnerabilities in financial infrastructure.

Viettel's annual cyber-threat report found 14.5 million Vietnamese accounts exposed — 12% of global leaked accounts that year — alongside a 46% rise in new vulnerabilities and a 34% surge in DDoS incidents (924,000 cases). Ransomware encrypted 10 TB of data across organisations, causing USD 11 million in estimated losses.

Vietnam's first comprehensive personal-data regulation (issued 17 April 2023) took effect, requiring data controllers and processors to conduct and submit Personal Data Processing Impact Assessments to the Ministry of Public Security within 60 days, notify breaches within 72 hours, and appoint a data-protection officer for sensitive-data processing. It applied to all entities processing Vietnamese citizens' data regardless of where processing occurs.

After more than four years of delay, Decree 53 operationalised the data-localisation and foreign-entity provisions of the 2018 Cybersecurity Law. It requires domestic firms and foreign platform operators to store three categories of Vietnamese user data locally for a minimum of 24 months, and compels foreign providers to establish a local branch or server within 12 months of a written MPS request.

The Ministry of Information and Communications issued Circular 12/2022, updating technical and organisational security requirements for classified information systems (building on Decree 85/2016). Operators of systems at Level 3 and above must conduct independent security assessments and implement enhanced incident-reporting procedures.

Vietnam's landmark 2018 Cybersecurity Law took effect, establishing a national framework focused on protecting sovereignty in cyberspace, prohibiting content deemed threatening to national security, and requiring internet service providers and platforms to remove offending content within 24 hours of an MPS request. It also introduced the first statutory data-localisation mandate for platforms with large Vietnamese user bases.

Vietnam's first network-security statute, adopted by the National Assembly on 19 November 2015, took effect, establishing rules on personal information protection online, requirements for licensing cybersecurity product and service vendors (10-year licences), and baseline obligations for operators of critical information infrastructure. It served as the primary framework until superseded by the 2018 Cybersecurity Law.