Cybersecurity · Vietnam
Vietnam operates a comprehensive cybersecurity legal regime. The foundational Law on Cybersecurity (No. 24/2018/QH14), supplemented by implementing Decree 53/2022, imposes obligations on operators of critical information infrastructure and on domestic and foreign internet/telecom service providers (including data localisation), and mandates incident reporting to the Ministry of Public Security. A sweeping replacement law (No. 116/2025/QH15), passed December 2025, takes effect 1 July 2026, consolidating the 2018 cybersecurity law and the 2015 cyber information-security law into a single unified statute with strengthened obligations on platforms, AI-generated content, and critical infrastructure operators.
Law on Cybersecurity No. 24/2018/QH14 (in force since 1 January 2019) establishes the core regime: national cyberspace security, critical information infrastructure (CII) protection, platform obligations, and data localisation. It is being replaced on 1 July 2026 by Law No. 116/2025/QH15.
Law No. 116/2025/QH15, passed by the National Assembly on 10 December 2025 and effective 1 July 2026, consolidates the 2015 Cyber Information Security Law and 2018 Cybersecurity Law into one statute. It strengthens CII operator duties, bans AI-generated deepfakes for illegal use, mandates child-safety measures, and unifies state management under the Ministry of Public Security.
Data controllers must notify the Ministry of Public Security's A05 unit within 72 hours of detecting a personal data breach (Decree 13/2023). E-commerce operators must notify authorities within 24 hours of detecting a hack risking consumer data loss. Banks and credit institutions must report cybersecurity incidents to the State Bank of Vietnam within 24 hours of detection and within five working days of resolution.
Under both the 2018 law (implemented via Decree 53/2022) and the incoming 2026 law, domestic and foreign enterprises providing telecom, internet, or value-added services that collect or process Vietnamese users' personal or behavioural data must store that data on servers in Vietnam for a minimum of 24 months. Foreign enterprises are also required to establish a branch or representative office in Vietnam.
CII operators across national-security-relevant sectors must conduct mandatory cybersecurity assessments, coordinate continuously with cybersecurity task forces, and apply technical security measures. Decree 53/2022 specifies patch and vulnerability management mandates and prompt incident reporting to the Ministry of Public Security for CII operators.
Decree 13/2023/ND-CP (effective 1 July 2023) requires data controllers, processors, and controller-processors to prepare a written Personal Data Processing Impact Assessment at the start of processing and submit a copy to A05 within 60 days of commencing data processing activities.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.