Internet & Online Safety · Vietnam
Online safety & content laws in Vietnam (2026)
Vietnam shaded by its internet & online safety status
Vietnam operates one of the most restrictive internet regulatory regimes in Southeast Asia, using a layered body of cybersecurity and platform laws to mandate content removal on government demand, prohibit anti-state online speech, require real-name user authentication, and compel data localisation. The December 2025 Law on Cybersecurity (No. 116/2025/QH15), effective July 2026, consolidates prior laws and expands Ministry of Public Security powers over digital identity and content policing. Major platforms including Meta and Google now comply with over 90–95% of Vietnamese government content-removal requests.
Key points
Passed by the National Assembly on 10 December 2025 with 91.75% approval and entering into force 1 July 2026, this eight-chapter, 45-article law consolidates the 2015 Cyber-Information Security Law and the 2018 Cybersecurity Law into a single framework. It grants the Ministry of Public Security lead authority over cybersecurity governance, digital ID verification, and removal of illegal online content.
Effective 25 December 2024, Decree 147/2024/ND-CP requires social media platforms with ≥100,000 monthly Vietnamese visitors to authenticate users via Vietnamese phone numbers or national ID cards, store Vietnamese user data locally for a minimum of 24 months, provide data to authorities on demand, and remove content the government classifies as illegal within 24 hours (with a 90%+ compliance rate required for flagged content).
The 2018 Cybersecurity Law (Article 16–17) and its 2025 successor broadly prohibit online content that criticises or opposes the Socialist Republic, 'distorts revolutionary history', undermines national unity, or spreads 'untruthful' information. Authorities can demand takedown within 24 hours; Facebook restricted 834 pieces of content in the latest reporting period — a reported 983% increase — and Meta and Google comply with approximately 95% and 90% of government requests respectively.
Decree 147/2024 requires parents or guardians to register and supervise social media accounts for children under 16. Decision 88/QD-BTTTT (2025) from the Ministry of Information and Communications further introduces content classification and identity-verification requirements for minors. The incoming Cybersecurity Law 2025 expands digital identity requirements that will apply to minor account registration from July 2026.
Building on Decree 13/2023/ND-CP (Vietnam's first personal data protection decree, effective 1 July 2023), a new Law on Personal Data Protection entered into force on 1 January 2026. It expands obligations to foreign organisations processing Vietnamese citizens' data, mandates 72-hour breach notification, requires explicit consent as the primary legal basis for processing, and introduces stricter cross-border data transfer rules.
Vietnam's Freedom on the Net 2025 report (Freedom House) rates the country 'Not Free', noting systematic blocking of politically sensitive websites, arrests for online speech, and coercion of platforms into compliance. The 2025 Cybersecurity Law further tightens liability by designating the Ministry of Public Security as lead cybersecurity enforcer with powers to compel platform cooperation on content identification and user data disclosure.
Timeline - major decisions & events
The National Assembly passed a consolidated cybersecurity statute replacing both the 2018 Cybersecurity Law and the 2015 Network Information Security Law, unifying Vietnam's cyber-safety framework for the first time. Key additions include a 6-hour emergency takedown window for illegal content, a nationwide ban on AI-generated deepfakes for illegal purposes, mandatory child-safety technical filters on platforms, and the Ministry of Public Security designated as sole national cybersecurity authority.
LuatVietnam — Official Gazette of Vietnam ↗Vietnam's first dedicated Personal Data Protection statute elevated data-privacy rules from decree level to primary legislation, superseding Decree 13/2023. It applies extraterritorially to any entity processing data of Vietnamese citizens, shortens breach notification to 72 hours from detection, and authorises fines of up to 5% of annual revenue for cross-border data-transfer violations.
LuatVietnam — Official Gazette of Vietnam ↗Replacing the decade-old Decree 72/2013, this decree (effective 25 December 2024) requires all social-media platforms to verify Vietnamese user accounts via national phone number or ID, mandates removal of government-designated illegal content within 24 hours, and extends data-localisation obligations to any foreign cross-border service attracting 100,000 or more monthly visits from Vietnam for six consecutive months.
Vietnam Law Magazine — Ministry of Justice ↗Effective 1 July 2023, Decree 13 was Vietnam's first dedicated data-protection legal instrument, introducing GDPR-style consent requirements, a 72-hour breach-notification obligation to the Ministry of Public Security's Cybersecurity Department, and explicit cross-border data-transfer conditions — applying to any entity processing personal data of Vietnamese users regardless of where processing occurs.
LuatVietnam — Official Gazette of Vietnam ↗Effective 1 October 2022, Decree 53 operationalised the data-localisation mandates of the 2018 Cybersecurity Law, requiring foreign platforms (social networks, e-commerce, cloud, video) with a material Vietnamese user base to store specified personal data domestically for a minimum 24 months and to establish a Vietnamese branch or representative office within 12 months of a ministerial request.
U.S. International Trade Administration ↗Vietnam's landmark cybersecurity statute required foreign internet companies to store data on Vietnamese users in-country, remove content on state request, and cooperate with authorities on investigations. The law drew widespread international criticism for broad restrictions on online speech and sparked public protests inside Vietnam; it became the central instrument for enforcement actions against dissidents until superseded in 2026.
LuatVietnam — Official Gazette of Vietnam ↗Vietnam's first dedicated network-security statute established the regulatory framework for protecting information systems and critical infrastructure, civil cryptography, and technical standards — creating the institutional scaffolding that the 2018 Cybersecurity Law would build on. It imposed security requirements on ISPs and data centres and gave authorities powers to order takedowns of information systems used for illegal purposes.
Ministry of Information and Communications (MIC) ↗The government's first comprehensive internet-governance instrument regulated internet services, social networks, online games, and blogs for over a decade; it banned posting content deemed harmful to national security, social order, or traditional Vietnamese values and required foreign platforms serving Vietnamese users to maintain at least one domestic server. Its longevity — and the enforcement controversies it generated — shaped the push for Decree 147/2024.
Tilleke & Gibbins ↗Vietnam's foundational IT statute established the first legal framework for electronic transactions, internet services, software, digital content, and network infrastructure. It set out rights and obligations for IT users and service providers and created the legislative baseline from which all subsequent internet safety, cybersecurity, and data-protection laws in Vietnam were developed.
WIPO Lex ↗Vietnam - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →